A UDID is a unique identifier associated with every IOS device. Any installed app can access the UDID without the user's consent - of a sample of 94 apps I tested, 74% sent the UDID to one or more servers on the Internet, often without encryption. In this paper, I show that that there is a pervasive mis-handling of UDIDs by social gaming networks, allowing an attacker with a UDID to access user information, compromise a user's social gaming accounts, and, in some cases, compromise Twitter and Facebook accounts. These vulnerabilities affect all the major social gaming networks, and potentially span tens of millions of users.
I also introduce mitmproxy, an open-source SSL-capable man-in-the-middle proxy which was used to obtain these results. My hope is that tools like this will make it easier to inspect device traffic and spot this kind of problem early.