@NFTCPS: 苹果那套 App Store 审核终于能绕过去了? 这工具直接把 iOS 应用装进设备,不用过商店,不用等审核。 会折腾的自己看: https://github.com/Lakr233/AssppWeb…

X AI KOLs Timeline 工具

摘要

介绍了一个名为AssppWeb的Web工具,允许用户绕过App Store直接将iOS应用安装到设备上,采用零信任架构,用户凭据仅在浏览器中处理。

苹果那套 App Store 审核终于能绕过去了? 这工具直接把 iOS 应用装进设备,不用过商店,不用等审核。 会折腾的自己看: 🔗 https://t.co/A5VvzrMPGF https://t.co/05d9wuI6Zz
查看原文
查看缓存全文

缓存时间: 2026/06/26 22:16

苹果那套 App Store 审核终于能绕过去了?

这工具直接把 iOS 应用装进设备,不用过商店,不用等审核。

会折腾的自己看:

🔗 https://t.co/A5VvzrMPGF https://t.co/05d9wuI6Zz


Lakr233/AssppWeb

Source: https://github.com/Lakr233/AssppWeb

AssppWeb

A web-based tool for acquiring and installing iOS apps outside the App Store. Authenticate with your Apple ID, search for apps, acquire licenses, and install IPAs directly to your device.

preview

Zero-Trust Architecture

AssppWeb uses a zero-trust design where the server never sees your Apple credentials. All Apple API communication happens directly in your browser via WebAssembly (libcurl.js with Mbed TLS 1.3). The server only acts as a blind TCP relay (Wisp protocol) and handles IPA compilation from public CDN downloads.

⚠️ Important Security Notice: There are no official Asspp Web instances. Use any public instance at your own risk. While the backend cannot read your encrypted traffic, a malicious host could serve a modified frontend to capture your credentials before encryption. Therefore, do not blindly trust public instances. We strongly recommend self-hosting your own instance or using one provided by a trusted partner. Always verify the SSL certificate and ensure you are connecting to a secure, authentic endpoint.

恳请所有转发项目的博主对自己的受众进行网络安全技术科普。要有哪个不拎清的大头儿子搞出事情来都够我们喝一壶的。

Quick Start

Deploy to Cloudflare

Deploy to Cloudflare

This uses Cloudflare Workers + Containers with the published image ghcr.io/lakr233/assppweb:latest.

Requirements:

  • Cloudflare Workers Paid plan (Containers are not available on Free).
  • Deploy/build token with:
    • Workers Scripts Edit
    • Containers Edit
    • Cloudchamber Edit

If your build log fails at Deploy a container application with Unauthorized, your build token is missing required Containers/Cloudchamber permissions.

Deploy to Railway

Click to show Railway deployment instructions
  1. Go to railway.com/new/image → enter ghcr.io/lakr233/assppweb:latest
  2. In service Settings, set Healthcheck Path to /api/settings and deploy
  3. Right-click the service → Attach volume → mount path: /data
  4. In Variables, set DATA_DIR = /data and deploy
  5. In SettingsNetworking, generate a public domain or add a custom domain

Notes

  • The free trial works but has limitations (volume expiry, network restrictions). Hobby plan ($5/month) or above is recommended for reliable use.
  • Enable Serverless in service settings to scale down to zero during idle periods
  • Railway auto-updates :latest images from GHCR — new releases will be deployed automatically within a few hours

⚠️ Custom domain with Cloudflare: Railway’s Cloudflare integration creates DNS records with Proxy enabled (orange cloud) by default. After authorizing, go to Cloudflare DNS settings and switch the CNAME record to DNS only (gray cloud) — Railway handles TLS automatically. If you keep Cloudflare Proxy on, you must set SSL/TLS mode to Full (not Flexible or Full Strict), otherwise you’ll get an infinite redirect loop. See Railway docs.

Self-Host with Docker Compose

Click to show manual Docker Compose setup instructions

Setup Docker Compose

curl -O https://raw.githubusercontent.com/Lakr233/AssppWeb/main/compose.yml
docker compose up -d

Environment Variables

VariableDefaultDescription
PORT8080Server listen port
DATA_DIR./dataDirectory for storing compiled IPAs
PUBLIC_BASE_URL(auto-detect)Public URL for generating install manifests (e.g. https://asspp.example.com)
UNSAFE_DANGEROUSLY_DISABLE_HTTPS_REDIRECTfalseDisable HTTPS redirect (see warning below)
AUTO_CLEANUP_DAYS0Automatically delete cached IPA files older than specified days (0 to disable)
AUTO_CLEANUP_MAX_MB0Automatically delete oldest cached IPA files when size exceeds this MB limit (0 to disable)
MAX_DOWNLOAD_MB0Reject downloads exceeding this size in MB to prevent out-of-memory errors (0 to disable)
DOWNLOAD_THREADS8Number of parallel threads for IPA downloads (1–32)
ACCESS_PASSWORD(none)Require a password to access the web UI and API (empty to disable)

Reverse Proxy (Required for Install Apps on iOS)

iOS requires HTTPS for itms-services:// install links. You must put AssppWeb behind a reverse proxy with a valid TLS certificate.

⚠️ Redirect loop (ERR_TOO_MANY_REDIRECTS)? Some reverse proxies (e.g. NAS built-in proxies) always send X-Forwarded-Proto: http even when the client connected via HTTPS, causing an infinite redirect loop. If you cannot configure your proxy to send the correct header, set UNSAFE_DANGEROUSLY_DISABLE_HTTPS_REDIRECT=true as a last resort. This disables the HTTP→HTTPS redirect — you must ensure your proxy enforces HTTPS externally.

The following is an example Caddyfile configuration:

asspp.example.com { reverse_proxy 127.0.0.1:8080 }

⚠️ Make Sure WebSocket Works

AssppWeb relies on the Wisp protocol over WebSocket (/wisp/) for its zero-trust architecture. Ensure your reverse proxy or CDN (e.g., Nginx, Cloudflare) is configured to allow WebSocket connections, otherwise the app will fail to communicate with Apple servers.

Security Recommendations

DDoS Protection

IPA files can be hundreds of megabytes. If your instance is publicly accessible, put it behind a CDN like Cloudflare to absorb bandwidth and prevent abuse.

License

MIT License. See LICENSE for details.

🥰 Acknowledgments

For projects that was stolen and used heavily:

For friends who helped with testing and feedback:

相似文章

@CycleDecoded: 苹果引以为傲的 App Store “护城河”,居然被开源社区用一种极为硬核的方式直接给“偷家”了。 以往在 iOS 上想绕过商店装应用,要么得忍受签名证书随时过期的痛苦,要么得指望极为罕见的系统漏洞。但近期爆火的开源项目 AssppWe…

X AI KOLs Timeline

AssppWeb 是一个开源项目,利用 WebAssembly 在浏览器中模拟 Apple ID 认证,允许用户绕过 App Store 直接在 iOS 设备上安装正版应用,采用了零信任架构保护凭证安全。

@XAMTO_AI: iPhone 用户又多一个省心选择,不用越狱也无需签名安装,就能直接在设备上跑 iOS 应用,这个叫 LiveContainer 的工具完全开源。 以往装个软件要折腾证书、反复签名,它把这些冗余步骤全给绕过去了。未来能不能成为主流不好预测…

X AI KOLs Timeline

LiveContainer 是一个完全开源的 iOS 应用启动器,无需越狱或签名即可直接在设备上运行应用,绕过证书和签名步骤,为 iPhone 用户提供更省心的安装方式。