Our DNA is written in Swift

Podcast #31 – “UDID Fire”

Episode 31, recorded Saturday March 31st, 2012 – UDID Fire

Mach ado about UDID, jobs for iOS developers abound, and my guest today is Appsfire Co-Founder Ouriel Ohayon.

Apple informed developers via e-mail that iTunes Connect will have individual reports for Sweden and Denmark from now on. For March, app sales earnings in Sweden and Denmark will be split and reported in two different documents, one covering the time period before the change and one covering the time period after the change. Earnings from sales that occurred before the change will be in the Euro-Zone (EUR) financial report. Earnings from after the change will be in the new financial reports for Sweden (SEK) and Denmark (DKK).

I am wondering what the benefit to us developers will be. Are the reporting guys SEARCHING for work to do that nobody actually cares about, just so that they are not bored?

Speaking of nonsensical changes: Apple invented two new price tiers. Tier 63 is $124.99 and Tier 69 is $174.99. Both tiers are available for both apps and In-App Purchases. Can anybody explain to me what this is good for? Are apps too cheap? Does Zynga want to sell more expensive In-App-Crap? You know, the lower tiers usually correspond to the price in dollars. The geek in me revolts: what is the secret algorithm here?

UDID, or didn’t you? Now that rumors seem to indicate that Apple might be beginning to reject apps that use the unique device identifier, developers are scrambling and ripping out the trusty old identification code and replacing it with something new. But that only seems to be part of the story. Tapbots published the original rejection letter they received from Apple, and it contains some very interesting information. The letter says that they were sending identity information to their server without having asked the user.

Apple seems to actually perform a man-in-the-middle attack on HTTPS when reviewing our apps. Tapbots was sending the UDID as a parameter of an HTTP GET request over HTTPS. If you only look at the data packets on the wire you cannot see which URL is being requested: when going through a proxy the first step is a CONNECT to the host, after which the GET with its path and query string travels inside the encrypted tunnel. To read it, Apple’s reviewing proxy has to terminate the TLS connection itself: it presents the device with a certificate for the target host signed by its own certificate authority, decrypts the request, and re-encrypts it towards the real server. The URL connection on the device accepts the spoofed certificate only because that authority has been installed as trusted on the review device, which is exactly the trick a debugging proxy relies on.

This is technically easy; I blogged about how to spy on any app’s traffic with the Charles debugging proxy app. What’s interesting is that we learn for the first time that not even encryption is holy to Apple. So if you are sending something naughty to your server, don’t rely on HTTPS thinking that nobody can see the contents. One might think of sending hashes instead of plain text, but be aware that a hash of the UDID is just as good a tracking key as the UDID itself: it is deterministic, so anybody with a list of UDIDs can hash them and match yours, and a reviewer will recognize a stable identifier regardless of its form. The only real fix is to not send identifying data that the user has not agreed to. This is sort of similar to when the Path app sent your address book.

Many people ask: what should we use instead of UDID? The privacy advocates generally say: nothing. A user is not the same as a device. About the only market that requires uniquely identifying devices is advertising, especially when it comes to conversion tracking. If you need to have some sort of temporary identifier then you can use CFUUID to create one and store it in the keychain. Unlike the user defaults, a keychain item persists even when the app is removed; it can also be carried over in an encrypted backup, so if you really want it tied to one device you have to use a ThisDeviceOnly accessibility attribute when storing it.
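What the previous paragraph describes, as an added example that is not code from the original post or from any of the libraries mentioned: generate a random identifier with CFUUID, store it as a generic-password item in the keychain so it survives reinstalling the app, and offer a way to reset it. It assumes ARC and the Security framework; the service name and account string are placeholders chosen for this example.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder keychain attributes for this example (not a real product's values).
static NSString * const kIdentifierService = @"com.example.app.identifier";
static NSString * const kIdentifierAccount = @"app-instance-identifier";

// Look up an existing identifier. Returns nil if none is stored yet.
static NSString *existingIdentifier(void)
{
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kIdentifierService,
        (__bridge id)kSecAttrAccount: kIdentifierAccount,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }

    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Create a fresh random UUID and store it. The accessibility attribute keeps the
// item out of device-to-device migration via backup, so it identifies this
// installation on this device only, not the user.
static NSString *createAndStoreIdentifier(void)
{
    CFUUIDRef uuid = CFUUIDCreate(kCFAllocatorDefault);
    NSString *identifier = CFBridgingRelease(CFUUIDCreateString(kCFAllocatorDefault, uuid));
    CFRelease(uuid);

    NSDictionary *item = @{
        (__bridge id)kSecClass:          (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:    kIdentifierService,
        (__bridge id)kSecAttrAccount:    kIdentifierAccount,
        (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
        (__bridge id)kSecValueData:      [identifier dataUsingEncoding:NSUTF8StringEncoding],
    };

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    if (status == errSecDuplicateItem) {
        // Lost a race with another caller, or an item from a previous install exists.
        return existingIdentifier();
    }
    if (status != errSecSuccess) {
        NSLog(@"keychain store failed: %d", (int)status);
        return nil;
    }
    return identifier;
}

// Public entry point: returns the persistent identifier, creating it on first use.
NSString *persistentAppIdentifier(void)
{
    NSString *identifier = existingIdentifier();
    return identifier ?: createAndStoreIdentifier();
}

// Let the user opt out: deleting the item means the next call hands out a new UUID
// that cannot be correlated with the old one.
BOOL resetAppIdentifier(void)
{
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kIdentifierService,
        (__bridge id)kSecAttrAccount: kIdentifierAccount,
    };
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query);
    return status == errSecSuccess || status == errSecItemNotFound;
}
```

Because the value is random rather than derived from hardware, it is not linkable across apps or after a reset, which is the property the privacy advocates are asking for. Whatever you store, the Tapbots lesson still applies: send it only when the user has agreed to it.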

For those who are developing libraries for ad networks, the de facto standard has become the OpenUDID project, which is available on GitHub. It was developed by one of the founders of Appsfire. There is a second competing project called SecureUDID, but when I surveyed the market as to which is winning I found that most ad networks had switched to using OpenUDID. This includes the MobFox framework which, as you might know, I originally developed.

Flurry Analytics reports the relation of income of the three major app stores: Apple’s app store, the Amazon app store and Google Play (aka the Android app store). The comparison they came up with is this:

$1 on Apple’s App Store is 89¢ on Kindle and 23¢ on Android

What’s interesting is that Amazon is able to get the value proposition for developers into the vicinity of where it is for us iOS developers. Well, it certainly helps to have the marketing experience of the world’s largest retailer and a dedicated device that locks people into their marketplace. And it still gives us a warm and fuzzy feeling that we are focusing on the app store where the most money is made. Our grass is greenest, yeah!

Here’s another good reason why we developers should always buy the latest Apple devices. An iOS forensics company has created a tool that lets law enforcement officials recover your passcode. There’s a video where you can see them boot an iPhone with their own custom boot loader; running code that early requires an exploit below the operating system, which is what the older devices are vulnerable to. iPhone hacker Chronic has told me that iOS devices with an A5 chip are safe.

A5 devices can be jailbroken on a per-firmware basis, but their exploit(s) are userland-level, so passcode lock is safe.

That means you should have at least an iPhone 4S if you are worried that the law or some lawless thugs who got hold of this software can decrypt all your secrets. On any device it also helps to use a long alphanumeric passcode instead of the four-digit default, because the tool has to try each candidate on the device’s own hardware. Hey, it’s a business expense, and of course we need proper test devices for our jobs.

Speaking of security, the Australian Department of Defence has published a PDF that treats in great detail all the security aspects involved in using iOS devices in official agencies. It’s a great manual to have and pass on to IT guys who are evaluating use of iOS devices in the enterprise; it contains background information as to which questions you should ask of government contractors whose apps are to be used on those Secret Agent devices. Conversely, if you ARE such a developer who is interested in the vertical market of government software then this guide contains all the questions that you will probably be asked. So you can prepare yourself accordingly, and have your apps be secure by design.

If you are looking for iOS or Mac developers for your company or are looking for employment as such then I’d like to draw your attention to my new hobby project. I wanted to have a blog – combined with a Twitter feed – where you could get the pulse of our industry. Though I don’t want to have any extra work, so I made it such that if you create a login on XcodeJobs.com you can write a short blog post about the positions you are trying to fill. This I can then publish very early. If that is too much effort for you then you can also tweet me a link to the job profile on your own site and I’ll retweet it with the @XcodeJobs Twitter account.

This is completely non-commercial and recruiter-free. When I was looking for a name for this baby I realized that for all my favorite platforms we use Xcode to develop. And since the name was free I grabbed it. If I hear from Apple’s legal department I can always change it later. As they say: “we’ll cross that bridge when we get to it”. Right now there are record numbers of people tweeting about the site and following the Twitter account. So why not benefit from this attention too?

Oh, and speaking of hiring: I have hired my first actual real employee! And it’s great! He’s going to start working with us next month and I can already feel our output increase. Many iOS developers shy away from this sort of commitment: OMG, how much that costs! What if you don’t have any work any more? But the reality is that work always grows larger and larger, and frankly I cannot afford to pay for contractors. At the current rates an employee costs me about a third as much as a contractor based in the USA or Europe.

Guest: Appsfire Co-Founder Ouriel Ohayon

We chat about why there is a need for a UDID replacement and what it is used for.
Appsfire App on the App Store


I love to hear from you, you can email me at oliver@cocoanetics.com or tweet me @cocoanetics. If you want to give me audio feedback or have some interesting comment for me to play on the show please call my Google Voice mailbox:  (415) 860-4324

Categories: Podcast
