
Avoid security risks with iTunes Connect scraping services

AppFigures and App Annie are very useful to iOS and Mac app developers: they automatically fetch, store, and graph sales reports from Apple so we don’t need to keep logging into iTunes Connect. And both can send you an email every morning with the previous day’s sales data, which is both incredibly useful (“Wow, that Talk Show sponsorship caused a lot of sales!”) and incredibly stressful (“Why were yesterday’s sales lower than usual?”). You can also get a lot of this functionality in a native app, minus the daily emails, with AppViz on your Mac.[1]

But since iTunes Connect doesn’t have an API, all of these reporting tools need you to give them your developer Apple ID and its password, and they need to store it forever in their databases. This has two major downsides:

  1. It’s a very large security risk. Your developer Apple ID can change anything about your apps or remove them from sale, or reroute the sales money to another account. If it’s your personal Apple ID, it can also make purchases, and can even log into iCloud and fetch all of your contacts and calendars. And more.
  2. Occasionally, as I found out this morning, a bug or badly behaved coincidence in one of these apps or services can cause your Apple ID to be locked out and force you to change its password, which is inconvenient.

Fortunately, you can avoid both risks, for the most part, by creating an additional user in iTunes Connect that only has access to sales reports.

Select the “Sales” role for the new user, generate a nice random password, and give that user’s credentials to these services.

That way, the worst that can happen to you if one of these services is compromised is that your sales data might become public, which might be awkward, but wouldn’t be as potentially destructive.

  1. I’m sorry if I didn’t mention your favorite app or service for this. I know there are more than the ones I’ve mentioned.