
AltStore: Alternative iOS app store that doesn't require a jailbreak - itsfirat
https://www.engadget.com/2019/09/26/altstore-alternative-ios-app-store/
======
josephpmay
All the other comments are focusing on the Apple angle, but I want to comment
on how amazing the developer, Riley, is.

I've seen him working on this project (Delta and the AltStore) for four or
five years. It's a project he's passionate about, and he's building it for
himself, not to try and make money. (In fact, he's turned down offers from
startups and top tech companies to work on this). More than almost anyone else
I know, Riley embodies the classical hacker ethos. I believe partway through
the project he decided to make this open source, so he then went back and
refactored a lot of the code to make it easier to learn from.

Here's the repository, btw:
[https://github.com/rileytestut/AltStore](https://github.com/rileytestut/AltStore)

~~~
codesternews
That is good. But I have a question: when did he start on AltStore? Has he
been working on AltStore for 4-5 years? I do not think it was possible 4-5
years ago.

I think Apple released free signing without an Apple Developer Account in July
2016.

~~~
grenoire
Must have misunderstood, he had the initial commit for AltStore this May. It's
Delta he's talking about.

------
duskwuff
From the author's blog post on how AltStore works [1]:

> For this distribution method, AltStore requires your Apple ID and password
> to communicate on your behalf with Apple’s developer servers.

This seems really sketchy, and I would not be surprised if Apple took steps to
prevent this, and possibly even to disable Apple IDs associated with this
activity.

> The last major restriction is that an iOS device may only ever have at most
> 3 apps installed using this method, even if they come from different Apple
> IDs. This was by far the most frustrating one to deal with, but thankfully I
> was able to find a workaround in time.

The workaround (swapping around provisioning profiles) sounds like it's
abusing a bug which Apple could fix pretty easily.

[1]: [http://rileytestut.com/blog/2019/09/25/introducing-altstore/](http://rileytestut.com/blog/2019/09/25/introducing-altstore/)

~~~
vunie
Apple is already facing antitrust actions regarding its walled garden. I doubt
apple would be eager to give authorities more ammunition.

Alternative app stores will likely come to ios in one form or another. I think
the smarter reaction would be for apple to offer an official API so that it
can remain somewhat in control.

------
gruez
> Testut told The Verge that measures to block AltStore would break key
> functionality for developers or iTunes syncing.

No, it won't. Keep in mind that we didn't have the 7 day side-load for free
apple ids prior to 2015[1]. All apple has to do is disable sideloading for
free accounts. I imagine it won't impact many legitimate developers, who
probably have paid developer accounts anyways.

[1] [https://9to5mac.com/2015/06/10/xcode-7-allows-anyone-to-down...](https://9to5mac.com/2015/06/10/xcode-7-allows-anyone-to-download-build-and-sideload-ios-apps-for-free/)

~~~
josephpmay
It wouldn't break functionality for developers releasing apps in the app
store, but it would break functionality for kid/teen developers and coding
classes and people teaching themselves to code, which Apple cares a lot more
about than people putting a Gameboy emulator on their phones

~~~
borland
I wouldn't be AT ALL surprised if Apple decides to break the kid/teen
developers over this. People like the AltStore developer are why we can't have
nice things.

~~~
deft
AltStore is a nice thing, and blocking it would be apple removing nice things.
Why are you shifting the blame to a developer?

------
pcr910303
For people who want to go directly without visiting the article...

This is the AltStore's main link: [https://altstore.io](https://altstore.io)

This is the author's launch blogpost:
[http://rileytestut.com/blog/2019/09/25/introducing-altstore/](http://rileytestut.com/blog/2019/09/25/introducing-altstore/)

And this is the GitHub repo:
[https://github.com/rileytestut/AltStore](https://github.com/rileytestut/AltStore)

------
zapzupnz
> Testut told The Verge that measures to block AltStore would break key
> functionality for developers or iTunes syncing.

Well, there's an underestimation of Apple if ever I saw it.

~~~
tkjef
it's chess. apple's move. interesting to watch. hats off to the dev for
playing the game. rooting for ya!

------
noodlesUK
Isn’t apple just gonna blacklist this somehow? I get that you’re signing the
app, but it’s definitely against the TOS in some obscure way. It’s not as
though they won’t know which Apple IDs are logged in to the phones this gets
installed on, regardless of signing certs.

Edit: I do really like this though, it is a clever way out of the walled
garden! I’ve used TestFlight to load stuff like ish on my phone, and would
consider doing this if apple doesn’t go around murdering apple ids associated
with it.

~~~
greggman2
If Apple is tracking IDs how is that not anti-privacy?

In fact arguably they should implement signed receipts so they don't have to
track which apps you own. As it is they know all the apps you own, and
probably even when and how often you run them.

Instead they could send you a cryptographically signed receipt and then not
actually keep track of which apps you own. When you want an update they verify
the receipt. That would be more privacy oriented than what they have now.

~~~
willstrafach
They do this.

[https://developer.apple.com/library/archive/releasenotes/Gen...](https://developer.apple.com/library/archive/releasenotes/General/ValidateAppStoreReceipt/Introduction.html)

------
notduncansmith
I remember chatting with people in the Bay Area about this idea a few years
ago. I decided not to pursue it because I don’t favor adversarial business
models, but I’m very curious to see if this person can pull it off.

Their best chance of survival, IMO, is building a developer collaboration
platform that Apple finds worthy of purchase and maybe will integrate into
Xcode - something along the lines of GitHub but exclusive to the Apple
platform with lots of integrations they can rely on for workflows and such. I
think I’ve read that Apple isn’t big on services, but if this were developed
in a peer-to-peer sort of way, piggybacking on iCloud as much as possible,
maybe they’d want it.

------
Gorbzel
Apple can and should block this by fixing the bug allowing rotating
provisioning profiles to bypass the three app limit.

Nor do I expect they would or should try to "let this slide" due to the fear
of antitrust investigation. Hacker News loves to deploy the walled ecosystem
FUD, but given the iOS security model has proven itself technically absent any
consideration of trustbusting, I expect them to stand on their convictions and
fight the antitrust battle head on, not death by a 1000 pinpricks.

Encourage folks to learn more technically and use the developer tooling as is,
then you can sideload whatever you want!!! Beyond that, it's not that hard:
Don't abuse developer-facing tooling & workflows to allow consumers to do
stupid things.

------
summerlight
It would be interesting to see if Apple tries any kind of explicit legal
action to shut it down. But this won't look very pretty to the DoJ, which seeks
more evidence for an ongoing antitrust investigation. I expect them to
silently implement a developer policy to fix "a security hole" without much
explanation. This has always been Apple's way to tighten its control on their
ecosystem and drive out any potential competitors.

------
morpheuskafka
So this is basically an automated version of Cydia Impactor, with a few key
new features: using WiFi Sync instead of USB connection to upload the apps,
which enables automatic resigning without user input, and the ability to use a
single provisioning profile for multiple apps, which bypasses the low app
limit for free developer accounts.

Seems like a very nice job and will likely make Impactor and signing services
like Tuta or AppValley obsolete.

------
nickm12
I'm all for mountain climbers climbing mountains, hackers hacking systems, and
people otherwise doing it "because it's there". But when I read the
developer's blog post, it sounds like he thinks this thing is going to stay
around past the next iOS release. I hope he had fun and learned a lot of good
skills doing this, but it's not something users should expect to be around.

------
writepub
Request to Apple: Just let this slide and see how it plays out.

Remember when you took out SuperBowl ads [1] demonizing authoritarian,
totalitarian megacorps that told you how to think and what to do - YOU are
that company in 2019.

Maybe if you let this alt store be, and monitor its metrics, you'll see that
your users really want cheaper, more full-featured apps that you'd _never_
allow on the app store - like a competing browser engine (Chromium), or JIT
enabled javascript core [2], ...

It may also happen that this alt-store becomes a piracy and malware haven - in
which case, your thesis of totalitarian moderation might win. I'd bet my money
on the former - a thriving alt-store filled with apps Apple is too cowardly to
approve on its main store - like Steam Game Streaming, Chromium Browser, JIT
enabled js/node, ...

[1]: [https://youtu.be/zIE-5hg7FoA](https://youtu.be/zIE-5hg7FoA)

[2]: [http://www.janeasystems.com/blog/node-js-meets-ios/](http://www.janeasystems.com/blog/node-js-meets-ios/)

------
drenvuk
I thought this was abuse as labeled by Apple. What happens in this case is
that the apps in the store typically need to be re-downloaded because the cert
was revoked or something.

Please someone correct me if I'm wrong because I really want this kind of
thing to work.

~~~
Wowfunhappy
You're thinking of misused enterprise certs. This is a bit different. If
users are self-signing, every install has a different certificate. So Apple
can't just revoke one certificate and break everything.

The big catch is, users need to re-sign every seven days...

------
Wowfunhappy
Free Apple IDs have a three app limit. How is this store working around that?

~~~
OkGoDoIt
From the author’s blog post, which goes into more technical details:

“While there’s nothing I could do about this from the iOS device itself, as it
turns out the same underlying iTunes (WiFi) sync infrastructure I’m using
allows you to also install and remove provisioning profiles from devices
(since Xcode also requires this ability to manage profiles for developers).
Before installing an app, I remove all the existing profiles on the device to
make it look to the system like there are no other apps installed, and then
once the app is installed I reinstall all the profiles. It’s very simple, but
it works.”

[http://rileytestut.com/blog/2019/09/25/introducing-altstore/](http://rileytestut.com/blog/2019/09/25/introducing-altstore/)

~~~
Wowfunhappy
Thanks for the link! That sounds like something Apple will likely fix in short
order... :\

------
anais9
Looks like they've already hidden/dropped this from the App Store... That was
fast!

~~~
jakemauer
It was never on the App Store, you have to run the AltStore server on a Mac or
Windows machine with the phone physically plugged in to load the AltStore app
on to the phone. From there you can install apps as long as you’re on the same
WiFi network as the computer running the server.

I’ve been able to install the AltStore app to my phone but nothing else, it
can’t find the server even though we’re on the same network.

------
scumbert
iTunes WiFi sync is going to be deprecated, because iTunes is being
deprecated.

~~~
morpheuskafka
The sync management functions were moved to Finder, they are not going away.

~~~
bronco21016
This is something I’ve been wondering about. Where are they moving to in
Windows? Will I need a hackintosh VM for my WiFi based backups?

------
greatjack613
Let apple try to block this. The anti-trust eagles will swoop in!!!

~~~
jrockway
I think if moderation of the apps you can install on iOS was going to become a
legal issue, we would have already been there. The reality is, if Apple wrongs
you, you can walk into Best Buy or whatever and buy an Android phone.

The smartphone ecosystem is very healthy, there are plenty of opportunities
for everyone to get exactly what they want.

~~~
greggman2
If you buy an Android you can no longer communicate with all your friends using
iMessages. So no, not quite "plenty of opportunities for everyone to get
_exactly_ what they want."

~~~
filleduchaos
That, interestingly enough, is not really a matter of concern for the courts.

