Apple Store code leak and Reddit amateurs
The Apple App Store’s source code was leaked a couple of days ago. However, some people don’t consider this a leak at all, since it was frontend code that leaked, and they brushed it off as no big deal.
Today, I will tell you exactly why I think - and I’m sure of it - that it is a big deal.
On the 3rd of November, a Reddit user rxliuli shared the following post on the
“App Store web has exposed all its source code. The app store appears to be rebuilt using Svelte, but they forgot to remove the sourcemap configuration in production, resulting in the complete exposure of the source code.”
The user downloaded the code and uploaded it to their own GitHub repository.
The reception wasn’t so great. He was bashed and mocked just for sharing a cool thing he had found. Keep in mind that the following comments were at the top, heavily upvoted.
I’ve had this argument so many times with inexperienced frontend developers. This is not "exposing" their source code.
It is. It's literally the code that gets transpiled later. Hence, source code. This is ridiculous.
While yes, it may not be minified and it’s slightly more human readable, it’s not exposing any additional logic. Remember, obfuscation is not security.
Frontend code. Not really that big of a deal and not all of it’s[sic] source code.
bro thinks they found a goldmine here
yep, the author sounds like the type of developer that encodes api keys in base64 in his android / ios app and thinks that he is safe
maybe it's not on accident
foreshadowing …?
This is honestly not a big deal. It's not even a little deal.
If I’m not mistaken, the way modern browsers work is that a host sends all (frontend) code to the user, and all that code runs in the client-side browser. So you will be able to see all the code regardless. This is why you never store credentials in frontend code, because it's meant to be readable by others.
This reeks of "I just learned all of this and want to tell the world, but I don't really understand what the discussion is about". No experienced developer would ever think this is worth to mention.
I could gather more of these, but you get the idea. This alone shows, once again, that Reddit is full of amateurs: amateurs who either don’t realize what sourcemaps actually contain, or don’t realize how aggressively companies such as Apple minify and obfuscate their production bundles, or whatever - and who are smug about it.
Let’s explain what really got leaked.
What the sourcemap let us see was, of course, the entire source code, but there is more to it. A sourcemap records the original path of every file that went into the bundle and, when the build embeds `sourcesContent`, the original text of each of those files. So we could look at their entire file structure (where every folder was placed and what it was named), the internal libraries they use, the developer comments (the code was very extensively documented, everything explained very nicely), and probably more I can’t think of right now.
This literally lets you peek into the developers’ minds and see how they organise their code, what exact algorithms they use, how they communicate - none of this would be possible without the sourcemap. Unminifying (pretty-printing) the bundle wouldn’t let you see even 1% of this: minification throws away file boundaries, original identifiers and every comment, and none of that can be recovered from the output alone.
This is exactly why I concluded that Redditors don’t really know what sourcemaps are.
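To make concrete what the two paragraphs above describe, here is an added example (my own illustration, not code from the original post and not Apple’s code) that takes a production bundle, follows its `sourceMappingURL` directive and lists what the map hands over: the original file paths (hence the directory layout), how many original files are embedded verbatim, and the developer comments inside them. The bundle and the sourcemap are constructed for this example; the file names and comments are invented and only stand in for what a real map would contain.

```javascript
// Added example: what a shipped sourcemap gives away.
// A sourcemap is plain JSON. "sources" is the list of original file paths
// (i.e. the project tree) and "sourcesContent", when present, is the
// verbatim original source of each file, comments and all.
// BUNDLE and SOURCEMAP below are constructed for this example.

const BUNDLE = `var a=(t)=>t.filter(e=>e.ok);export{a as filterReady};
//# sourceMappingURL=app.js.map`;

const SOURCEMAP = JSON.stringify({
  version: 3,
  file: "app.js",
  sources: [
    "../src/lib/internal/RankingClient.svelte", // invented path
    "../src/lib/internal/filterReady.ts",       // invented path
  ],
  sourcesContent: [
    "<script>\n  // TODO: remove legacy ranking endpoint after migration\n  import { filterReady } from './filterReady';\n</script>",
    "// Drops entries the store backend marked unavailable.\n// Called by the ranking client before render.\nexport const filterReady = (items) => items.filter(e => e.ok);\n",
  ],
  names: [],
  mappings: "AAAA",
});

// Finds the sourceMappingURL directive that the browser's devtools (and
// anyone else who fetches the bundle) will follow. Returns null if absent,
// which is what you want to see on your own production build.
function findSourceMappingURL(bundle) {
  const m = bundle.match(/\/\/[#@]\s*sourceMappingURL=(\S+)/);
  return m ? m[1] : null;
}

// Summarises what a map exposes: file list, directory tree, how many
// original files are embedded, and every line comment in them.
function summarizeSourceMap(mapJson) {
  const map = JSON.parse(mapJson);
  const sources = map.sources || [];
  const contents = map.sourcesContent || [];
  const directories = [...new Set(
    sources.map((s) => s.split("/").slice(0, -1).join("/"))
  )];
  const commentLines = contents
    .flatMap((src) => src.split("\n"))
    .filter((line) => /^\s*\/\//.test(line));
  return {
    files: sources,
    directories,
    embeddedSources: contents.length,
    commentLines,
  };
}

// Stand-alone run: in a real audit you would fetch the URL returned by
// findSourceMappingURL relative to the bundle instead of using SOURCEMAP.
console.log("map referenced as:", findSourceMappingURL(BUNDLE));
console.log(summarizeSourceMap(SOURCEMAP));
```

The check to run against your own deployment is the first function: grep every shipped `.js` file for `sourceMappingURL` and make sure nothing matches (and that no `.map` files are served next to the bundles). In Vite-based builds, which SvelteKit uses, the `build.sourcemap` option controls this; `false` (the default) emits no maps and `'hidden'` emits them without the directive, which still leaks if the `.map` files are deployed.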
Let’s get back to this comment:
If I’m not mistaken, the way modern browsers work is that a host sends all (frontend) code to the user, and all that code runs in the client-side browser. So you will be able to see all the code regardless
This is true. However, the code that executes does not have to be readable, and usually isn’t. What the browser executes is a minified, obfuscated mess that no human can read comfortably. Reverse engineering it recovers only a fraction of what the sourcemap handed over, as explained above.
And you know what? Apple seems to think the same way I do.
They removed the sourcemap, and then they filed a DMCA takedown request.
The repository was taken down, and every fork of it as well.
However, people still didn’t get this.
The credit should go to OP, not for a valuable reminder about security, but to remind to not distribute code (or any other IP) that you don’t have rights to.
Okay? What does a DMCA change? Them shipping the sourcemaps is not a big deal. That doesn’t mean you can just take it and make forks without an appropriate licence.
I’m not sure what a DMCA takedown has to do with the rest of the conversation. Are you making the argument that they took down these repos because they exposed secrets or something sensitive?
Can you read? I don’t think this indicates that at all.
Conclusion?
Is there any to be had? I don’t know. Don’t trust Reddit with anything. These people are here to learn, but are also very eager to teach and bash others. I will probably add more to this article as more stuff comes to mind.
Postscript
I don’t want to try to awkwardly fit this into the rest of the article so I’ll leave this here:
The reactions to this on Hacker News were vastly different. Nobody assumed they were all-knowing; people asked “is this really important?” instead of outright claiming “this is not important” with pride. While Hacker News has its issues, it looks like Reddit just houses more idiots.