Is Apple going to stop people from abusing MusicKit developer token taken from music.apple.com
Many developers know that you can easily get a MusicKit developer token from music.apple.com. Just go to the console of the browser and input "MusicKit.getInstance().developerToken". As of now, the token is eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldlYlBsYXlLaWQifQ.eyJpc3MiOiJBTVBXZWJQbGF5IiwiaWF0IjoxNjQ2NDM1NTgxLCJleHAiOjE2NjE5ODc1ODF9.Ob5bfZBWLDlDkR4r5fNXIjp1Y1G0qY5mP9MVBm1mDFjG701_6AcZS6nwjk-CMJE2b8VLv1JWxKR5j5BDkKxQ7w

This token is not like the one we developers generate ourselves that has many limitations. Instead, it is a privileged one that has some powerful features and is able to invoke some "private" API as follows:

- Deleting users' resources (for example, DELETE method on https://amp-api.music.apple.com/v1/me/library/songs/{id})
- Getting and showing lyrics
- Rename playlist, reordering songs in a playlist
- Many other features that music.apple.com could do but your apps couldn't

I think it's fine to use it privately and do not be evil, but Apple failed to stop people from abusing it. I already spotted one app selling on Microsoft Apps Store (https://apps.microsoft.com/store/detail/cider-alpha/9P21XJ9D9G66) that is taking advantage of this "privileged" token. Proofs are as follows:

- fetch the privileged developer token https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L3665
- removeFromLibrary https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2254
- load official AM lyrics https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2237

They get the token for free, take the source code from music.apple.com with some modification, put it into an Electron app. Then sell it and beat other competitor apps because it's more "powerful".

And this makes me a developer obeying the rules like a stupid fool because

- I pay $99 for ADP to get the developer token, while they get it for free
- I got a token that has limited features, while theirs are far more powerful

I already submitted it to Apple but got no response. Apple should really start to do something, otherwise it's like telling every developer that: Stop paying $99 for ADP to get your developer token, just grab it from music.apple.com. It's free yet super powerful to call private APIs and bypass limitations.
Mar ’22
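
Added example, not part of the original post and not Apple's or any app's code: a stdlib-only audit that decodes a MusicKit developer token's header and claims (without verifying the signature) and reports how it differs from a token signed with your own ADP key, which is one way to catch a borrowed first-party token in a code base or build. It assumes the documented self-issued token shape (ES256, your key ID in `kid`, your Team ID in `iss`, lifetime of at most 15777000 seconds); `TEAMID1234` and `KEYID56789` are made-up IDs, and both sample tokens are constructed with placeholder signatures.

```python
import base64
import json

MAX_LIFETIME = 15777000  # assumption: documented cap of about six months, in seconds

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _segment(seg: str) -> dict:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def decode_unverified(token: str):
    """Return (header, claims) without checking the signature: inspection only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return _segment(parts[0]), _segment(parts[1])

def audit(token: str, team_id: str, key_id: str) -> list:
    """List the ways a token differs from one signed with our own ADP key."""
    header, claims = decode_unverified(token)
    findings = []
    if header.get("alg") != "ES256":
        findings.append("alg is not ES256")
    if header.get("kid") != key_id:
        findings.append(f"kid {header.get('kid')!r} is not our key ID")
    if claims.get("iss") != team_id:
        findings.append(f"iss {claims.get('iss')!r} is not our Team ID")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        findings.append("iat/exp missing or not integers")
    elif exp - iat > MAX_LIFETIME:
        findings.append("lifetime exceeds the six-month cap")
    return findings

def make_sample(header: dict, claims: dict) -> str:
    # Constructed test token: real segments, placeholder signature.
    enc = lambda d: _b64url(json.dumps(d, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.{_b64url(b'placeholder-signature')}"

# Header and claims that the token quoted in the post decodes to.
WEB_PLAYER = make_sample({"alg": "ES256", "typ": "JWT", "kid": "WebPlayKid"},
                         {"iss": "AMPWebPlay", "iat": 1646435581, "exp": 1661987581})
# Hypothetical self-issued token; TEAMID1234 and KEYID56789 are made-up IDs.
OWN = make_sample({"alg": "ES256", "kid": "KEYID56789"},
                  {"iss": "TEAMID1234", "iat": 1646435581, "exp": 1646439181})

if __name__ == "__main__":
    for name, tok in (("web player", WEB_PLAYER), ("own", OWN)):
        print(name, audit(tok, "TEAMID1234", "KEYID56789") or "ok")
```

The web-player claims fail on `kid` and `iss` only; their 180-day lifetime sits inside the cap, so the issuer fields, not the expiry, are what distinguish such a token.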