Analyzing the "Pookie Tools" app
Posted on March 17, 2025
So, uhh, the first actual blog post on here, hi! After seeing a YouTube video about that app, I decided to do a little investigation myself, since I do not believe that the person behind one of the cringiest memes in existence can actually make a good app. Or any app, for that matter.
“Well, let’s begin”, I said, as I opened Aurora Store on my phone and typed “Pookie Tools” into the search bar. And of course, I got no results, because the app is iOS-only. Who even makes iOS-only apps? That’s a total misplay!
Checking the App Store page revealed that the app was made by Vego Pictures L.L.C..
A quick DuckDuckGo search showed that their vegopictures.com website had expired and was originally hosted on Squarespace.
A tech company with a broken website hosted on a website builder? Seems like a red flag to me.
The only other app developed by them is Ultimate AI, which looks like yet another UI for the OpenAI API. To be perfectly honest, even this app seems like a UI for the OpenAI API (foreshadowing????).
Anyway, since I don’t have an Apple device, I had to visit some of the sketchiest websites known to mankind to obtain the .ipa file, which is just a glorified normal .zip archive.
But in the end, I managed to get it.
First, a disclaimer. This is my first time working with iOS apps (I usually deal with Android), so someone way more professional, like Bryce Bostwick, could probably do what I did in two minutes, with their eyes closed, and in a much less barbaric way.
Alright, we’re in. Let’s start with something simple to test the waters.
[/tmp/garbage] $ strings Payload/Runner.app/Frameworks/App.framework/App | rg -i openaihttps://api.openai.com/v1https://api.openai.com/v1/GOTTEM. I was right, the app is a mere wrapper for OpenAI API. As you’re reading this, I’m probably using the API key stolen from them to make AI play Inscryption. That’s the price they should pay for not bothering to build a proper backend (and for being affiliated with one of the cringiest memes in existence).
They’re actually very lucky that the app is iOS-only and no one gives a fuck about it. Otherwise, the API key would’ve been stolen the day they released it.
Next, I wanted to extract the prompts. Searching for a few obvious keywords revealed a single prompt, but it was the only one I could find. Most likely, the rest of the prompts are loaded from a remote server, and judging by how easy it was to find OpenAI references, I assume the other URLs are also not obfuscated.
Here’s the list of everything that matched the https?:// regex (with irrelevant entries removed):
https://sites.google.com/view/pookie-ai/privacy-policyhttps://development.make-ai-apps.com/api/v2/categorieshttps://sites.google.com/view/pookie-ai/contact-ushttps://development.make-ai-apps.com/api/v2/sub-categorieshttps://api-test.make-ai-apps.com/api/counterhttps://sites.google.com/view/pookie-ai/terms-and-conditionshttps://development.make-ai-apps.comhttps://development.make-ai-apps.com/api/v2/assistant-app?app=Pookie&sort=rank:ascFirst of all, they were too lazy to go to Squarespace this time and instead made their website on Google Sites. Yikes.
Second, we see the development.make-ai-apps.com domain with some interesting API endpoints.
Visiting the root domain just returns an empty 200 response, while visiting the root of the development subdomain reveals it’s powered by Strapi.
From what I can tell, there’s no proper way to enumerate endpoints in Strapi, and the only interesting thing good ol’ dirb could find was a password-protected /admin. So, the endpoints found in the app are the only ones we have.
/api/v2/categories returns a basic JSON list containing name, id, rank, and creation/update/publish dates for categories such as Writing, Content, and Dating.
These categories are exactly the same as in the Ultimate AI app.
Presumably, the API is shared between the two apps./api/v2/sub-categories returns a list of AIs such as Book Suggestor or Apology Writer, along with their prompts.
Each AI has an App property, and while most are set to null, some are actually "Ultimate AI" or "Pookie".
Yeah, the API is shared between the two apps./api/v2/assistant-app?app=Pookie is our target since it returns info in the same format as the previous endpoint but filtered to only include AIs from the "Pookie" app.
Notably, a few AIs from the previous endpoint are still here, like Roast Me! and the infamous Height Detector (which, according to the prompts, mostly just guesses randomly).If, for some reason, you want to see the terrible prompt engineering behind this app, feel free to go to the last URL yourself and grab all the data you want before the company goes bankrupt.
Time to release a free, libre, open-source Android port of this app! /j
At the beginning of the post I actually thought app was free to use with additional features in premium subscription, but no. App simply doesn’t work unless you pay for weekly ($5/$7) or annual ($40/$50) subscription. What a ripoff!
But seriously, why would anyone pay for it? Simply going to https://chatgpt.com and typing a prompt does exactly what this app does, except it’s not iOS-only, actually free, and you can actually change the prompt if you want. Or, if you have some spare money, pay $5+ for an actual OpenAI API and get couple millions of tokens (that will probably be enough for couple of months).
But actually, why would anyone do this at all, regardless of the “client” used? Isn’t the whole purpose of “dating” to find someone you love? YOU, not some soulless program spitting out random-ish responses. Do people who use AI for dating really expect something decent from it, if they don’t even have enough respect to give human responses to their potential partner?
Or maybe I just don’t understand something. I’m ace, after all. XD
Thanks for reading and see ya next time in (hopefully more professional) OpenAI API key stealing reverse engineering posts!
If I suddenly disappear after writing this post, you know which limited liability company to blame.