Howettblog®

iTunes App Store Hacking

by on Dec.19, 2008, under Hacking

[Screenshot: App Store Category List]

Last night, I tried to figure out how the iTunes App Store (as accessed from the iPod Touch) worked.
I was able to simulate the app store experience, and here are the few notes I took on the matter.

All replies from the App Store are gzip-compressed.
If any of these steps fails, the connection is terminated.

  1. The device queries phobos.apple.com for a “bag” (ix=2), which contains a signature and a signing key.
  2. The device sends a non-binary plist (XML property list) of its current applications to a WebObject called “availableSoftwareUpgrades”.
  3. The App Store replies with a list of all the information for those applications. It is up to the iPod itself to determine whether or not there are upgrades.
  4. Periodically, the device makes a request to metrics.apple.com (which replies 100 Continue instead of 200 OK), which I believe is for stats tracking.
  5. The device reads software categories and loads icons (WebObject viewFeaturedSoftwareCategories).
  6. The device loads the contents of a category (WebObject viewGenre).
  7. The device loads an application’s information descriptor (WebObject viewSoftware). For some reason this contains the text to be used in the price display, as well as the “INSTALL” or “BUY NOW” text.
  8. The device initiates a secure connection to download an application. This is where I had to stop my research, as I couldn’t track this.
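To make steps 2 and 3 concrete, here is an added example (my own, not code from the original post or from Apple) that plays both sides of the availableSoftwareUpgrades exchange offline: the device side serialises its installed-app list as an XML plist, a stand-in server answers with a gzip-compressed plist, and the device side decompresses it and decides locally which apps have upgrades. The plist key names (applications, bundleId, version, latestVersion), the catalogue contents and the app identifiers are all constructed assumptions; the post does not document Apple's actual schema, only that the request is a non-binary plist and every reply is gzip-compressed.

```python
import gzip
import plistlib

# Constructed sample of what a device might report as its installed
# applications. Key names are assumptions, not Apple's real schema.
INSTALLED = [
    {"bundleId": "com.example.notes", "version": "1.0"},
    {"bundleId": "com.example.weather", "version": "2.3"},
]

# Constructed stand-in for the store's catalogue: bundle id -> latest version.
CATALOGUE = {
    "com.example.notes": "1.1",
    "com.example.weather": "2.3",
}


def build_device_request(installed):
    """Device side (step 2): serialise the installed-app list as an XML plist."""
    return plistlib.dumps({"applications": installed}, fmt=plistlib.FMT_XML)


def serve_available_upgrades(request_body):
    """Stand-in server: parse the device's plist and reply with the catalogue
    entry for every reported app. The reply is gzip-compressed, as the post
    says every App Store reply is."""
    request = plistlib.loads(request_body)
    reply = {
        "applications": [
            {
                "bundleId": app["bundleId"],
                "latestVersion": CATALOGUE.get(app["bundleId"], app["version"]),
            }
            for app in request["applications"]
        ]
    }
    return gzip.compress(plistlib.dumps(reply, fmt=plistlib.FMT_XML))


def version_tuple(version):
    """Compare dotted versions numerically so that 1.10 > 1.9."""
    return tuple(int(part) for part in version.split("."))


def find_upgrades(installed, gzipped_reply):
    """Device side (step 3): decompress and parse the reply, then decide
    locally which installed apps have a newer version available."""
    reply = plistlib.loads(gzip.decompress(gzipped_reply))
    latest = {a["bundleId"]: a["latestVersion"] for a in reply["applications"]}
    return sorted(
        app["bundleId"]
        for app in installed
        if version_tuple(latest[app["bundleId"]]) > version_tuple(app["version"])
    )


def run_exchange(installed=INSTALLED):
    """Run the full request/reply round trip and return the upgradeable apps."""
    request_body = build_device_request(installed)
    gzipped_reply = serve_available_upgrades(request_body)
    return find_upgrades(installed, gzipped_reply)


if __name__ == "__main__":
    print(run_exchange())  # ['com.example.notes']
```

The same gzip handling applies when poking at the real endpoints with curl: its --compressed flag asks for and transparently decodes a gzip-encoded body, so the XML plist comes out readable instead of as compressed bytes.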

Tools used:

  • curl (Commandline URL Fetcher)
  • Wireshark (packet capturer/analyzer)
  • Apache (Web Server, used here to serve fake App Store pages)
  • A single firewall rule on my router to redirect all traffic coming from the iPod back to my computer (iptables -t nat -A PREROUTING -s ipod -p tcp -j DNAT --to 192.168.254.1. Note: I couldn’t redirect to a computer inside the router’s network, so I had to hook up via WiFi to the router AND via Ethernet to the modem)

[Screenshot: Modified App Store Application]

Not much useful information about the app loading process was gleaned from this, unfortunately, though I did manage to snap some “neat” screenshots of my meddling.

Applications are signed, though, so even if this were an exploitable vector, the device would need to be jailbroken first, which makes it useless as an attack.
Neat nonetheless.


5 Comments for this entry

  • Piers

    nice, what were the URLs the phone sent to get info from the server?

    • Dustin

      Hmm, let’s see….

      All URLs are relative to phobos.apple.com

      Bag: /bag.xml?ix=2
      viewSoftware: /WebObjects/MZStore.woa/wa/viewSoftware?id=294773236&mt=8
      availableSoftwareUpdates (POST plist of software): /WebObjects/MZPersonalizer.woa/wa/availableSoftwareUpdates
      viewFeaturedSoftwareCategories: /WebObjects/MZStore.woa/wa/viewFeaturedSoftwareCategories
      viewGenre: /WebObjects/MZStore.woa/wa/viewGenre?id=6014&mt=8&selected-tab-index=0

      Metrics: various arguments to metrics.apple.com/b/ss/applesuperglobal/1/G.6--NS

  • JStraitiff

    That’s pretty cool. Always interesting to see how the things we overlook every day actually work behind the scenes.

  • Todd

    Nice article. Do you know if it’s possible to get a list using curl of all the apps in the App Store that are free? I’ve seen some appscrap scripts for getting reviews and such but nothing directed at free apps. I know the appId for free apps is 27, but not sure what the URL would be? Have any idea on this?

  • Jim

    Dear all,
    please forgive me if I’m disturbing you.
    But I have a problem that still has no solution.

    I got an iPhone 3GS, iOS 4.1, MB715LL/A (new boot, I guess).
    I already tried all JB and unlock methods, even with the offline method, but still none are working. I bought it in the US (AT&T) and have now brought it to Indonesia.
    It always keeps restarting, kind of like an empty battery, and the funny thing is there’s no baseband detected; even when I tried to inject the iPad baseband 06.15, it still wasn’t working. No WiFi, no Bluetooth. Here I attached pics of my 3GS. The installed firmware is not detected either.

    Redsn0w, Sn0wbreeze and offline methods are all not working.

    Please help.

    Thanks.
    Respectfully yours,
    Saputra

    http://img571.imageshack.us/img571/1126/img0002ys.jpg

    http://img148.imageshack.us/img148/6121/img0003on.jpg
