
A UIApplication method (registerForRemoteNotificationTypes:) negotiates with Apple's servers using device information to obtain a 32-byte push token unique to a given device/app pair. It is likely based on the device's global id (UDID) and the application's appid and certificates. Someone should figure out the exact network handshake.

Any app developer is capable of collecting UDIDs using their released apps (the UDID is constant and visible across all apps). Note, having the UDID does not necessarily mean you can obtain the push token. But you may be able to derive the push token from it and from information contained in the app.

Assuming you could figure out someone's push token, you could cause a push to show up in the name of the app whose certificate/key you've obtained!




> 32-byte push token unique to a given device/app pair. It is likely based on the device's global id (UDID) and the application's appid and certificates.

This isn't quite correct, the device token is not unique per app, it's unique per device. (Technically, a device will have two tokens, one for the APNS sandbox, and the second for production.)

The device token can't be derived by mere mortals, it is a cryptographic identifier returned from APNS to the device.


Unfortunately, by a bit of digging I was able to reveal some actual push tokens. I could now send messages to an app that is not mine!



