Written by Paul DeHart, CEO and President
During the last 24 hours, the cyber attack on our system has garnered significant media coverage.
Many of our publishers have reached out to us for clarification, so we wanted to take a moment to clear up any misconceptions that may have arisen from the media coverage.
- The use of UDIDs was a reasonable industry practice and Apple itself has stated that they are still allowing UDIDs to be used in code bases.
- We do not handle credit card information, social security numbers, medical information or other highly sensitive information.
- We believe we have followed reasonable practices in how we have handled our collection of UDIDs, names, emails and similar information. Contrary to some of the information that has been reported, BlueToad believes that you will not be harmed as a result of the UDID information posted on the Internet. We do not suggest that you remove apps from your device or that you purchase a new device as a result of this incident.
- We updated our code base in March to no longer use UDID information. We are in the process of upgrading all of our apps to this new code set. In addition, we have discontinued storing any UDID information sent to our servers by apps that have not been upgraded.
- We have never used UDID information in an improper or ill-advised manner. We did not store UDID information along with any other personally identifiable information – like names, emails, passwords, addresses, etc.
- We have never used UDIDs as an authentication token or password, to track user location or to tie a user’s device ID to other information.
- We are unaware of any Apple policies requiring UDID information to be encrypted. In fact, research has shown that many developers send UDID information without encryption protection. We believe we were operating within reasonable industry standards in transmitting this information, particularly given our limited use of the information.
- Some media reports incorrectly suggest that the token associated with the device allows the app to send push notifications to a user’s device. There are certificates that are required prior to sending the notification. As a security measure, we promptly expired all push certificates on our apps to ensure that notifications could not be sent.
- While there has been a recent movement toward characterizing UDIDs as sensitive information, it is simply a result of how this information has been used by other app developers (primarily as a form of authentication and in connection with much more valuable information), which BlueToad does not do and has never done.
At BlueToad, we have always made information security and consumer privacy a top priority. Given this incident, we are taking even greater steps to evaluate our current security measures and will continue to make changes where needed or appropriate.
Thank you for your understanding.