PromyLOPh / pandora-apidoc

pandora.com API documentation
https://6xq.net/pandora-apidoc/
Do What The F*ck You Want To Public License

Note that playlist audio is XOR encrypted #40

Open hacker1024 opened 3 years ago

hacker1024 commented 3 years ago

I don't have time to write this up properly now, but I will later. Making this issue to record my findings in the meantime, as this isn't documented.

Pandora playlist audio is encrypted with a base64-encoded string, assigned to the key `key` in the response JSON. Audio can be decrypted for testing using this tool.

For reference, Pandora's implementation in their web app can be found in the JavaScript code for the Sirius XM music player, at `webpack:///src/domains/playback/audio/libs/AudioPlayback/harnesses/SXMHarness/SXMAudioPlayer.js` in the browser debugger.

Specifically, this code snippet revealed the secrets:

```js
startLoading: function (url, key) {
    this._url = url;
    this._load = new ProgressiveDownload(url);

    //TODO : IF we have key initiate the XORCipher to decrypt the buffer data usign the key
    if(key)
    {
        this.key = key;
        this._cipher = new XORCipher(Cipher.ALGORITHM.XOR_MASK, ["decrypt"]);
        this._cipher.importKey(key);
    }
},
```

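
An added example, not part of the comment above and not Pandora's code: a chunk-safe XOR unmasking routine for Node.js. It assumes `XOR_MASK` means a repeating-key XOR over the byte stream, keyed by the base64-decoded `key` field; `XorMaskStream`, `unmaskInChunks` and the sample key and data are hypothetical names and constructed values.

```javascript
// Added example (not Pandora's code). Assumption: XOR_MASK is a repeating-key
// XOR over the byte stream, keyed by the base64-decoded `key` field.
function decodeKey(b64Key) {
  const key = Uint8Array.from(Buffer.from(b64Key, "base64"));
  if (key.length === 0) throw new Error("key decoded to zero bytes");
  return key;
}

// Hypothetical helper: keeps the key position between chunks, because a
// progressive download delivers buffers whose sizes ignore the key length.
class XorMaskStream {
  constructor(b64Key) {
    this.key = decodeKey(b64Key);
    this.offset = 0; // total bytes processed so far
  }

  // XOR is its own inverse, so the same call masks and unmasks.
  update(chunk) {
    const out = new Uint8Array(chunk.length);
    for (let i = 0; i < chunk.length; i++) {
      out[i] = chunk[i] ^ this.key[(this.offset + i) % this.key.length];
    }
    this.offset += chunk.length;
    return out;
  }
}

// Unmask `data` as if it arrived in `chunkSize`-byte network buffers.
function unmaskInChunks(data, b64Key, chunkSize) {
  if (!(chunkSize > 0)) throw new RangeError("chunkSize must be positive");
  const stream = new XorMaskStream(b64Key);
  const out = new Uint8Array(data.length);
  for (let pos = 0; pos < data.length; pos += chunkSize) {
    out.set(stream.update(data.subarray(pos, pos + chunkSize)), pos);
  }
  return out;
}

// Constructed sample data: a 10-byte key ("sample-key") and 37 filler bytes.
const SAMPLE_KEY = "c2FtcGxlLWtleQ==";
const samplePlain = Uint8Array.from({ length: 37 }, (_, i) => (i * 7 + 3) & 0xff);
const sampleMasked = new XorMaskStream(SAMPLE_KEY).update(samplePlain);
const sampleUnmasked = unmaskInChunks(sampleMasked, SAMPLE_KEY, 7);
console.log(Buffer.from(sampleUnmasked).equals(Buffer.from(samplePlain)));
```

The 7-byte chunk size is deliberately not a multiple of the 10-byte key, so the output only matches if the key offset carries across chunk boundaries.
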
PromyLOPh commented 3 years ago

This is true for the REST API, right?

hacker1024 commented 3 years ago

Yup. Another thing I've found is that it uses an uncommon m4a codec that's causing trouble on pretty much any platform my app runs on (Android, iOS, and macOS), though VLC can handle it just fine.