Major cellphone game networks have been handling the unique ID numbers on smartphones in insecure ways – in some cases even allowing access by a potential cybercriminal to a user’s Facebook and Twitter accounts – new research suggests.
These unique identifiers – long strings of numbers and letters associated with the phone – don’t themselves hold any information about users. But app developers and mobile ad networks often use them to keep track of user accounts, sometimes storing them along with more sensitive information like name, location, e-mail address or social-networking data.
In effect, the developers are using these phone identifiers as a “key” to the other information. But the problem is that phone identifiers don’t make a very secure key, said Aldo Cortesi, a security researcher who has been studying these vulnerabilities for several months.
The wide use of phone IDs means that they are not secret values, Cortesi says, and many apps can access the phone ID with relative ease. […]
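As an added illustration of the pattern just described (a constructed example, not Cortesi's code or any game network's API): an account store that treats the device ID as the credential, beside one where the ID is only an index and a server-issued random token is the credential. Class names, the device ID value and the profile are invented.

```python
"""Toy model of the flaw: a game network keyed on the phone's device ID.
Constructed example; not Cortesi's code or any real network's API."""
import hashlib
import hmac
import secrets

# Constructed device ID; in practice this value is readable by many apps.
DEVICE_ID = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"

class VulnerableNetwork:
    """Accounts keyed directly by device ID: the ID *is* the credential."""
    def __init__(self):
        self.accounts = {}

    def register(self, device_id, profile):
        self.accounts[device_id] = profile

    def login(self, device_id):
        # Anyone who knows the (non-secret) device ID gets the profile.
        return self.accounts.get(device_id)

class HardenedNetwork:
    """Device ID is only an index; a random secret issued at registration
    is the credential, stored hashed so a server leak does not expose it."""
    def __init__(self):
        self.accounts = {}

    def register(self, device_id, profile):
        token = secrets.token_hex(32)
        self.accounts[device_id] = (hashlib.sha256(token.encode()).digest(), profile)
        return token  # handed to the client once; not derivable from the device ID

    def login(self, device_id, token):
        entry = self.accounts.get(device_id)
        if entry is None:
            return None
        stored, profile = entry
        if not hmac.compare_digest(stored, hashlib.sha256(token.encode()).digest()):
            return None
        return profile

def demo():
    """Returns (ID alone logs in to vulnerable, ID alone rejected by hardened,
    ID plus token accepted by hardened)."""
    profile = {"name": "alice", "email": "alice@example.com"}
    vuln = VulnerableNetwork(); vuln.register(DEVICE_ID, profile)
    hard = HardenedNetwork(); token = hard.register(DEVICE_ID, profile)
    return (vuln.login(DEVICE_ID) == profile,
            hard.login(DEVICE_ID, "") is None,
            hard.login(DEVICE_ID, token) == profile)
```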
Cortesi confined his tests to Apple devices and studied seven major game networks, including Crystal, the game network of Chillingo, which publishes “Angry Birds”, and the network of “FarmVille” maker Zynga.
The networks leaked information to Cortesi ranging from the player’s user name to e-mail addresses, location, gender and friends. All of the networks except one – Plus+ – would allow a person to log in as another user by using the stolen device ID. And two – Crystal and Scoreloop – allowed access to Facebook and Twitter information in some way.
Some of the networks used cryptography to prevent the IDs from being used this way, but Cortesi said he has verified that it’s possible to circumvent that protection.