hyperswitching

Since iOS5 beta6, Apple has banned access to the iPhone UDID. The iPhone UDID is a unique device identifier which can be used to track users. Many applications use the UDID to prevent signups, but also to track users for advertising.

All around the web, people think Apple is doing this to prevent advertisements, when in fact this is done to protect the users' data. Consider the following:

Joe buys an iPhone 3GS. Let’s say his UDID is 123. Joe downloads an application which stores notes on a server. Joe didn’t have to create an account with the service, as his UDID was used. All is well so far.

Now, Joe sees a great advertisement about the new iPhone 5 ;), and decides to buy it. He won’t be using his old iPhone 3GS anymore, so he decides to wipe the phone’s data, and sell it to Adam.

Joe restores his backup to the new phone, and continues using it as he always did.

Adam, on the other hand, is discovering the whole App Store thing, and installs anything he can find. One day he finds this note-taking app and installs it. To his surprise, the application was filled with existing notes from Joe. Joe had used the notes app to store his credit card information and other personal stuff.

What happened?

Because the UDID will not change when the device is wiped or transferred, the UDID is a bad identifier to track users. Apple has (thankfully) recognized this issue, and has banned access to the UDID.

What should devs do?

Developers should use a different method of identifying people. I hope Apple will create an API for this, similar to the Notifications API. Ideally, you would be able to get someone’s Apple ID, or a uniquely generated ID based on someone’s Apple ID + the application ID (+ optionally the device ID).
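
The Joe and Adam story replayed against a toy note server, once keyed by UDID and once by an identifier derived from account + application ID. This is an added example, not code from the original post and not an Apple API: `derived_id`, `NoteServer`, the platform secret, and the account and bundle names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values; none come from a real device or account.
PLATFORM_SECRET = b"constructed-platform-secret"  # assumption: held by the platform, never by apps
JOE, ADAM = "joe@example.com", "adam@example.com"
NOTES_APP, ADS_APP = "com.example.notes", "com.example.ads"
PHONE_3GS_UDID = "123"  # the UDID from the story above


def derived_id(account_id, app_id, device_id=None):
    """Hypothetical per-app identifier: HMAC over account id + app id (+ device id)."""
    parts = [account_id, app_id] + ([device_id] if device_id else [])
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(PLATFORM_SECRET, msg, hashlib.sha256).hexdigest()


class NoteServer:
    """Toy note service that trusts whatever identifier the client sends."""

    def __init__(self):
        self.notes = {}

    def save(self, ident, text):
        self.notes.setdefault(ident, []).append(text)

    def load(self, ident):
        return list(self.notes.get(ident, []))


def resale_scenario(identify):
    """Joe saves a note on the 3GS, sells it to Adam, restores onto a new phone.

    Returns (notes Adam sees on the old phone, notes Joe sees on the new phone).
    """
    server = NoteServer()
    server.save(identify(JOE, PHONE_3GS_UDID), "card number (constructed)")
    adam_sees = server.load(identify(ADAM, PHONE_3GS_UDID))
    joe_sees = server.load(identify(JOE, "456"))  # constructed UDID of the new phone
    return adam_sees, joe_sees


def by_udid(account, udid):  # identifier follows the hardware
    return udid


def by_derived_id(account, udid):  # identifier follows the account, per app
    return derived_id(account, NOTES_APP)
```

`resale_scenario(by_udid)` hands Joe's note to Adam and leaves Joe with nothing on his new phone; `resale_scenario(by_derived_id)` reverses both outcomes. Because the application ID is part of the HMAC input, the same account also gets unrelated identifiers in `NOTES_APP` and `ADS_APP`, so two apps cannot join their records on it.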
