A terminal UI and CLI for searching, purchasing, and downloading iOS App Store IPA files. Like ipatool, but rebuilt in Rust and adapted to Apple's current auth flow.
The original Go ipatool and many forks broke after Apple changed authentication endpoints.
ipatool-rs keeps the same practical goal: log in with an Apple ID, search the App Store, obtain free licenses, and download IPA files.
This rewrite adds a keyboard-driven terminal UI, structured Rust models, clearer errors, streaming downloads, and retry/reauth flows for unstable App Store responses.
| Feature | ipatool (Go) | ipatool-rs (this project) |
|---|---|---|
| Apple ID authentication | ❌ Broken since 2024 auth changes | ✅ Works with current endpoints |
| Two-factor authentication | ❌ Broken | ✅ Supported |
| Interactive TUI | ❌ CLI only | ✅ Full keyboard-driven TUI |
| Download progress | ❌ None | ✅ Progress bar + streaming |
| HTTP Range resume | ❌ No | ✅ Yes (CLI mode) |
| Background download queue | ❌ No | ✅ TUI downloads tab |
| Session auto-refresh | ❌ No | ✅ Re-auths on expired token |
| Credential storage | File-based | ✅ OS keychain (macOS/Linux/Windows) |
| Output formats | text | text + JSON |
| Single binary | ✅ | ✅ |
| Windows support | ✅ | ✅ |
- Interactive TUI mode: run
ipatoolto open tabs for Search, Library, Downloads, and Account. - Search-to-download workflow: browse App Store results, inspect app details, purchase free licenses, and queue downloads from one screen.
- Download dashboard: track progress, failures, cancellation, and completed items in the Downloads tab.
- Account management: log in, handle 2FA, view the active account, and revoke stored credentials.
- Resilient sessions: refresh expired tokens during purchase and download flows when stored credentials are available.
- Robust downloads: stream IPA files with progress display and HTTP Range resume support in CLI mode.
- Patch-ready IPAs: inject purchase metadata and SINF authorization data into the downloaded archive.
- Text or JSON output for scripts and automation.
brew install Kosthi/tap/ipatoolcargo install ipatool-rsDownload the latest files from the GitHub Releases page.
The release also includes cargo-dist installer scripts that install the ipatool binary into your Cargo bin directory.
# macOS / Linux
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/Kosthi/ipatool-rs/releases/latest/download/ipatool-installer.sh | sh
# Windows PowerShell
powershell -ExecutionPolicy Bypass -c "irm https://github.com/Kosthi/ipatool-rs/releases/latest/download/ipatool-installer.ps1 | iex"| Platform | Asset | Install |
|---|---|---|
| Windows x64 | ipatool-x86_64-pc-windows-msvc.zip |
Extract and place ipatool.exe on your PATH. |
| macOS Apple Silicon | ipatool-aarch64-apple-darwin.tar.xz |
Extract and place ipatool on your PATH. |
| macOS Intel | ipatool-x86_64-apple-darwin.tar.xz |
Extract and place ipatool on your PATH. |
| Linux x64 | ipatool-x86_64-unknown-linux-gnu.tar.xz |
Extract and place ipatool on your PATH. |
| Linux ARM64 | ipatool-aarch64-unknown-linux-gnu.tar.xz |
Extract and place ipatool on your PATH. |
Each release also includes per-asset .sha256 files and a unified sha256.sum.
git clone https://github.com/Kosthi/ipatool-rs.git
cd ipatool-rs
cargo build --release
# Binary at target/release/ipatoolLaunch the TUI by running ipatool without a subcommand.
ipatoolThe UI is built with ratatui and crossterm. It provides a fast keyboard workflow for login, search, purchase, download progress, and cancellation.
Log in with your Apple ID. Two-factor authentication is supported.
# Interactive login (prompts for a 2FA code if Apple requires one)
ipatool auth login --email your@apple.id --password 'password'
# With 2FA code
ipatool auth login --email your@apple.id --password 'password' --auth-code 123456
# Show current account
ipatool auth info
# Log out and clear credentials
ipatool auth revokeSearch for apps on the App Store.
ipatool search "WeChat" --limit 10
ipatool search "Telegram" --limit 5 --country USObtain a free license for an app.
ipatool purchase -b com.tencent.xinDownload an IPA file. Use --purchase to automatically obtain the license before downloading.
By default, the IPA is saved in the current working directory as {bundle_id}_{app_id}_{version}.ipa.
Use -o to choose a different output path.
# Download with auto-purchase
ipatool download -b com.tencent.xin --purchase
# Specify output path
ipatool download -b com.tencent.xin --purchase -o ~/Downloads/wechat.ipa
# Download by app ID
ipatool download -i 414478124 --purchase
# Download a specific version
ipatool download -b com.tencent.xin --version-id 12345List available versions and retrieve version metadata.
# List all versions
ipatool version list -b com.tencent.xin
# Get metadata for a specific version
ipatool version meta -b com.tencent.xin --version-id 12345--format <text|json> Output format (default: text)
--verbose Enable debug logging
--non-interactive Disable interactive prompts
Global
| Key | Action |
|---|---|
q / Ctrl+C |
Quit |
Tab / Shift+Tab |
Switch tabs |
1-4 |
Jump to a tab |
j/k or Up/Down |
Navigate the current list |
Esc |
Cancel input or close a popup |
Search tab
| Key | Action |
|---|---|
/ / s |
Focus the search input |
Enter |
Run search |
d |
Download selected app |
p |
Purchase selected app |
Downloads tab
| Key | Action |
|---|---|
x |
Cancel selected download |
c |
Clear finished downloads |
Account tab
| Key | Action |
|---|---|
l |
Log in |
r |
Revoke stored credentials |
ipatool-rs/
|-- Cargo.toml # Workspace root
|-- media/ # README logo and demo assets
`-- crates/
|-- ipatool-core/ # Core library
| `-- src/
| |-- api/ # Apple API endpoints
| |-- client/ # HTTP client, plist parser, cookie jar
| |-- model/ # Account, App, Platform, StoreFront types
| |-- ipa/ # IPA patching
| |-- error.rs # Error hierarchy
| |-- credential.rs # Keychain storage
| `-- guid.rs # Device GUID generation
`-- ipatool-cli/ # CLI binary
`-- src/
|-- main.rs # Entry point and clap parsing
|-- output.rs # Text/JSON formatters
|-- tui/ # Interactive terminal UI
`-- commands/ # Subcommand handlers
-
Auth - Posts credentials to Apple's native auth endpoint using the legacy MZFinance protocol. Handles 2FA, redirects, retry logic, keychain storage, and cookies.
-
Search/Lookup - Queries the public iTunes Search API for app metadata and storefront-specific results.
-
Purchase - Sends a buy request to
buy.itunes.apple.comwith STDQ pricing and falls back to GAME for Apple Arcade-style responses. -
Download - Fetches the download URL and DRM data from Apple's
volumeStoreDownloadProductendpoint, then streams the IPA. -
Patch - Rebuilds the ZIP, injecting
iTunesMetadata.plistand SINF files so the IPA can be installed on an authorized device. -
TUI - Wraps the same core APIs in an async ratatui/crossterm interface with background tasks for search, login, purchase, and downloads.
Is my Apple ID password stored on disk?
No. After a successful login, ipatool-rs stores only a password_token (a session token issued by Apple) plus non-sensitive account metadata. The token is saved in the OS keychain — macOS Keychain, libsecret on Linux, or Windows Credential Manager — not in a plain-text file. Your actual password is never persisted.
Why does ipatool-rs store the password at all for re-authentication?
Some Apple Store operations (e.g. re-purchasing after a session expiry) require a full re-login, not just a token refresh. If you logged in interactively, ipatool-rs will prompt you again rather than storing the plain-text password. The password field in the keychain entry is only populated when you explicitly provide it via --password on the CLI, so re-auth can happen unattended in scripts.
Does this violate Apple's Terms of Service?
Downloading apps you have legitimately purchased or obtained a free license for is the same as using the App Store. This tool does not bypass DRM or enable piracy — downloaded IPAs still contain your account's DRM data and will only install on devices authorized under your Apple ID. Review Apple's terms for your specific use case.
The original ipatool stopped working — is this a drop-in replacement?
The CLI commands are intentionally similar, but not identical. The main differences are: auth login instead of ipatool auth, the addition of --purchase on download, and the new TUI mode. See the Usage section above for the full reference.
I'm getting a 2FA prompt every time I run a command.
This usually means the stored token has expired and Apple is requiring a fresh login. Run ipatool auth login again. If you're running in a script, use --non-interactive and ensure your session is fresh before the run.
Which countries/storefronts are supported?
All storefronts supported by the iTunes Search API. Use --country <ISO-3166-1-alpha-2> (e.g. --country US, --country CN) to target a specific store.