App runs opt-out code #9

Open
silverdirectxer opened this Issue · 8 comments

4 participants

@silverdirectxer

It is said that the opt-out code will be provided in open source. What if someone writes an app that automatically runs the opt-out code? So all other apps that are using secureudid for tracking will stop functioning too?

@mattmassicotte

The reliance on shared, mutable data across all applications means it is possible for any application to automatically opt-out, change, or even delete what's there. This is definitely a limitation. Open to suggestions!

@jseibert
Owner

You're totally right - this initiative (unless Apple picks up and implements it at the OS level) certainly relies on apps to Not Be Evil. Here's hoping :)

@blitzvb

No matter what, people who could mess with that secureID were already able to change their UDID via UDID faker ... so it's no big deal to me.

@silverdirectxer

The problem is, people have to jailbreak their machine in order to use UDID faker themselves. But in this case, users don't even know they have downloaded an app that opts out of secureUDID, and this opt-out action is harming any other apps on the device that are using secureUDID!

Imagine if angrybird has the opt-out code: how many of the devices would not have secureUDID available already??

@jseibert
Owner

What would an app's incentive be to include and auto-run the opt-out code?

@silverdirectxer
@blitzvb

Agree it's a problem. What if the opt-out code was very visual and involved the user, like: "Are you sure you want to opt out bla bla ... Applications XXX and XXX are using this, there is a risk that those applications will cease functioning"

In order to make it work, a secureAppID given by secureID would be necessary in order to identify each app ... Only identified apps will be able to opt out.

But that began to look very close to an ads company :/

@jseibert
Owner

Interesting idea, but any application evil enough to opt-out is evil enough to comment out the user-facing code :)

In my mind there are limits to how secure a completely open-source solution can be in this regard. The only real option would be to provide a static, compiled library with hidden obfuscated crypto keys that enforced UI on opt-out or something.
