De-anonymizing Apple UDIDs with OpenFeint

I would imagine there are plenty of ways to get a unique ID for a phone, by fingerprinting the system or saving a cookie, so Apple providing an ID in the API is not really an issue. These are the issues:<p>1. OpenFeint needs to lock down their DB<p>2. Phones are great for spying on people

tl;dr version: it shouldn't be possible to pull out somebody's account information based solely on the UDID.<p>It's simply wrong to authenticate people based solely on UDID anyways - what if the same user have one iPhone 3GS, one iPhone 4, and an iPad 2? In that case you'd need another authentication mechanism to make sure the three devices belong to the same user. The UDID is good only for telling the devices apart. So if you gave me Jane's iPad's UDID, I shouldn't really do anything unless I've made sure you're Jane in the first place.

It wouldn't surprise me if something similar were happening on Android. To minimise issues like this, I use DroidWall on my rooted G1 to prevent apps connecting to servers on the net if I don't think they have a good reason to.

"not permitted to publicly link a UDID to a user account"? Really? But that's exactly what Plus+ is doing:<p>Register in Plus+ game 1, then open Plus+ game 2 and it promptly recognizes your account.<p>Appalling.

Notice that the pattern becomes problematic when you include facebook in the picture, because that's where people give away their real data. I don't think it's an issue with UDIDs - they are an essential component with minimal privacy implications in itself. The problem is mostly with facebook's weak privacy tactics. There is no privacy setting that can hide your fb uid, and indeed, facebook has been very lax about giving it away to just about anyone.