Crawling AppStore

Jan Seredynski | 02 MAR 2021

Automated app download and installation from the AppStore is essential in mobile research, but currently there is no tool that handles it on Apple's platform. The last working crawler, DiOS, stopped working on iOS 12, when Apple removed the Automator framework that was used to confirm installation prompts (the Installation button on the screen below). In this article, I will show you how to replace the Automator and automate your downloads.

DiOS under the hood

This section explains briefly how DiOS initiates the download process remotely on an iPhone. You can skip it if you are here just for a work-around for the Automator framework.

The download process starts at the StoreServices framework, which is already loaded inside the SpringBoard process, so the easiest approach is to hook in there and invoke all the StoreServices functions you need. There are 2 classes that perform the whole download process: SSPurchase and SSPurchaseRequest.

  • SSPurchase describes the parameters needed to identify the app, such as the bundle-id, and a PersonID, which is a unique identifier for each AppleID account. It can be found with SSAccount.uniqueIdentifier.
    // account is the SSAccount of the AppleID used for the download
    SSPurchase *purchase = [[SSPurchase alloc] init];
    [purchase setAccountIdentifier:account.uniqueIdentifier];
    [purchase setBuyParameters:appParams]; // Properties describing the app from AppStore
  • Once the SSPurchase is fully initialised, it is passed over to SSPurchaseRequest, which starts the download process.
    SSPurchaseRequest *purchaseReq = [[SSPurchaseRequest alloc] initWithPurchases:@[purchase]];
    [purchaseReq start];

    You don’t need to be inside the AppStore app to start the download. Just run it at any convenient moment. [purchaseReq start] is an asynchronous function. It returns a boolean indicating whether the app will be installed or not, but doesn’t let us know when the app finishes the installation. You can subscribe to SBInstalledApplicationsDidChangeNotification of [NSNotificationCenter defaultCenter] to check on the status of the installation.
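
One way to implement the notification subscription described above, as an added example that is not part of the original article or of DiOS. WaitForInstall is a hypothetical helper; it assumes ARC, that the notification's string value equals the constant's name, and it uses the private LSApplicationWorkspace class (not mentioned in the article) to check whether the bundle is installed.

```objective-c
// Added example, not from the article. Build with ARC (-fobjc-arc).
#import <Foundation/Foundation.h>

// Private LaunchServices class with no public header; declared here by hand.
@interface LSApplicationWorkspace : NSObject
+ (instancetype)defaultWorkspace;
- (BOOL)applicationIsInstalled:(NSString *)bundleID;
@end

// Assumption: the notification's string value equals the constant's name.
static NSString *const kAppsChanged = @"SBInstalledApplicationsDidChangeNotification";

// Hypothetical helper. Calls `done` exactly once on the main queue: YES when
// `bundleID` shows up as installed, NO if it is still missing after `timeout`.
static void WaitForInstall(NSString *bundleID, NSTimeInterval timeout,
                           void (^done)(BOOL installed)) {
  NSNotificationCenter *nc = [NSNotificationCenter defaultCenter];
  BOOL (^isInstalled)(void) = ^BOOL {
    return [[LSApplicationWorkspace defaultWorkspace] applicationIsInstalled:bundleID];
  };
  __block id token = nil;
  __block BOOL finished = NO;

  void (^finish)(BOOL) = ^(BOOL installed) {
    if (finished) return;          // observer and timeout may both fire
    finished = YES;
    [nc removeObserver:token];
    token = nil;                   // break the token <-> block retain cycle
    done(installed);
  };

  // We do not rely on the notification's userInfo; re-check our own
  // bundle id each time the notification fires.
  token = [nc addObserverForName:kAppsChanged
                          object:nil
                           queue:[NSOperationQueue mainQueue]
                      usingBlock:^(NSNotification *note) {
    if (isInstalled()) finish(YES);
  }];

  // Without a timeout, a purchase that never installs would wait forever.
  dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(timeout * NSEC_PER_SEC)),
                 dispatch_get_main_queue(), ^{ finish(isInstalled()); });
}
```

Call WaitForInstall before [purchaseReq start], from the same process that receives the notification, so a fast install is not missed.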

A fix for the installation pop-up

iOS 12 introduced an additional confirmation pop-up for each installation of a new app. DiOS can’t get through it.

[Screenshot: Install app]

After some reverse engineering of the pop-up, I found that it doesn’t originate from SpringBoard but rather from the Wallet app! Therefore, we need to hook into the Wallet app with Frida or a Cydia Tweak and confirm the installation there.

I decided to go with a Cydia Tweak this time and dismiss the pop-up by invoking _payWithPasscodePressed on the authorization pop-up when it appears. The tweak implementation is shown below.

// Tweak.x
#import <PassKitUI/PKPaymentAuthorizationFooterView.h>
%hook PKPaymentAuthorizationFooterView
- (void)didMoveToSuperview {
  %orig;
  [self _payWithPasscodePressed];
  NSLog(@"bypass _payWithPasscodePressed");
}
%end;

To limit which programs are affected by the tweak, I created a filter plist file for Cydia.

// TweakConfig.plist
{ Filter = { Bundles = ( "com.apple.PassbookUIService" ); }; }