About APNs tokens and duplicate UDIDs

David Schuetz found the source of the leaked UDIDs by tracking the duplicate UDIDs in the file. Great find!

While the result was confirmed by BlueToad, his intermediate assumption about the APNs tokens is not correct.

“Interesting. Just noticed there are UDID duplicates in that data dump, with multiple APNS tokens. Different app providers, or multiple regs?”

UDID duplicates do not come from multiple app providers or multiple apps. Any production app on a single device will get the same token. For example, Facebook and WhatsApp will get the same token on the same device at the same time.

Tokens change when:

  • the user switches devices, regardless of restored backups
  • the user restores a device to factory settings and does not restore his old backup
  • (possibly some Apple certificate expires, maybe once every year or two, maybe at major iOS updates)

Tokens appear to be derived from some device-specific data (maybe the UDID), a key applied at device activation, and possibly Apple’s certificate.

So the duplicates likely stem from development devices being restored to new OS versions, as is apparent from some of the device names as well: “iPad 4.2” vs “iPad 4.3.1” on the same UDID.

Another way for one device to have multiple tokens at the same time is the production vs sandbox environment. But at any one time, a device will not have more than those two tokens (in the App Store context; MDM may be another story).

Another interesting data point is the presence of identical APNs tokens on differing UDIDs in the data set. By all accounts, this should be impossible, as confirmed by Apple (iOS Dev Membership required).
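
The two duplicate patterns discussed above (one UDID with several tokens, and one token on several UDIDs) can be checked mechanically on a push provider's own registration table. The following Python is an added example, not code from the original post; the row layout (UDID, token, device name), the function name `audit` and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows (udid, apns_token, device_name); placeholders only.
RECORDS = [
    ("udid-a", "tok-1", "iPad 4.2"),
    ("udid-a", "tok-2", "iPad 4.3.1"),     # same UDID, different token and name
    ("udid-b", "tok-3", "Anna's iPhone"),
    ("UDID-B", "TOK-3", "Anna's iPhone"),  # same pair, different letter case
    ("udid-c", "tok-4", "Test iPod"),
    ("udid-d", "tok-4", "Office iPad"),    # same token on a second UDID
]


def audit(records):
    """Group rows both ways and report the two duplicate patterns."""
    tokens_by_udid = defaultdict(set)
    names_by_udid = defaultdict(set)
    udids_by_token = defaultdict(set)
    for udid, token, name in records:
        # Hex identifiers compare case-insensitively; normalise before grouping.
        udid, token = udid.strip().lower(), token.strip().lower()
        tokens_by_udid[udid].add(token)
        names_by_udid[udid].add(name.strip())
        udids_by_token[token].add(udid)

    return {
        # Expected over time: a restore or device wipe gives a new token.
        "udid_with_multiple_tokens": {
            u: {"tokens": sorted(t), "names": sorted(names_by_udid[u])}
            for u, t in sorted(tokens_by_udid.items()) if len(t) > 1
        },
        # The post says this should be impossible: flag for investigation.
        "token_with_multiple_udids": {
            t: sorted(u) for t, u in sorted(udids_by_token.items()) if len(u) > 1
        },
    }


if __name__ == "__main__":
    report = audit(RECORDS)
    for udid, info in report["udid_with_multiple_tokens"].items():
        print("rotated:", udid, info["tokens"], info["names"])
    for token, udids in report["token_with_multiple_udids"].items():
        print("ANOMALY:", token, "registered for", udids)
```

Listing the device names next to each multi-token UDID makes the OS-restore pattern visible at a glance, as with “iPad 4.2” vs “iPad 4.3.1” above.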