Is Apple going to stop people from abusing the MusicKit developer token taken from music.apple.com?

Many developers know that you can easily get a MusicKit developer token from music.apple.com. Just go to the console of the browser and input "MusicKit.getInstance().developerToken".

As of now, the token is

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldlYlBsYXlLaWQifQ.eyJpc3MiOiJBTVBXZWJQbGF5IiwiaWF0IjoxNjQ2NDM1NTgxLCJleHAiOjE2NjE5ODc1ODF9.Ob5bfZBWLDlDkR4r5fNXIjp1Y1G0qY5mP9MVBm1mDFjG701_6AcZS6nwjk-CMJE2b8VLv1JWxKR5j5BDkKxQ7w

This token is not like the one we developers generate ourselves that has many limitations. Instead, it is a privileged one that has some powerful features and is able to invoke some "private" API as follows:

  1. Deleting users' resources (for example, DELETE method on https://amp-api.music.apple.com/v1/me/library/songs/{id})
  2. Getting and showing lyrics
  3. Renaming playlists, reordering songs in a playlist
  4. Many other features that music.apple.com could do but your apps couldn't

I think it's fine to use it privately and not be evil, but Apple failed to stop people from abusing it.

I already spotted one app being sold on the Microsoft Apps Store (https://apps.microsoft.com/store/detail/cider-alpha/9P21XJ9D9G66) that is taking advantage of this "privileged" token.

Proofs are as follows:

fetch the privileged developer token
https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L3665

removeFromLibrary
https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2254

load official AM lyrics
https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2237

They get the token for free, take the source code from music.apple.com with some modifications, and put it into an Electron app. Then they sell it and beat other competing apps because it's more "powerful".

And this makes me, a developer obeying the rules, look like a stupid fool because

  1. I pay $99 for ADP to get the developer token, while they get it for free
  2. I got a token that has limited features, while theirs are far more powerful

I already submitted it to Apple but got no response. Apple should really start to do something, otherwise it's like telling every developer that:

Stop paying $99 for ADP to get your developer token, just grab it from music.apple.com. It's free yet super powerful to call private APIs and bypass limitations.

Answered by Media Engineer in 707595022

Thank you for sharing your feedback and concerns.

The only supported way of accessing the Apple Music API is by using the method described in Getting Keys and Creating Tokens. Any other method may be blocked at any time. To ensure continued access to Apple Music from your app or website, use only the documented method to obtain a developer token.

We are also always looking to enhance the Apple Music API available to our developers, and your continued feedback—including the feedback in this post—helps drive that. Please continue to file any additional feedback about important missing functionality via Feedback Assistant.

@eskimo see above.

I fully agree with this. How on earth did Apple even allow this FREE API token to become this powerful?

Well isn't this interesting! With absolutely no disrespect meant to the MusicKit team, who are no doubt limited by time, resources, and internal corporate priorities us outsiders have no idea about, it is frustrating to play around with this token and see so many of the features I would love to include in my app, such as:

  1. Deleting library items
  2. Time-synced lyrics
  3. Artist images
  4. Available audio qualities

The MusicKit API and web API have already come a long way towards leveling the playing field for third party Apple Music apps, but there are still lots of gaps, which can make our apps feel like second-class citizens. Maybe there are licensing issues preventing features like lyrics, but it is impossible for developers to know the surrounding context, and we are just stuck filing feedbacks and awaiting WWDC each year.

If the permissions included in this token were officially supported, my app would be better for it. Here's hoping!

Wow, this is interesting. Really want to know how Apple deals with this.

The privileged token could also be used to wipe a user's music library maliciously

Users sign in to their Apple Music account on any apps or websites without worrying about security issues because

  1. Only Apple's official apps and website could delete a user's content
  2. Users could review the info and then grant permission before they sign in to 3rd-party apps

But that GitHub project has bypassed all the protections mentioned above by using the privileged token, and users could hardly notice it. Therefore anyone using their app runs a potential risk of losing all his/her content in the library. And if it does happen, Apple will be blamed for not patching this vulnerability and not stopping people from abusing it.

I think a warning letter should be sent to that GitHub project. Right now they are promoting their app and receiving sponsorships.

I noticed Apple has added verification to the token that music.apple.com is using, i.e. added root_https_origin to the token payload. For anyone interested, please visit the link below:

https://jwt.io/#debugger-io?token=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldlYlBsYXlLaWQifQ.eyJpc3MiOiJBTVBXZWJQbGF5IiwiaWF0IjoxNjQ4NzAyODQ1LCJleHAiOjE2NjQyNTQ4NDUsInJvb3RfaHR0cHNfb3JpZ2luIjpbImFwcGxlLmNvbSJdfQ.YKJYticxSydqqyApFTAJjYURls4Oqb5b0VjbCxqJsYIPU4CtI1tCsk9697VOmwQdhIIsTpYprRcoA1qj_72RHw

But the Cider app still managed to find a workaround to bypass the verification. The proof is as follows:

curl --location --request GET 'https://api.cider.sh/v1/' \
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Cider/1.1.573 Chrome/96.0.4664.110 Electron/16.0.8 Safari/537.36' \
--header 'Host: api.cider.sh'

The token returned could still be used to call the "https://amp-api.music.apple.com" endpoint.

I appreciate Apple listening to our voices and responding quickly. But please take one more step to enforce the API endpoint so that tokens without root_https_origin in the payload cannot be used. Or perhaps there might be better ways to eliminate this workaround.

I appreciate that Apple has made some improvements to fix this issue, but there is still a workaround left behind. For more info please see my newest answer or visit this link.
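The enforcement asked for in the post above, sketched as an added example that is not part of the original thread and not Apple's implementation: an API-side check that rejects tokens lacking root_https_origin and tokens whose bound origin does not match the request. The function names, the subdomain matching rule, and the sample tokens (constructed, with claim sets mirroring the two payloads quoted in the thread and a placeholder signature) are assumptions; signature verification is assumed to have happened already.

```javascript
// Added example: hypothetical server-side check, not Apple's implementation.
// Assumption: the ES256 signature was already verified before this runs.

function decodeSegment(segment) {
  // JWT segments are base64url without padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function checkOriginBinding(token, originHeader, nowSec) {
  const malformed = { ok: false, reason: "malformed" };
  const mismatch = { ok: false, reason: "origin-mismatch" };
  const parts = String(token).split(".");
  if (parts.length !== 3) return malformed;
  let claims;
  try { claims = decodeSegment(parts[1]); } catch { return malformed; }
  if (claims === null || typeof claims !== "object") return malformed;
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    return { ok: false, reason: "expired" };
  }
  // Reject tokens that carry no origin binding at all.
  const roots = claims.root_https_origin;
  if (!Array.isArray(roots) || roots.length === 0) {
    return { ok: false, reason: "unbound" };
  }
  let url;
  try { url = new URL(originHeader); } catch { return mismatch; }
  if (url.protocol !== "https:") return mismatch;
  const host = url.hostname.toLowerCase();
  // Assumed rule: host equals a listed root or is a subdomain of it.
  const bound = roots.some(
    (r) => typeof r === "string" && (host === r || host.endsWith("." + r))
  );
  return bound ? { ok: true, reason: "bound" } : mismatch;
}

// Constructed sample tokens (placeholder signature, not real credentials).
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const makeSampleToken = (claims) =>
  [enc({ alg: "ES256", typ: "JWT" }), enc(claims), "sig-placeholder"].join(".");

const UNBOUND = makeSampleToken({ iss: "AMPWebPlay", iat: 1646435581, exp: 1661987581 });
const BOUND = makeSampleToken({
  iss: "AMPWebPlay", iat: 1648702845, exp: 1664254845,
  root_https_origin: ["apple.com"],
});
```

The Origin header is only a reliable signal for requests made by browsers, so a check like this complements, rather than replaces, keeping privileged tokens out of client-side code.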

Not very related to this topic, but some interesting messages found in Cider's Discord: https://discord.com/channels/843954443845238864/843954444747669507/959233928512806942 https://discord.com/channels/843954443845238864/868603096010485812/959231743800512532
