How does Apple detect UDID access during App review?

6
votes

So apparently Apple has started to reject apps that use [UIDevice uniqueIdentifier]. I have heard reports of apps being rejected and approved in the past week that use it (some get through, some don't). However, none of the major advertising networks (that generate revenue for my app) have yet come out with an API that does not use UDID. All their APIs which are included in my app use it. They all say they are working on a new API and it will be out soon, but it may be a few months away.

It seems very strange to me that Apple would enforce this policy via the App review process, rather than through a new version of the OS that simply doesn't allow it (and people have lead time to program against during beta).

All that said, my question is how exactly does Apple detect if you are accessing the UDID during the app review? Do they somehow scan the bundle to see if the call is in there, or do they monitor the system calls actually being made while they test the app? I was thinking of perhaps not accessing the advertising APIs if the user wants to pay, or giving them the choice to go ad supported and therefore provide their UDID. But, I need to understand if Apple is rejecting based on [UIDevice uniqueIdentifier] simply being compiled into your code, or if they detect based on you calling [UIDevice uniqueIdentifier] during the app review test.

Please do not answer this question with the reasons why you shouldn't use [UIDevice uniqueIdentifier] or how to create your own UDIDs, etc, etc. My issue is third party libraries that I require that do not yet have an alternative solution. The question is: How does Apple detect UDID access during app review?

2
iosiphoneappstore-approval
"rather than through a new version of the OS that simply doesn't allow it" but then Apple couldn't use it. ;)Joel
Removing the API, without forcing developers to update apps first, would break existing approved and purchased apps currently running on customer's devices, potentially creating customers very unhappy with the OS update.hotpaw2

2 Answers

7
votes

They have been known to use static analysis, which basically scans your compiled binary for compiled versions of calls to specific methods. They also use this for detecting calls to private APIs. It may be possible to trick static analysis by constructing selectors from strings in creative ways. Though that is in no way honest or recommended.

But the more robust method is most likely via an HTTP proxy, through using your app they can watch HTTP traffic for any UDIDs that get sent out. Which may possibly be gotten around by hashing or 2way encryption. This also would not be honest or recommended.

And when iOS6 comes out this summer, the method will likely be completely removed, making all obfuscation of its usage completely moot.

2
votes

Apple has been reported to use static scans for all method signatures used within an app (to the point of occasionally rejecting an app for using the same message signature for a developer's own custom class as that of one of Apple's non-public APIs.)

In addition, they have also been previously reported to run apps under review on special hardware and or non-released OS versions, which may or may not include instrumentation of some sort, for instance on network traffic.