Apple neglects to secure streaming album previews

Periodically, albums become available for live streaming on iTunes prior to their official release date. The hope is that not only do consumers get a chance to hear the album before buying it, but also that by offering a free and legal way to listen to the album before it’s available, there will be less motivation for eager fans to pirate leaked albums. With unreleased albums from Daft Punk and The National currently streaming on iTunes, 9to5Mac has discovered that the streams are being left completely unprotected, offering an easy way for pirates to get high-quality cuts of the albums before they’re officially released.

With traffic-sniffing tools (such as Charles Proxy or HTTP Scoop), anybody can monitor their own traffic while streaming the album, and the capture shows the URL of the M4P media file being streamed. Using this URL, users can easily save the album to their computer for future listening. While it’s true somebody could also just record the stream from their computer as they listen to it, the recording would lose some of the quality. Downloading the stream directly offers a crisp 256kbps AAC recording. It’s also true that rather than ending up with individual tracks that a listener can easily navigate through, you’re stuck with a single file that contains the whole album. You could split the album up into separate tracks yourself (though first you’d have to get around the DRM), but at that point it would be less effort for most people to just go pirate the album elsewhere. In fact, an illegal download of Daft Punk’s Random Access Memories currently available on a popular torrent site appears to have come from the iTunes M4P stream.

Admittedly, even if the streams were protected, piracy would still be happening. There are some people who just don’t want to pay for music. However, Apple is handing these albums to pirates on a silver platter by offering up unprotected, high-quality streams like this ahead of their release dates. Ironically, Apple has documentation available for developers that covers how to encrypt HTTP audio and video streams to protect against this sort of thing.

Source: 9to5Mac


Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at POSSIBLE Mobile. Writes on about QA & security, and as @noir on Twitter about nothing in particular.


Reader comments

Re: "Using this URL, users can easily save the album to their computer for future listening."

Trivial for true geeks.
Incomprehensible to the vast music-consuming public.
(Whether or not they call themselves geeks.)

1) Trivial for many hs and college age kids who make up a significant chunk of purchases, and who are most likely to seed torrents, where it becomes trivial for a much larger number.

2) You have a low bar for security if you find these non-measures adequate simply because a completely non-technical user would not stumble upon a URL