A web-based tool for acquiring and installing iOS apps outside the App Store. Authenticate with your Apple ID, search for apps, acquire licenses, and install IPAs directly to your device.
AssppWeb uses a zero-trust design where the server never sees your Apple credentials. All Apple API communication happens directly in your browser via WebAssembly (libcurl.js with Mbed TLS 1.3). The server only acts as a blind TCP relay (Wisp protocol) and handles IPA compilation from public CDN downloads.
⚠️ Important Security Notice: There are no official Asspp Web instances. Use any public instance at your own risk. While the backend cannot read your encrypted traffic, a malicious host could serve a modified frontend to capture your credentials before encryption. Therefore, do not blindly trust public instances. We strongly recommend self-hosting your own instance or using one provided by a trusted partner. Always verify the SSL certificate and ensure you are connecting to a secure, authentic endpoint.
恳请所有转发项目的博主对自己的受众进行网络安全技术科普。要有哪个不拎清的大头儿子搞出事情来都够我们喝一壶的。
This uses Cloudflare Workers + Containers with the published image ghcr.io/lakr233/assppweb:latest.
Requirements:
- Cloudflare Workers Paid plan (Containers are not available on Free).
- Deploy/build token with:
Workers Scripts EditContainers EditCloudchamber Edit
If your build log fails at Deploy a container application with Unauthorized, your build token is missing required Containers/Cloudchamber permissions.
Click to show Railway deployment instructions
- Go to railway.com/new/image → enter
ghcr.io/lakr233/assppweb:latest - In service Settings, set Healthcheck Path to
/api/settingsand deploy - Right-click the service → Attach volume → mount path:
/data - In Variables, set
DATA_DIR=/dataand deploy - In Settings → Networking, generate a public domain or add a custom domain
Notes
- The free trial works but has limitations (volume expiry, network restrictions). Hobby plan ($5/month) or above is recommended for reliable use.
- Enable Serverless in service settings to scale down to zero during idle periods
- Railway auto-updates
:latestimages from GHCR — new releases will be deployed automatically within a few hours
⚠️ Custom domain with Cloudflare: Railway's Cloudflare integration creates DNS records with Proxy enabled (orange cloud) by default. After authorizing, go to Cloudflare DNS settings and switch the CNAME record to DNS only (gray cloud) — Railway handles TLS automatically. If you keep Cloudflare Proxy on, you must set SSL/TLS mode to Full (not Flexible or Full Strict), otherwise you'll get an infinite redirect loop. See Railway docs.
Click to show manual Docker Compose setup instructions
Setup Docker Compose
curl -O https://raw.githubusercontent.com/Lakr233/AssppWeb/main/compose.yml
docker compose up -dEnvironment Variables
| Variable | Default | Description |
|---|---|---|
PORT |
8080 |
Server listen port |
DATA_DIR |
./data |
Directory for storing compiled IPAs |
PUBLIC_BASE_URL |
(auto-detect) | Public URL for generating install manifests (e.g. https://asspp.example.com) |
UNSAFE_DANGEROUSLY_DISABLE_HTTPS_REDIRECT |
false |
Disable HTTPS redirect (see warning below) |
AUTO_CLEANUP_DAYS |
0 |
Automatically delete cached IPA files older than specified days (0 to disable) |
AUTO_CLEANUP_MAX_MB |
0 |
Automatically delete oldest cached IPA files when size exceeds this MB limit (0 to disable) |
MAX_DOWNLOAD_MB |
0 |
Reject downloads exceeding this size in MB to prevent out-of-memory errors (0 to disable) |
Reverse Proxy (Required for Install Apps on iOS)
iOS requires HTTPS for itms-services:// install links. You must put AssppWeb behind a reverse proxy with a valid TLS certificate.
⚠️ Redirect loop (ERR_TOO_MANY_REDIRECTS)? Some reverse proxies (e.g. NAS built-in proxies) always sendX-Forwarded-Proto: httpeven when the client connected via HTTPS, causing an infinite redirect loop. If you cannot configure your proxy to send the correct header, setUNSAFE_DANGEROUSLY_DISABLE_HTTPS_REDIRECT=trueas a last resort. This disables the HTTP→HTTPS redirect — you must ensure your proxy enforces HTTPS externally.
The following is an example Caddyfile configuration:
asspp.example.com { reverse_proxy 127.0.0.1:8080 }
AssppWeb relies on the Wisp protocol over WebSocket (/wisp/) for its zero-trust architecture. Ensure your reverse proxy or CDN (e.g., Nginx, Cloudflare) is configured to allow WebSocket connections, otherwise the app will fail to communicate with Apple servers.
DDoS Protection
IPA files can be hundreds of megabytes. If your instance is publicly accessible, put it behind a CDN like Cloudflare to absorb bandwidth and prevent abuse.
MIT License. See LICENSE for details.
For projects that was stolen and used heavily:
For friends who helped with testing and feedback: