Yijing Liu, Yiming Zhang, Baojun Liu, and Haixin Duan, Tsinghua University and BNRist
Apple enforces strict code signing and mandates app distribution through its official App Store. Nonetheless, unauthorized apps still spread through sideloading channels. The Ad Hoc provisioning mechanism, originally designed for developer testing, has emerged as one such channel. It leverages individual developer certificates and user-side signing to enable unauthorized app installations that bypass Apple's app review process. Over time, this practice has evolved into a structured and prevalent gray-market that connects certificate resale, third-party signing tools, and the distribution of unsigned .ipa files. In this work, we present the first systematic study of this market, with a specific focus on its integrated service operations in China. Through a user-centric data collection strategy, we identified 3,359 active signing sites for certificate redemption, reverse engineered 12 signing tools, and obtained 8,216 distributed .ipa entries. Our analyses uncover a multi-layered certificate circulation model with resale margins up to 3,000% and reveal common tricks that signing tools employ for code signing. Most distributed apps are modified versions of legitimate ones, which leverage dynamic library injection to enable customized features. Such modifications undermine the security protections that both apps and the system provide to users, exposing them to risks such as unauthorized actions, sensitive data exfiltration, and system capability exploitation. Overall, our findings reveal a mature gray-market that erodes iOS's trust model while operating in plain sight, underscoring the need for targeted interventions from multiple stakeholders.
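As an added example (not from the paper or its authors), the following Python triage helper checks the two artifacts that characterise an Ad Hoc-resigned, tweak-injected app: it classifies the `embedded.mobileprovision` profile by its `ProvisionedDevices` / `ProvisionsAllDevices` / `get-task-allow` fields and lists the dylibs the main Mach-O executable links, flagging loads outside the system library paths. It assumes both files have already been pulled out of `Payload/<App>.app/` in the .ipa; the sample profile and Mach-O image are constructed inline and the CMS signature on the profile is not verified.

```python
import plistlib
import struct

LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, MH_MAGIC_64 = 0x0C, 0x18, 0xFEEDFACF
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")

def profile_kind(mobileprovision: bytes) -> dict:
    """embedded.mobileprovision is a CMS blob around an XML plist; slice the plist out."""
    start = mobileprovision.index(b"<?xml")
    end = mobileprovision.index(b"</plist>") + len(b"</plist>")
    p = plistlib.loads(mobileprovision[start:end])
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif "ProvisionedDevices" in p:  # device-bound: Ad Hoc unless it is debuggable
        kind = "development" if p.get("Entitlements", {}).get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    return {"kind": kind, "team": p.get("TeamName"),
            "devices": len(p.get("ProvisionedDevices", []))}

def linked_dylibs(macho: bytes) -> list[str]:
    """Return each LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB path of a single-arch LE 64-bit Mach-O."""
    if struct.unpack_from("<I", macho, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O image (fat binaries are not handled)")
    ncmds = struct.unpack_from("<I", macho, 16)[0]  # mach_header_64.ncmds
    off, names = 32, []  # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", macho, off + 8)[0]  # dylib.name.offset
            names.append(macho[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
        off += cmdsize
    return names

def suspicious_dylibs(macho: bytes) -> list[str]:
    """Loads outside the system prefixes: where injected tweaks live in a resigned app."""
    return [n for n in linked_dylibs(macho) if not n.startswith(SYSTEM_PREFIXES)]

def _dylib_cmd(path: str) -> bytes:  # constructed LC_LOAD_DYLIB (24-byte struct + name, 8-byte aligned)
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name

def sample_macho() -> bytes:  # constructed arm64 MH_EXECUTE image imitating an app with an injected tweak
    cmds = _dylib_cmd("/usr/lib/libSystem.B.dylib") + _dylib_cmd("@executable_path/Frameworks/Tweak.dylib")
    return struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0) + cmds

def sample_mobileprovision() -> bytes:  # constructed stand-in for a CMS-wrapped Ad Hoc profile
    plist = plistlib.dumps({"TeamName": "Example Team", "Entitlements": {"get-task-allow": False},
                            "ProvisionedDevices": ["00008030-DEVICE-A", "00008030-DEVICE-B"]})
    return b"\x30\x82\x00\x00" + plist + b"\x00\x00"
```

A real app usually also links Apple frameworks under `@rpath/` (for example the Swift runtime), so treat a non-system load as a lead to inspect, not proof of tampering.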
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.