Software Engineer in Training

PREFACE

At Apple's Worldwide Developer Conference (WWDC) in 2018, Apple introduced a new interface for interacting with its Apple Music catalogue, MusicKit JS (JavaScript). It allows developers to create JavaScript front-end applications, including web players, that link to Apple Music.

ACQUISITION

Getting a developer token requires you to have an Apple developer account, which costs $99 USD per year.

The full process can be seen here, but the gist involves a generated private key (through Apple's developer portal) paired with your team ID (assigned by Apple to your account) to generate a developer token. Lee Martin created a Medium post on how to generate the token, which can be seen here.

USAGE

The developer token that was generated previously is used in the authorization process, which involves displaying which application the user is linking their account to. Connecting to the popular web player, www.playapplemusic.com, displays this verification in the account authorization process.

Apple Music authorization request

EXTRACTION

The developer token doesn't require much effort at all to extract from the supplied MusicKit JS API, involving only one line to be executed in the console of any web page that is utilizing the API.

MusicKit.getInstance().storekit.developerToken
Developer Token of www.playapplemusic.com

IMPLICATIONS

You could be wondering, why does it matter that someone can extract my developer token?

When I was starting development of an application that made use of MusicKit JS, I did not have a developer account, which is the initial reason I looked into a method of acquiring a token to start development without needing to purchase the account. A few days later, I purchased a developer account, but realized a few weeks later that I was still using someone else's developer token without any issues. I quickly generated my own, but with some worry:

Could someone else extract my developer token as easily? What can they do with my token? What if they cause my developer account to get restricted/locked/banned?

My biggest worry was that during the authentication process, it displays which application you are linking your Apple Music account to. Could someone else use my token to pretend to be my application, and trick a user into executing a task with malicious intent? For example, creating an account for this 'service' or typing in their password outside of the API to access 'specific features'.

Apple does not have the option to restrict the use of a token to a specific domain or application, so once a web page's or application's developer token is public, it is essentially free for anyone to use. They also do not specify (to my knowledge) the scope of the developer token, or whether a developer account could be locked because of unintended uses of that token.

CONCLUSION

There is no real way to hide your developer token. You can attempt to keep the developer token on a hosted server and fetch it on demand, but once it is handed to the MusicKit JS instance on the client side it is (incredibly) easily extracted from the console.
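Because the token is readable in the client, its validity window bounds how long an extracted copy stays usable. The following is an added example, not code from the original post or from Apple: it decodes a developer token (which Apple documents as an ES256-signed JWT with the key ID in `kid`, the team ID in `iss`, and `iat`/`exp` timestamps) so a developer can audit what their own site exposes. The function names, the one-day policy threshold, and the sample team ID and key ID are assumptions constructed for illustration.

```javascript
// Added example: audit the claims of a MusicKit developer token (a JWT).
// Decode only: the signature is NOT verified here.
function decodeSegment(segment) {
  // JWT header and payload segments are base64url-encoded JSON.
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// auditDeveloperToken is a hypothetical helper; maxLifetimeSec is a local
// policy assumption (default one day), not a limit taken from the page.
function auditDeveloperToken(token, nowSec, maxLifetimeSec = 24 * 60 * 60) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const header = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  const findings = [];
  if (header.alg !== 'ES256') findings.push(`unexpected alg: ${header.alg}`);
  if (!header.kid) findings.push('missing kid (key ID)');
  if (!claims.iss) findings.push('missing iss (team ID)');
  if (!Number.isInteger(claims.iat) || !Number.isInteger(claims.exp)) {
    findings.push('iat/exp missing or not integer seconds');
    return { teamId: claims.iss, keyId: header.kid, findings };
  }
  const lifetimeSec = claims.exp - claims.iat;
  const remainingSec = Math.max(0, claims.exp - nowSec);
  if (lifetimeSec > maxLifetimeSec) {
    findings.push(`lifetime ${lifetimeSec}s exceeds policy ${maxLifetimeSec}s`);
  }
  if (remainingSec === 0) findings.push('token already expired');
  return { teamId: claims.iss, keyId: header.kid, lifetimeSec, remainingSec, findings };
}

// Constructed sample token: placeholder team ID, key ID and signature.
function makeSampleToken(iat, exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = { alg: 'ES256', kid: 'KEYID00000' };
  const claims = { iss: 'TEAMID0000', iat, exp };
  return [enc(header), enc(claims), 'constructed-signature'].join('.');
}

const sampleNow = 1700000000; // constructed "current time" in Unix seconds
console.log(auditDeveloperToken(makeSampleToken(sampleNow - 3600, sampleNow + 180 * 86400), sampleNow));
```

Running the same audit against the token your own page serves shows how long a copied token would remain valid and which team ID and key ID it identifies.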

Apple really needs to implement domain or application restrictions for their MusicKit JS API, as their current method of authentication has some glaring malicious implications.

This, or they need to clarify that a developer would not be held responsible for the actions committed with that token, and until that point I personally will be steering away from publicly releasing any web application that makes use of MusicKit JS.