Flekst0re: third-party app store security evaluation

By Nir Avraham and Hu Ke

In March 2024, the European Union began enforcing the Digital Markets Act (DMA). The DMA classifies Apple as a gatekeeper platform, which means they are not allowed to block alternative app distribution or payment options on iOS within the EU. To comply and avoid massive fines (up to 10% of global revenue), Apple introduced the ability for users in the EU to download apps from alternative marketplaces (i.e., third‑party stores) on iOS 17.4 and later.

As users look for easier ways to access premium or modified apps without restrictions, third-party app stores like Flekst0re have grown in popularity. Marketed as alternatives to the official App Store, they offer unofficial tweaked apps to download. But this convenience comes with risks — since there’s no strict review process, sideloading third-party stores like Flekst0re can’t guarantee that all apps they sign and distribute are free from malicious code.

This type of risk has been evident in the laptop/macOS space for several years. Our macOS research team published an article in 2023, talking about the growing trend where altered versions of legitimate or licensed software appeared online for users to download.

The basics: What is Flekst0re?

Flekst0re is a third-party app distribution platform designed for iOS devices. Unlike Apple’s official App Store, it allows users to download and install applications that are not approved by Apple — including modified versions of popular apps, apps with features that Apple doesn't approve or entirely custom-developed tools.

Flekst0re does not require a jailbroken device, which makes it easily accessible to even the most casual users. Instead, it operates by installing a certificate profile on the user’s iPhone or iPad. Once the profile is installed and a subscription is paid, users can browse and install apps directly from Flekst0re’s website without needing a computer or sideloading tools.

Behind the scenes, these apps are re-signed on Flekst0re’s servers using enterprise distribution certificates. This allows them to bypass Apple’s security mechanisms and appear as legitimate apps, even though they haven’t gone through Apple’s review or notarization process. As a result, the platform effectively circumvents key layers of Apple’s app security model — raising serious concerns about app origin, data safety and system integrity.

The technical risks of Flekst0re

Flekst0re includes several built-in sources that users can browse to download apps. In addition, it allows users to add custom URLs, which also allows the user to download apps that are outside of the Flekst0re. These URLs point to external servers that host EXTRA .ipa files. While this feature adds flexibility, it also raises significant security risks. Since Flekst0re does not verify or audit apps downloaded from a custom source, users must take full responsibility for evaluating the safety of any third-party sources they add.

To demonstrate how serious this issue can be, we created a proof of concept: we downloaded a modified version of WhatsApp from a custom source and had it signed through the Flekst0re service. Once installed, this version behaves almost identically to the official WhatsApp, but secretly records conversations and transmits them to a remote server. This example underscores the danger of obtaining apps from untrusted sources. The proof of concept WhatsApp app was removed from Flekst0re and destroyed by Jamf after this testing was completed.

We contacted FlekSt0re to notify them of the issue, and their response is below.

"Before publishing apps for all users, we test the apps ourselves to make sure they work. In addition, all applications are safe; they do not transmit data and other information, as it is technically difficult to do so. In any case, our main service is a certificate for signing applications and a convenient service for that. We have added repositories such as Nabz Clan, AppTesters and Quantum — we're in contact with the creators so we can make sure apps are just as safe.

But we can't be sure about those repositories and ipa files that users add on their own."

How to stay safe when exploring third-party app stores

1. Avoid logging in with important accounts

Never log in to your Apple ID, WhatsApp, banking app or social media accounts on a modified app from a third-party store. Treat these apps as untrusted.

2. Don’t install unknown repositories (repos)

Only use repos/sources you trust (if any). If you can’t verify where an .ipa file is coming from or who made it, assume it’s compromised.

3. Regularly update your OS

Keep your device firmware up to date to mitigate vulnerabilities or kernel-level threats.

4. Don’t assume “no jailbreak” means safe

Even though Flekst0re works without jailbreaking a device, that doesn’t make it safe. Jailbreak is a serious risk, but not the only one — running unknown code, signed by unknown people could be just as or perhaps even more dangerous.

Final thoughts

Flekst0re and similar third-party app stores promise convenience, and “premium” features, but that convenience comes at a hidden cost. By bypassing Apple’s security checks, these platforms open the door to risks such as spyware, data leaks and potentially even unauthorized control of your device.

As shown in our demo, we were able to download a modified version of WhatsApp from a custom source and had it signed through Flekst0re. This modified version of WhatsApp silently captured private conversations.

If you’re serious about your digital privacy and device security, avoid third-party app stores entirely, especially sensitive apps like messaging, banking or email. The Apple App Store may have strict requirements/criteria for developers to have their apps hosted in the store, but they exist for a reason: to help keep users safer in a mobile environment where malicious actors are constantly looking for weak spots.

If you must use these platforms (for testing or research), do so with caution: Try not to use them with critical accounts, don’t trust random repos, and treat every app as if it could be leaking data — because it might be.