What Apple’s UDID phase out means to the iOS ecosystem

Apple is beginning to issue blanket rejections for apps that use Unique Device IDs (UDIDs) to track and identify users. Although the move is an answer to some of the privacy concerns around how iOS apps share user data, the lack of a clear alternative will have far-reaching impacts on how developers, analytics companies and advertising networks function and do business with one another.

UDIDs are 40-digit, unique alphanumeric codes assigned to every iOS device. They’re used to track users from app to app, see what apps they’ve installed and how often they’re being opened, target advertising and measure the conversion rate and ROI of campaigns. Unlike other advertising tracking mechanisms, they can’t be cleared, blocked, removed or opted out of.

Apple has been trying to steer developers clear of UDIDs since the release of iOS 5.0 last August. At the time, the company deprecated access to UDIDs, telling developers to instead create their own identification systems. Deprecation in and of itself doesn’t necessarily mean much — there are still deprecated features from before iOS 5.0 in active use — so last month Apple raised the issue again, reaching out to developers to get the ball rolling on the transition away from UDIDs.

Even though the writing was on the wall for UDIDs, Apple’s move to reject apps that call on them was “an unpleasant surprise,” in the words of Michael Oiknine, CEO of mobile analytics company Apsalar.

Although the move doesn’t affect apps already in the App Store, developers wishing to push updates or new apps will now need to ensure that both their apps and any third-party SDKs aren’t calling on UDIDs.

“We’re waiting to see how it falls out,” explains Lei Zhang, the US general manager of Chukong (PunchBox and CocoaChina). The company runs its own advertising service and developed Fishing Joy, one of the most popular games in China. “I think the first hit will be analytics companies and developers that depend on analytics, which is everyone. We’re using Flurry right now and Flurry uses UDIDs to track users. Our next submission to Apple is going to be problematic. We can remove advertisement SDKs, but analytics is something we live by. Right now we’re holding off on new submissions and updates.”

Oiknine echoes Zhang’s sentiments that the real challenge for the ecosystem will be going forward.

“When you’re using Apsalar data from one app to another there’s no problem. Where it becomes a drawback for vendors like Apsalar and advertising networks is that everyone will come with their own user IDs,” he explains. “If I want to work with an advertising partner to leverage that data for retargeting I need to have a bilateral relationship so we know how to correlate their IDs to our IDs. It directly affects advertising and indirectly affects developers because they won’t have a way to determine the ROI on their advertising dollars.” For its part, Apsalar is rolling out a new SDK next week that will use Apsalar IDs rather than UDIDs.

There are some alternatives to UDIDs. Among those proposed have been CFUUIDs (Core Foundation universally unique identifiers), unique identifiers developers generate themselves, the so-far-sporadically adopted open source alternative OpenUDID and the Media Access Control (MAC) address of a device’s Wi-Fi interface. Unfortunately, the most promising of the three — MAC addresses — are also most open to the kinds of privacy complaints that have caused Apple to phase out UDIDs. Like UDIDs, they’re tied to a specific device and can be used to track a user’s location. It’s also very hard to change or spoof a MAC address.

“The MAC address is as loaded as UDIDs. It’s also owned by Apple, and it’s a hardware address and for all practical matters it’s exactly the same as UDID,” says Oiknine. “My feeling is that if developers start using the MAC address, it will work for a while, but at some point we should expect Apple to crack down on the MAC address as well.”

According to Oiknine, what iOS needs is a universal system with a clear way for consumers to opt out, similar to how cookies work online. He predicts that whatever the new system will be, it will be the companies that track user data, and not Apple, that will lead the way.

“We need to find an opt-out mechanism and Apple doesn’t want to get involved in that.”