Friday, August 19, 2011

iCloud Key-Value is better than a UDID

There is a lot of chatter about Apple depreciating the UDID API and apparently providing no alternative to track a user.  Firstly, lets clear up how insecure and unreliable using the UDID is for identifying a user, which is tied to the device.  The user's device could be

  • lost,
  • stolen,
  • replaced / exchanged,
  • sold or
  • given away.

That UDID is now potentially in the hands of another individual, even if you remote wipe your device.

Beginning with iOS 5, Apple is providing a secure service called iCloud Key-Value storage that will serve as a superior alternative.  iCloud K-V storage offers a limited amount of space in the cloud for a single application or shared between a suite of applications; either scenario is at the app developer's discretion.  If your application requires access to it's own servers for user-specific information, you can store a unique token in their iCloud K-V store to reunite your application with their data, without them ever having to log in again* after the initial handshake.  This applies even when the user replaces their device, as the token is stored in the cloud.

Apparently, Pandora uses the UDID to remember your profile and potentially exposes your playlists if your device falls victim to one of the more dubious fates mentioned above.  Easily solved if you follow a pattern similar to the following sequence diagram:

cdraw

Naturally, you should take the appropriate measures to secure the conversation between your app and your server.

If you do need to track a specific device, there are ways to programmatically obtain the MAC address.  Not something I would recommend.

* Apple is yet to address a significant caveat regarding the lack of multiple Apple IDs under a single iTunes account.  Your iCloud account is your Apple ID, and that implies all your family members must log in to the same account, providing no way to separate users.

No comments: