Thursday, 16 February 2012

Flurry analytics gathering UDID - as seen in mitmproxy

I had a play with mitmproxy today and opened a few apps on my phone to see what kind of traffic was going on. An interesting point of note was the use of Flurry in the Met Office app, and the fact that it sends my UDID over the network to a mahoosive database. Flurry and other mobile analytics tools are quite commonplace so there's nothing sinister about the Met Office app in particular (Rightmove and Pinterest are two others on my phone that I could have picked on), but the UDID can reveal a lot about a user and ultimately identify them. For identical privacy concerns Google Analytics stopped revealing visitors' IP addresses several years ago, if my memory serves me correctly. Anyhow, here's a snapshot from mitmproxy:

It's worth noting that Apple have deprecated the use of UDID in iOS5 and it'll presumably die sometime in the not too distant future. Just like losing IP addresses was no biggy for Google, losing UDID will surely be no biggy for the likes of Flurry.

Bigger losers might be some app developers that have used UDID in some fundamental manner to identify users - not for any creepy tracking or marketing way but as a convenient (lazy?) means of identification or authentication.

I'm pretty sure I wasn't asked about sharing data with Flurry when I installed any of my apps, but I did find this link where you can tell Flurry you don't want your activity monitored.

No comments:

Post a Comment

Comments are moderated, so you'll have to wait a little bit before they appear!