I checked an access log of web server. The itunesstored application asked TWICE. (HEAD and GET)
10.0.2.2 - - [06/Feb/2014:14:50:48 +0900] "HEAD /test/app/app.ipa HTTP/1.1" 401 - "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
10.0.2.2 - test [06/Feb/2014:14:51:03 +0900] "HEAD /test/app/app.ipa HTTP/1.1" 200 - "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
10.0.2.2 - - [06/Feb/2014:14:51:04 +0900] "GET /test/app/app.ipa HTTP/1.1" 401 539 "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
10.0.2.2 - test [06/Feb/2014:14:51:09 +0900] "GET /test/app/app.ipa HTTP/1.1" 200 4066787 "-" "itunesstored/1.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"
So, I changed a setting of web server to ignore basic auth when it requets HEAD.
BEFORE:
<Directory "/Library/WebServer/Documents/test/app/">
AuthType Basic
AuthName "BASIC AUTH"
AuthUserFile "/etc/apache2/htpasswd"
Require valid-user
</Directory>
AFTER:
SetEnvIf Request_Method HEAD headreq
<Directory "/Library/WebServer/Documents/test/app/">
Order Allow,Deny
Allow from env=headreq
AuthType Basic
AuthName "BASIC AUTH"
AuthUserFile "/etc/apache2/htpasswd"
Require valid-user
Satisfy Any
</Directory>
After that, The itunesstored application asked only ONCE. (only GET).