Avoid using Mail.app plugin for accessing required APIs #240
Description
Disclaimer: I didn't know about openhaystack project and came here with a strange trajectory, so sorry for my ignorance if I'm talking nonsense. Yet, the problem is the same -- use Apple item locations network to track non-Apple certified devices, so here is the idea.
In the README you say
The OpenHaystack application requires a custom plugin for Apple Mail. It is used to download location reports from Apple's servers via a private API (technical explanation: the plugin inherits Apple Mail's entitlements required to use this API). Therefore, the installation procedure is slightly different and requires you to temporarily disable Gatekeeper.
However, as I mentioned I came here from this repository: https://github.com/MatthewKuKanich/FindMyFlipper/tree/main/AirTagGeneration
It does pretty much the same as your project, it's just not that polished. So what I did:
- Generate a key pair
- Used app on my Flipper Zero to broadcast BLE beacons using this key, when I went for a walk
- Registered a blank Apple ID (N.B. this wasn't an account used on any of my Apply devices at this moment, so I guess you just need any account)
- Used scripts in the aforementioned repo to get locations history for the past few hours and it worked flawlessly
I've spent a couple of hours reading the code, and from what I've got, in 4. it does the following:
- Uses this project https://github.com/Dadoum/anisette-v3-server to generate some random, but specific device IDs
- Uses Apple ID credentials to auth in icloud
- Then uses
https://gateway.icloud.com/acsnservice/fetchwith auth info to finally get coordinates
I hope I didn't miss something, while reading the sources and didn't leak any sensitive info, when I was experimenting with it :) But it looks like it just works and doesn't require any complicated Mail.app patching.
What do you think about adopting the same approach openhaystack? It'd simplify installation and potentially allow it's usage on non-macOS devices (not sure).