Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How does Apple detect UDID access during App review?

So apparently Apple has started to reject apps that use [UIDevice uniqueIdentifier]. I have heard reports of apps being rejected and approved in the past week that use it (some get through, some don't). However, none of the major advertising networks (that generate revenue for my app) have yet come out with an API that does not use UDID. All their APIs which are included in my app use it. They all say they are working on a new API and it will be out soon, but it may be a few months away.

It seems very strange to me that Apple would enforce this policy via the App review process, rather than through a new version of the OS that simply doesn't allow it (and people have lead time to program against during beta).

All that said, my question is how exactly does Apple detect if you are accessing the UDID during the app review? Do they somehow scan the bundle to see if the call is in there, or do they monitor the system calls actually being made while they test the app? I was thinking of perhaps not accessing the advertising APIs if the user wants to pay, or giving them the choice to go ad supported and therefore provide their UDID. But, I need to understand if Apple is rejecting based on [UIDevice uniqueIdentifier] simply being compiled into your code, or if they detect based on you calling [UIDevice uniqueIdentifier] during the app review test.

Please do not answer this question with the reasons why you shouldn't use [UIDevice uniqueIdentifier] or how to create your own UDIDs, etc, etc. My issue is third party libraries that I require that do not yet have an alternative solution. The question is: How does Apple detect UDID access during app review?

like image 823
user1301928 Avatar asked Mar 29 '12 21:03

user1301928


People also ask

Do apps use UDID?

UDIDs are commonly used by developers to help them find bugs and crashes by isolating a single device through the use of a UDID. They are also used when you download a free app off of the app store.

Is UDID safe to share iPhone?

Is it safe to give out my UDID number? No, it is not safe to give out your UDID number to third-parties you don't trust. This is a risk to user privacy which is one reason Apple limited the use of UDID numbers. For example, UDID number can link other kinds of information to that iOS device.

What can iPhone UDID do?

UDIDs are used to associate a device to an iOS developer account so that developers can install and test their apps before releasing them. Connecting the UDID to a developer account also allows that device to install beta releases of iOS for testing.

What are identifiers in Apple apps?

A bundle ID or bundle identifier uniquely identifies an application in Apple's ecosystem. This means that no two applications can have the same bundle identifier. To avoid conflicts, Apple encourages developers to use reverse domain name notation for choosing an application's bundle identifier.


2 Answers

They have been known to use static analysis, which basically scans your compiled binary for compiled versions of calls to specific methods. They also use this for detecting calls to private APIs. It may be possible to trick static analysis by constructing selectors from strings in creative ways. Though that is in no way honest or recommended.

But the more robust method is most likely via an HTTP proxy, through using your app they can watch HTTP traffic for any UDIDs that get sent out. Which may possibly be gotten around by hashing or 2way encryption. This also would not be honest or recommended.

And when iOS6 comes out this summer, the method will likely be completely removed, making all obfuscation of its usage completely moot.

like image 83
Alex Wayne Avatar answered Oct 12 '22 02:10

Alex Wayne


Apple has been reported to use static scans for all method signatures used within an app (to the point of occasionally rejecting an app for using the same message signature for a developer's own custom class as that of one of Apple's non-public APIs.)

In addition, they have also been previously reported to run apps under review on special hardware and or non-released OS versions, which may or may not include instrumentation of some sort, for instance on network traffic.

like image 40
hotpaw2 Avatar answered Oct 12 '22 01:10

hotpaw2