Bah, this is blown out of proportion a little bit. The UDID, by itself, tells a developer nothing about YOU. Its use is documented and encouraged by Apple for tracking user devices (which TFA admits). Now sure, if I were to also grab your address book I can tie that to your UDID, but it's my grabbing your address book that's the problem, not the UDID. I suppose if Apple wanted to make this more secure they could make the API automatically hash the UDID with your Application ID (also unique) and return that instead. You would still be able to use it for the same purposes as UDID was intended for, but NOT between apps.