updated 02:00 am EST, Tue February 26, 2013
Alternative to UDID rejected, Ad Identifier now mandated
Developers who attempt to circumvent Apple's own Advertising Identifier with other methods to track users and ad impressions may now find their apps rejected by the App Store. The company is now -- nearly two years after announcing that it would be abandoning the former Universal Device Identification (UDID) method for ad tracking -- enforcing developer guidelines that mandate the use of Apple's Advertising Identifier (which can be turned off by the user) as the main allowable ad tracking standard for ad networks.
The previous UDID did not contain any personal information about users itself, but could easily be combined with other information such as location and app usage to create (if the various information was pooled together) a profile of a given mobile device's primary user. Ad agencies have complained that Apple's AdID doesn't give them quite as much information about users as other methods, and have developed workarounds to try and gain further information without explicit user consent. Apple began banning apps using UDID tracking last March.
One of the most insidious methods is known as "cookie tracking," sometimes called "Safari flip-flop" or "HTML5 first-party cookies," according to TechCrunch. Under this method, Safari is briefly launched so that a cookie can be established before returning to the app. The cookie is then updated with any previous ad interaction information and ongoing tracking of any user interaction with future ads in the app. Apple is currently still allowing existing apps to use the method, but rejecting new apps that try to use it, meaning that over time apps will no longer be able to rely on the function -- at least not without explicit user "opt-in" to alternative methods.
Cookies themselves are generally not considered a security issue, and are mainly used for data such as remembering who a user is when they revisit a store or keeping track of how many times they have done so. Apple has been reticent to enforce its own rules on alternative methods of ad tracking over the past two years, but the recent rejection of some half-a-dozen apps that use cookie tracking -- including big-name brands such as Hotels.com -- indicate that the company is now requiring developers to rely on the AdID information or get user permission for anything else. The AdID was introduced with iOS 6 and final user control over it was part of iOS 6.1.
The Advertising ID method pushed by Apple works to ensure that personal information is not tied to the device identifier, with the company describing it as "non-permanent, and non-personal" that all advertising networks working with iOS devices will eventually be required to use. Users can turn off ad tracking, but in turn the ads shown to the users will no longer be targeted based on information learned about them. Google, for example, has built its empire on its success at targeting ads that users might be more interested in based on its tracking of what users do, where they go and what they say they like, buy or use.
There are unsubstantiated reports that some apps are disabling the "cookie tracking" code during the app review phase and then reactivating it on first launch, but even if true Apple will eventually bar all such use of the technique and pull or disable apps that violate developer guidelines. In the wake of the UDID phase-out, the mobile advertising community has yet to coalesce around a single replacement standard, but as iOS is by far the largest and most lucrative mobile ad outlet, Apple's new enforcement of its own standard is likely to become the de facto bar for the industry.