iOS: Security researchers warn of third-party app store "Flekst0re"

In the EU—and soon in other regions—Apple is obliged to allow alternative app marketplaces. The usual way is complex and currently requires six steps before a user can get, for example, the Epic Games Store on their device. However, there are also other ways, which the security research department of the mobile device management provider Jamf has now investigated: services that use various tricks to open up new app sources. This can lead to—which Apple also always warns intensively about—the creation of serious security vulnerabilities.

Certificate profile bypasses security mechanisms

The so-called Flekst0re, which advertises with the slogan “Jailbreak without Jailbreak,” does not use Apple's regular ways for alternative app marketplaces but operates with the help of a manually installable certificate profile. This makes things even more insecure, especially since Apple does not perform any rudimentary security checks for apps distributed in this way.

According to Jamf, the Flekst0re servers then also use enterprise distribution certificates to get the apps onto the devices—that's also a hack. This bypasses all of Apple's security features, even though the applications on the devices themselves look like “normal” apps. The offerings in Flekst0re also appear dubious: “Special versions” of well-known apps like YouTube, Instagram, WhatsApp, or TikTok are distributed here—with original icons—as well as well-known games, including “Cuphead,” which is not officially available for iOS at all.

Sneaky WhatsApp variant introduced

According to Jamf, apps that reach the device via the distribution channel can ultimately do anything. This was demonstrated with a specially manipulated WhatsApp variant that can record and forward chats. The proof of concept was distributed via Flekst0re but then deleted. Jamf advises not to enter any important account data into such apps and to pay attention to the sources (repositories, repos). One should also not assume that the unnecessary jailbreak keeps the device secure. “Running unknown code signed by unknown parties could be just as or even more dangerous.”

FlekSt0re itself stated to Jamf that they test all apps beforehand “to ensure they work.” All apps are also “secure” and transmit “no data or other information,” as that is “technically difficult.” FlekSt0re sees itself only as a “convenient service for signing applications.” However, the creators admit to having integrated at least three other repositories that they do not control themselves. “We are in contact with the creators to ensure that the apps are just as secure.” However, they are not responsible for the applications distributed there, as they are also open to other users.

Empfohlener redaktioneller Inhalt

Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.

Preisvergleiche immer laden Preisvergleich jetzt laden

Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.

(bsc)