Is Apple going to stop people from abusing MusicKit developer token taken from music.apple.com

Many developers know that you can easily get a MusicKit developer token from music.apple.com. Just go to the console of the browser and input "MusicKit.getInstance().developerToken".

As of now, the token is

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldlYlBsYXlLaWQifQ.eyJpc3MiOiJBTVBXZWJQbGF5IiwiaWF0IjoxNjQ2NDM1NTgxLCJleHAiOjE2NjE5ODc1ODF9.Ob5bfZBWLDlDkR4r5fNXIjp1Y1G0qY5mP9MVBm1mDFjG701_6AcZS6nwjk-CMJE2b8VLv1JWxKR5j5BDkKxQ7w

This token is not like the one we developers generate ourselves that has many limitations. Instead, it is a privileged one that has some powerful features and is able to invoke some "private" API as follows:

  1. Deleting users' resources (for example, DELETE method on https://amp-api.music.apple.com/v1/me/library/songs/{id})
  2. Getting and showing lyrics
  3. Rename playlist, reordering songs in a playlist
  4. Many other features that music.apple.com could do but your apps couldn't

I think it's fine to use it privately and do not be evil, but Apple failed to stop people from abusing it.

I already spotted one app selling on Microsoft Apps Store(https://apps.microsoft.com/store/detail/cider-alpha/9P21XJ9D9G66) that is taking advantage of this "privileged" token.

Proofs are as follows:

fetch the privileged developer token
https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L3665

removeFromLibrary
https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2254

load official AM lyrics
https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2237

They get the token for free, take the source code from music.apple.com with some modification, put it into an electron app. Then sell it and beat other competitor apps because it's more "powerful".

And this makes me a developer obeying the rules like a stupid fool because

  1. I pay $99 for ADP to get the developer token, while they get it for free
  2. I got a token that has limited features, while theirs are far more powerful

I already submitted it to Apple but got no response. Apple should really start to do something, otherwise It's like telling every developer that:

Stop paying $99 for ADP to get your developer token, just grab it from music.apple.com. It's free yet super powerful to call private APIs and bypass limitations.

Up vote post of okc Down vote post of okc
3.4k views
Posted by
okc
Reply

  • @eskimo see above.

    MobileTen

  • Wow, this is interesting. Really want to know how Apple deals with this

    snuff4

  • I appreciate Apple has made some improvement to fix this issue but there is still a workaround left behind. For more info please see my newest answer or visit this link.

    okc
Add a Comment

Apple Recommended

Thank you for sharing your feedback and concerns.

The only supported way of accessing the Apple Music API is by using the method described in Getting Keys and Creating Tokens. Any other method may be blocked at any time. To ensure continued access to Apple Music from your app or website, use only the documented method to obtain a developer token.

We are also always looking to enhance the Apple Music API available to our developers, and your continued feedback—including the feedback in this post—helps drive that. Please continue to file any additional feedback about important missing functionality via Feedback Assistant.

Posted by
Media Engineer
Post not yet marked as solved Up vote reply of Media Engineer Down vote reply of Media Engineer
Post marked as Apple Recommended

  • I appreciate you are standing with us, but maybe there's more you could do now, not an uncertain "may be blocked at any time".

    I have a MusicKit related app on the Microsoft app store. As a victim of this unfair competition, I would like Apple could help contact Microsoft to remove that app (apps.microsoft.com/store/detail/cider-alpha/9P21XJ9D9G66) from the Microsoft app store.

    okc
Add a Comment

Replies

i fully agree with this, how on earth did apple even allow this FREE api token to become this powerful?

Posted by
smallville7123
Post marked as downvoted Up vote reply of smallville7123 Down vote reply of smallville7123

  • Well, it's powerful because it's being used in the official product(music.apple.com). And you could use it for free(but not legally I guessed :D)because it doesn't have any protection to fetch it nor verification when using it.

    okc
Add a Comment

Well isn't this interesting! With absolutely no disrespect meant to the MusicKit team, who are no doubt limited by time, resources, and internal corporate priorities us outsiders have no idea about, It is frustrating to play around with this token and see so many of the features I would love to include in my app, such as:

  1. Deleting library items
  2. Time-synced lyrics
  3. Artist images
  4. Available audio qualities

The MusicKit API and web API have already come a long way towards leveling the playing field for third party Apple Music apps, but there are still lots of gaps, which can make our apps feel like second-class citizens. Maybe there are licensing issues preventing features like lyrics, but it is impossible for developers to know the surrounding context, and we are just stuck filing feedbacks and awaiting WWDC each year.

If the permissions included in this token were officially supported, my app would be better for it. Here's hoping!

Posted by
talkingsmall
Up vote reply of talkingsmall Down vote reply of talkingsmall
Add a Comment

Thank you for sharing your feedback and concerns.

The only supported way of accessing the Apple Music API is by using the method described in Getting Keys and Creating Tokens. Any other method may be blocked at any time. To ensure continued access to Apple Music from your app or website, use only the documented method to obtain a developer token.

We are also always looking to enhance the Apple Music API available to our developers, and your continued feedback—including the feedback in this post—helps drive that. Please continue to file any additional feedback about important missing functionality via Feedback Assistant.

Posted by
Media Engineer
Post not yet marked as solved Up vote reply of Media Engineer Down vote reply of Media Engineer
Post marked as Apple Recommended

  • I appreciate you are standing with us, but maybe there's more you could do now, not an uncertain "may be blocked at any time".

    I have a MusicKit related app on the Microsoft app store. As a victim of this unfair competition, I would like Apple could help contact Microsoft to remove that app (apps.microsoft.com/store/detail/cider-alpha/9P21XJ9D9G66) from the Microsoft app store.

    okc
Add a Comment

The privileged token could also be used to wipe a user's music library maliciously

Users sign in to their Apple Music account on any apps or websites without worrying security issues because

  1. Only Apple official apps and website could delete user's content
  2. Users could review the info and then grant permission before they sign in 3rd party apps

But that github project has bypassed all the protections mentioned forehead by using the privileged token, and users could hardly notice it. Therefore anyone using their app has a potential risk to lose all his/her content in the library. And if it does happen, Apple will be blamed for not patching this vulnerability and not stopping people abusing it.

I think a warning letter should be sent to that github project. Right now they are promoting their app and receiving sponsorships.

Posted by
okc
Post not yet marked as solved Up vote reply of okc Down vote reply of okc

  • Once Apple fixes the API then the CIDER GitHub project will be have no other choice than to comply with the rules.

    MobileTen

  • @MobileTen Thanks for pointing out. But they still have a workaround, please see below.

    okc
Add a Comment

I noticed Apple has added verification to the token that music.apple.com is using, i.e added root_https_origin to the token payload. For anyone interested, please visit the link below:

https://jwt.io/#debugger-io?token=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldlYlBsYXlLaWQifQ.eyJpc3MiOiJBTVBXZWJQbGF5IiwiaWF0IjoxNjQ4NzAyODQ1LCJleHAiOjE2NjQyNTQ4NDUsInJvb3RfaHR0cHNfb3JpZ2luIjpbImFwcGxlLmNvbSJdfQ.YKJYticxSydqqyApFTAJjYURls4Oqb5b0VjbCxqJsYIPU4CtI1tCsk9697VOmwQdhIIsTpYprRcoA1qj_72RHw

But the Cider app still managed to find a work around to bypass the verification. The proof is as follows:

curl --location --request GET 'https://api.cider.sh/v1/' \
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Cider/1.1.573 Chrome/96.0.4664.110 Electron/16.0.8 Safari/537.36' \
--header 'Host: api.cider.sh'

The token returned could still be used to call the "https://amp-api.music.apple.com" endpoint.

I appreciate Apple listen to our voices and respond quickly. But please do one more step to enforce the API endpoint so that token without root_https_origin in the payload cannot be used. Or perhaps there might be better ways to eliminate this workaround.

Posted by
okc
Up vote reply of okc Down vote reply of okc
Add a Comment

Not very related to this topic, but some interesting messages found in Cider's Discord: https://discord.com/channels/843954443845238864/843954444747669507/959233928512806942 https://discord.com/channels/843954443845238864/868603096010485812/959231743800512532

Posted by
lannik
Up vote reply of lannik Down vote reply of lannik
Add a Comment