Cracks in the Walled Garden: Dissecting the Gray-Market of Unauthorized iOS App Distribution via Ad Hoc Sideloading

This public repository accompanies the study “Cracks in the Walled Garden: Dissecting the Gray-Market of Unauthorized iOS App Distribution via Ad Hoc Sideloading” and adheres to the principles of open science, fostering reproducibility and collaboration in research. Contents Sample datasets: A subset of representative data, including sampled signing site URLs, signing tools, IPA metadata entries, and dynamic libraries. Analysis scripts: Important scripts used in the study, enabling replication of key analyses and adaptation to other datasets. Includes scripts for: Extracting UDID acquisition links from signing sites and identifying backend sites. (sites/code/get_udidurls&backendsites.py) Analyzing files downloaded via UDID acquisition links. (sites/code/parsed_udid_mobileconfig.py, sites/code/parsed_additional_mobileprovision.py) Identifying signing tool names distributed through signing sites. (tools/code/extract_toolnames.py) Verifying app sources via the App Store API. (ipas/code/verfify_appstore_baseapp.py) Extracting .dylib files from IPA packages. (ipas/code/extract_dylibs.py) Comparing similarity between .dylib files with the same name. (ipas/code/compare_dylibs.py) Runtime Environment The codebase has no special platform or hardware requirements. To ensure reproducibility, we provide a requirements.txt file containing all Python dependencies used in our analysis. Please install them with: pip install -r requirements.txt Full Dataset Access This repository provides only a small sample to help readers understand the paper. The complete datasets (3,359 signing site URLs, 12 signing tools, metadata of 8,216 IPA entries), along with other derived data, are hosted at https://zenodo.org/records/17846379 (a restricted-access repository). The data are available upon request for academic research purposes only. Access restrictions are in place to prevent potential misuse that could facilitate the gray-market we focused. If you wish to obtain the dataset, please visit https://zenodo.org/records/17846379 and click the "Request access" button. We only approve requests from academic or research institutions, so please use an institutional email address and provide a brief description of your research purpose when submitting your request. Note that the data provided must be handled responsibly and is strictly for research purposes. It should not be used for personal use or any activities beyond academic research.