Apple puts entire App Store on the web – accidentally leaks code

For years, it has been possible to retrieve information about content from Apple's various App Store variants via the web. However, this always required the appropriate URL. Now, the company has moved its software store for iPhone, iPad, Mac, Vision (Pro), Apple Watch, and Apple TV completely into the browser for the first time, including search functionality, editorial content, and more. However, there was a leak during the setup: the front-end source code escaped and landed on GitHub meanwhile. Apple has since had it removed via a DMCA takedown request.

Almost the entire App Store in the browser

With Apple's new web interface, almost everything you can do in the respective app on iPhone, iPad, Mac & Co. can now be done in the App Store—except for actual purchases, including login and account overview. So it's a permanent guest mode. Whether Apple will change anything about this remains unclear—for example, it would be conceivable to “pre-purchase” an app on the web and then download it on the actual device. For instance, there has been a web version of Apple Music for a long time, which at least allows streaming of one's own library and other tracks after logging in.

For the Vision Pro, Apple had already created the option to access applications on the headset remotely via an own iPhone app. Interesting in relation to the spatial computing device: Apple refers to it as “Vision” without “Pro” in the App Store. According to rumors, Apple has at least temporarily been working on a simpler variant of its headset, to which the designation would fit.

Sourcemaps function active

The code that escaped to GitHub, which user rxliuli found and then published, was visible because Apple had accidentally left the Sourcemaps function active. This allowed the user to extract and download all sources accessible on Apple's servers using a Chrome extension. This then became a GitHub repository “for educational purposes,” as the person stated according to a report by 9to5Mac there, before GitHub took down the collection, presumably initiated by Apple itself.

The available components included the API integration code, parts of the UI, the state management logic, and the complete source code in Svelte or TypeScript, respectively. The routing configuration was also visible. It is surprising that Apple forgot to deactivate the sourcemaps function; this is usually one of the last steps before a new service goes live. Whether security issues for the App Store could arise from the leak remains open.

Empfohlener redaktioneller Inhalt

Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.

Preisvergleiche immer laden Preisvergleich jetzt laden

Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.

(bsc)