[HN Gopher] AltStore: An alternative app store for non-jailbroke...
       ___________________________________________________________________
        
       AltStore: An alternative app store for non-jailbroken iOS devices
        
       Author : dariosalvi78
       Score  : 148 points
       Date   : 2020-11-08 20:40 UTC (2 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | bgia wrote:
       | This system re-signs apps with your developer signature, and to
       | work around the expiration leaves a server running on your
       | computer that periodically re-signs apps and updates them over the
       | air on your iPhone.
       | 
       | I think this is simple yet genius. I wonder if it works on
       | AppleTV as well?
        
         | harikb wrote:
         | Doesn't the user also need their own Apple Developer account?
        
           | latchkey wrote:
           | https://altstore.io/faq/
           | 
           | Why do you need my Apple ID?
           | 
           | Apple allows anyone with an Apple ID to install apps they've
           | built themselves onto their devices for testing. AltStore
           | uses your Apple ID to communicate with Apple's servers on
           | your behalf and perform the necessary steps to prepare your
           | account for installing apps onto your device.
           | 
           | Why does it say my apps will expire in 7 days?
           | 
           | Unfortunately, apps that have been installed using non-
           | developer Apple IDs (in other words, Apple IDs not tied to a
           | $99/year Apple developer account) are only valid for 7 days,
           | at which point they will no longer open. To compensate for
           | this, AltStore will periodically attempt to refresh your apps
           | in the background, and you can always manually refresh your
           | apps from within AltStore.
        
       | maskedinvader wrote:
       | This is a brilliant workaround, wonder if Apple will try taking
       | this down or let this be.
        
         | gameswithgo wrote:
         | Hah! I don't wonder. They will probably just find a way to make
         | this not work.
        
         | saurik wrote:
         | Apple keeps adding restrictions to what free developers can do,
         | which makes this less and less viable. They also made a major
         | change to their authentication mechanism for these free
         | developer accounts last year, which (to avoid a lot of reverse
         | engineering of highly obfuscated--and notably "well" obfuscated
         | --Apple code) required a pretty obtuse workaround from AltStore
         | on macOS where it injects into Mail.app as a plug-in... I am
         | shocked Apple hasn't figured out some way to restrict this yet
         | (it could be that it didn't occur to them there is still work
         | to be done upping the ante here?).
        
         | pydry wrote:
         | If they do they're waving a big red flag that says "ANTITRUST
         | VIOLATOR".
         | 
         | So, it _will_ be interesting to see if they do.
        
       | gregoriol wrote:
       | This will have limitations on notifications and features like
       | iCloud sync I guess?
       | 
       | And while not very likely as it will be hard to differentiate a
       | real developer from this, Apple could still revoke Apple IDs or
       | developer accounts whenever they want.
       | 
       | edit: also no way to have update suggestions? (an app can be
       | updated, but the AltStore app can't know which app is installed
       | or which version?)
        
         | [deleted]
        
       | core-questions wrote:
       | The only downside here is that you have to have a Mac (or some
       | hackintosh, I guess) to do this. Anyone have any idea on the
       | state of the art for running an OSX virtual machine?
        
         | saurik wrote:
         | AltStore also supports Windows AFAIK. https://altstore.io/
        
           | kevincox wrote:
           | If it works on Windows why does it need the server at all? If
           | it is just making requests to Apple can't you do the signing
           | on the phone? (Other than the bootstrap procedure)
        
             | saurik wrote:
             | You can do the signing on the phone (though there is some
             | nuance here as logging in to the account is hard and the
             | techniques used by AltStore involve injection into other
             | Apple software; this is at least theoretically fixable, but
             | does mean that it wouldn't be trivial), but you can't do
             | the installation from another app on the phone in any
             | obvious way (at least without restricted entitlements).
             | AltStore is acting like Xcode doing over-the-network
             | installs from AltServer (and then also happens to do the
             | signing there, but that's again simply to make it easier to
             | develop it).
             | 
             | AltStore is based on the signing code I developed and also
             | used in my Cydia Impactor (which lets you install apps over
             | USB); I actually did develop another tool called Cydia
             | Extender, which would run on your phone, but I dropped the
             | effort when I couldn't get stuff to install on the phone
             | (the technique I came up with relied on an entitlement that
             | was only able to be installed by users with developer
             | accounts; I even somehow failed to notice this until after
             | I released it, which was awkward: I still can't believe I
             | messed up my testing that badly). (Actually... maybe I have
             | a way to pull this off now? It is a long shot, and somewhat
             | risky ;P.)
        
               | mikeknoop wrote:
               | Could you use a VPN on the device to make a remote server
               | appear as a local server for network installs? If so,
               | could you loop back an on device "server" through a
               | remote proxy?
        
               | saurik wrote:
               | So, this is actually how Cydia Extender "worked" (aka,
               | "failed" ;P)--though I wasn't using the Xcode protocol
               | but instead did an ad hoc install (which turned out to
               | also separately not work for non-developer signed IPA
               | files, TWO issues I had failed to notice before release
               | ;P)--but Apple restricts usage of the Network Extension
               | (VPN) API using an entitlement only available to paid
               | developers (which I will strongly assert is to help the
               | CCP's censorship of Chinese citizens as part of Apple's
               | continual unfortunate collaboration). (I now happen to
               | work on semi-programmable VPN tech that is in the App
               | Store, so I might have options; a bit risky, though ;P.)
        
             | vvll wrote:
             | AltDaemon [1] runs on the phone and does this - it does
             | require a jailbreak however.
             | 
             | [1] https://repo.dynastic.co/package/altdaemon
        
         | djxfade wrote:
         | No, AltStore has a server for Windows as well
        
         | phoe-krk wrote:
         | https://github.com/myspaghetti/macos-virtualbox
         | 
         | Pretty bulletproof and automated.
        
           | Shank wrote:
           | This script seems to include the magic encryption string[0].
           | I'm surprised that it hasn't been DMCA'd yet.
           | 
           | [0]: https://github.com/myspaghetti/macos-virtualbox/blob/master/...
        
             | phoe-krk wrote:
             | The magic "ourhardworkbythesewordsguardedpleasedontsteal(c)
             | AppleComputerInc" haiku-string is already kind of a meme by
             | now.
             | 
             | See https://news.ycombinator.com/item?id=9589961
        
       ___________________________________________________________________
       (page generated 2020-11-08 23:00 UTC)