It's become quite a popular parlor game to guess who is responsible for the recent Antisec UDID leak. I've now seen no fewer than six separate apps named as the probable source (two of which came from Marco Arment). Before we pick the next culprit, I think it's worth taking a step back to consider the list of things we don't know:

  • We don't know that we're dealing with just one source. The Antisec dump may well be an amalgam of data from various sources.
  • We don't know that we're looking for just one app, or even a set of apps by one developer. The leak may well come from one of the myriad third-party services that are embedded in thousands of apps.
  • We don't know that Antisec is being truthful about the scale of the database, or the additional data they claim is associated with the UDID/APNS records.
  • We certainly don't know that the data was filched from an FBI laptop or that the NCFTA was in any way involved.

Given all of these unknowns, I think a simple process-of-elimination approach to tracking down the leak will probably be fruitless, or worse, result in the finger being pointed at even more innocent parties. The one entity that may already have the answer to this question is Apple. They have the list of a million affected UDIDs, and they presumably have records of every app that has ever registered the associated push tokens. Cross-referencing a sample this large and precise against those registrations should narrow the origin(s) of the leak down reasonably quickly. Indeed, if Apple is on the ball they may already have done this.
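To make that concrete, here is an added illustration (my own sketch, not anything from the original post, and certainly not Apple's tooling) of the correlation a party holding the token-to-app registrations could run. The registry, the source names and the leaked token set below are entirely made up; the point is the method. Two measures matter: how much of the leak a candidate explains (recall) and how much of the candidate's own token population shows up in the leak (precision). A shared SDK that is the true source scores near 1.0 on both, whereas an innocent app that merely bundles that SDK explains only part of the leak and has many tokens the leak never contains. A greedy cover pass handles the amalgam case, where the dump is stitched together from more than one source.

```python
"""Correlate a leaked set of push tokens against a registry of which
sources (apps or third-party push services) have registered each token.

Added example. REGISTRY and the two LEAKED_* sets are constructed data;
only Apple would hold the real mapping, and these identifiers are made up.
"""
from typing import Dict, List, Set, Tuple

# Constructed registry: source -> set of push tokens it has registered.
# Three standalone apps with overlapping user bases, plus one analytics
# SDK that is embedded in all of them and sees every even-numbered token.
REGISTRY: Dict[str, Set[str]] = {
    "weather-app":   {f"tok{i:04d}" for i in range(0, 400)},
    "news-app":      {f"tok{i:04d}" for i in range(300, 700)},
    "game-app":      {f"tok{i:04d}" for i in range(650, 1000)},
    "analytics-sdk": {f"tok{i:04d}" for i in range(0, 1000) if i % 2 == 0},
}

# Constructed leak 1: every even token plus one token no source knows about.
# That pattern is the fingerprint of a single shared SDK as the origin.
LEAKED_SDK: Set[str] = (
    {f"tok{i:04d}" for i in range(0, 1000) if i % 2 == 0} | {"tok9999"}
)

# Constructed leak 2: the union of two apps' full token sets, i.e. an
# amalgam of two separate breaches rather than one source.
LEAKED_MIXED: Set[str] = REGISTRY["weather-app"] | REGISTRY["game-app"]


def coverage(registry: Dict[str, Set[str]],
             leaked: Set[str]) -> List[Tuple[str, float, float]]:
    """Rank sources by (recall, precision) against the leak.

    recall    = fraction of leaked tokens this source has registered
    precision = fraction of this source's tokens that appear in the leak
    A source that is the sole origin scores close to (1.0, 1.0).
    """
    rows = []
    for src, toks in registry.items():
        hit = len(toks & leaked)
        rows.append((src, hit / len(leaked), hit / len(toks)))
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return rows


def greedy_cover(registry: Dict[str, Set[str]], leaked: Set[str],
                 min_gain: float = 0.01) -> List[str]:
    """Amalgam case: repeatedly pick the source that explains the most
    still-unexplained tokens, stopping once no candidate adds at least
    min_gain of the leak. Returns the chosen sources in pick order."""
    remaining = set(leaked)
    chosen: List[str] = []
    while remaining:
        best, gain = None, 0
        for src, toks in registry.items():
            if src in chosen:
                continue
            g = len(toks & remaining)
            if g > gain:
                best, gain = src, g
        if best is None or gain < min_gain * len(leaked):
            break  # leftover tokens are noise or come from an unknown source
        chosen.append(best)
        remaining -= registry[best]
    return chosen


def unexplained(registry: Dict[str, Set[str]], leaked: Set[str]) -> Set[str]:
    """Tokens in the leak that no known source ever registered."""
    known: Set[str] = set().union(*registry.values())
    return leaked - known


if __name__ == "__main__":
    for name, leak in (("single SDK", LEAKED_SDK), ("amalgam", LEAKED_MIXED)):
        print(f"== {name} ==")
        for src, rec, prec in coverage(REGISTRY, leak):
            print(f"  {src:14s} recall={rec:.3f} precision={prec:.3f}")
        print("  greedy cover:", greedy_cover(REGISTRY, leak))
        print("  unexplained :", sorted(unexplained(REGISTRY, leak)))
```

Note what the second leak shows: ranked by recall alone the SDK still comes second, because it sees half of every app's users, but its precision of 0.75 gives it away as a bystander, and the greedy cover settles on the two apps. Recall without precision is exactly the trap the parlor game keeps falling into.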

Now for some frank speculation of my own. Let's assume for a moment that Antisec has been entirely truthful about the data, and that we're dealing with a single source. In that case, we're looking for:

  • ... an app or third-party service integrated into multiple apps
  • ... with 12 million or more users
  • ... that is APNS-enabled
  • ... which also gathers user data like real names and zip codes.

I'll throw my hat in the ring and say that my money is on a third-party service, not a single app. If my hunch is right, the list of possible culprits is actually rather short.