I’m doing a security audit for a friend who is fleeing a domestic abuse situation and I’m uncertain whether app developers can see the AppleID used on an iOS device. This is just a long explanation post, so feel free to skip it and respond to the simple question of “can apps see your AppleID?” if you have first-hand experience as a developer.
I’ve heard Uber was cracking down on people making multiple accounts on the same device for free first-time customer promotions a while back, and I wasn’t sure if Uber was tying the app install instance to an AppleID or a unique device ID.
Here’s a specific scenario. Suppose my female friend has been using a certain app for years on her main Apple ID. Let’s say it’s an email app, which, to protect her, I’ll call MPU-Mail. So she has the MPU Mail app installed from her AppleID on her iPhone, and she logs into MPU Mail with her real name, JaneDoe @ Mpumail . com
Now Jane is being harassed by a former boyfriend who has ties to… let’s just say he can track phones, and yes authorities are involved, but he’s good at covering his tracks.
Jane buys a brand new prepaid iPhone with cash and creates a new AppleID with a fake name. Assuming Jane never uses the actual phone number for anything and just uses encrypted messaging and encrypted email, can she be tracked based on the app developer having a record of her Apple ID?
Specifically, since Jane used to use MPU Mail app on her old device, and since that’s her main email for work and professional purposes, she wants to install MPU mail on her new prepaid iPhone with a new fake name AppleID so she can keep getting access to the email on her new phone.
But I told her I’m concerned the MPU Mail app developer can see her AppleID, so her stalker could get MPU Mail to hand over her account details, which would include the new AppleID that otherwise has zero linkage to her, except for the fact that she logged into MPU Mail with her old username on the new iPhone. Once he has the new AppleID, he can follow her movements again.
So… can developers see the AppleID? And if they can only see a unique device ID, could that be traced back to the AppleID through Apple? Or is the unique device ID only generated locally on the device and never transmitted to Apple, perhaps based on some one-way hash algorithm?
I don’t want to give specifics of her stalker, but he does this professionally and it’s within the realm of possibility he might get MPU mail to hand over her new AppleID.
It’s also possible he might get MPU mail to hand over the unique device ID of her new phone and then have Apple hand over the AppleID associated with that unique device ID, if Apple has that information.
There’s a lot I’m helping “Jane” with, but this right now is my immediate concern, and depending on the answers to these two questions, she may just wind up accessing this email over a web browser using a VPN, since then it’s unlikely MPU Mail can turn over anything useful to her stalker.