SideStore Team
What data is being sent to the Anisette server? #1072
-
|
In the Q&A on sidestores website, they say it's non identifiable, but I can't find any information on what data is actually sent. The only answer I could seem to find was that it is for authentication. Thank you! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
Hello! If you go to any of the servers you’ll find JSON data returned to you. (e.g. SideStore’s main server). This data is what is called “anisette” data, and it is required HTTP headers when communicating with Apple. This data’s whole purpose is to prove that your requests are coming from “legitimate” Apple software since it’s derived from an algorithm only Apple has the source code for. Our community discovered a library meant for Android that contains this required algorithm for generating anisette data. Think of anisette data as if it were a fake “Apple device” that can authenticate with and make requests to Apple’s servers. With that being said, SideStore NEVER sends your email or password to our anisette servers, so if a server were to be malicious they would need both your “anisette device” and your email and password to access your account. If you ever fear this is the case please IMMEDIATELY remove the fake anisette device from your account’s trusted device list and please report to us maintainers which server you suspect of being malicious. If you want to host your own you can find software for it here and our official server list here if you wanted your server to be used as an “official” one. Hopefully that clears some stuff up, but if you have any more questions, you can ask them here or in the Discord! |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the detailed answer! It definitely helped clear some of the confusion. So If I understand correctly, a malicious Anisette server would need my Apple Id password and email to do any real damage? But currently they only get access to my Anisette device? The Data being sent to the Anisette server is only used to make apples server accecpt my ipa resign, and that it does from a fake mac (like how xcode can sign an ipa for a week)? |
Beta Was this translation helpful? Give feedback.
-
|
Somewhat correct, the only data sent to anisette servers is just to generate data for your fake device. With anisette data SideStore then sends that with your email/password directly from your iOS device to Apple's servers only for authentication. Once we're authenticated we then use anisette data with your Xcode token to generate and download new profiles and a certificate. Once the signing materials are downloaded, the codesigning occurs fully on your own device, and so does installation of the signed .ipa |
Beta Was this translation helpful? Give feedback.
-
|
Thanks! I appreciate the help. |
Beta Was this translation helpful? Give feedback.
Hello! If you go to any of the servers you’ll find JSON data returned to you. (e.g. SideStore’s main server).
This data is what is called “anisette” data, and it is required HTTP headers when communicating with Apple. This data’s whole purpose is to prove that your requests are coming from “legitimate” Apple software since it’s derived from an algorithm only Apple has the source code for. Our community discovered a library meant for Android that contains this required algorithm for generating anisette data.
Think of anisette data as if it were a fake “Apple device” that can authenticate with and make requests to Apple’s servers. With that being said, SideStore NEVER sends your email or pa…