Skip to main content

This illicit iPhone app store has been hiding in plain sight

This illicit iPhone app store has been hiding in plain sight


I kept waiting for it to ask for my credit card number

Share this story

Photo by Amelia Holowaty Krales / The Verge

Apple has long touted its iOS ecosystem for both the security and the tightly controlled approach the company has taken with its App Store, overseeing the approval of more than 2 million pieces of software to date for its mobile marketplace. But I’ve known for years that there are ways around that process, either by jailbreaking or by misusing what are known as enterprise certificates, which are designed for large companies to distribute apps internally, that let you directly install software on an iPhone.

Still, I was as shocked as anyone to find what amounted to a bizarro world App Store of sorts sitting in plain sight, downloadable with a few taps on my iPhone XS. The marketplace, called TutuApp, is just one of many illicit iOS app stores that can be easily sideloaded onto your Apple device, so long as you’re willing to hand the keys to your security and privacy to an unknown, likely China-based entity designed around peddling popular Nintendo knock-offs and pirated versions of apps and various types of spyware, malware, and other maliciously disguised software.

TutuApp, a Hong Kong-based app store you can sideload using an Apple enterprise certificate, is filled with pirated games and illegal content.
TutuApp, a Hong Kong-based app store you can sideload using an Apple enterprise certificate, is filled with pirated games and illegal content.

Reuters reported last week on how companies like TutuApp, TweakBox, and the now-defunct App Valley were distributing pirated games and ad-free copies of Spotify to people’s iPhones by abusing Apple’s enterprise certificate program the same way that Facebook and Google did with their data-siphoning VPN apps. (Those were quite the scandal, first uncovered by TechCrunch.) But like any other intrepid writer willing to be a guinea pig in the name of reporting, I felt I had to check TutuApp out myself, and what I found was more astonishing than the Reuters story let on.

It’s as simple to download an entire new illicit app store for your iPhone as following this link in the Hong Kong-based company’s Twitter profile — which has more than 170,000 followers — and tapping a button on a mobile webpage. From there, you’re asked to give TutuApp permission to install an enterprise certificate. That should hopefully be a red flag: Apple’s enterprise certificates were designed for large companies to beta test apps and distribute internet software to employees. In this case, it’s used to sidestep the App Store to distribute apps that would never be allowed on the platform if Apple were to review them beforehand.

There are entire illicit app store clones filled with illicit apps

TutuApp’s storefront is alarmingly polished, not unlike the actual App Store, and it contains a star-rating system and even user reviews, although the latter tends to be filled with spam. In my time perusing its selection, I found a popular ad-free version of Spotify, a free pirated version of Microsoft’s $6.99 version of Minecraft for iOS, and scores of knock-off mobile games based on Pokémon, The Simpsons, and other popular franchises. There’s a pirated version of Niantic’s Pokémon Go that allows you to spoof your location so you can access parts of the world you aren’t physically located in, and cheating software for popular games like battle royale shooter PUBG Mobile.

One copyright-infringing Nintendo knock-off, called Pokémon New World, was a bizarre hodgepodge of elements ripped from the classic handheld game series, seemingly based mostly on the 2004 GameBoy Advance remake Pokémon FireRed, with layers upon layers of inscrutable screen overlays.

Playing it felt like stepping into some alternate universe where the beloved RPG had been subjected to the worst-possible game design mechanisms you can think of. It’s nearly impossible to play without being bombarded with various pop-up notifications and quest completion screens that continuously awarded me a half-dozen different items and currencies to be used for things that were never made clear. While it played like a Pokémon game, including a relatively intact battle system and the familiar general sprite design and map layout, it seemed eerily designed to trick you into doing something you weren’t supposed to do. I kept waiting for it to ask for my credit card number.

Even worse, each new piece of software like Pokémon New World you download through TutuApp installs a separate enterprise certificate on your iPhone. Those certificates have the potential to grant the developer of the app more direct control over the data on your phone, although it’s not clear in the case of TutuApp which permissions you’re granting. These app stores often make money through cheap mobile ads, although TutuApp, TweakBox, and another similar marketplace called Panda Helper all offer “VIP subscriptions” that offer ad-free access, exclusive games, and other software you can’t easily obtain through its free version.

I kept waiting for it to ask me for my credit card number

Of course, your average iPhone owner is not going to go looking for software like TutuApp, and you can imagine most people would be a bit wary of a developer asking to sidestep the App Store and install something directly on your device. But it’s not farfetched to imagine curious teenagers or those eager to find pirated software for free to go Google searching for this seedy iOS underbelly, and it’s truly not that difficult to find. In that sense, it’s a true mystery why TutuApp has gone largely unnoticed for so long.

Apple did not respond to a request for comment for this story. But in a statement Apple issued to Reuters last week, the company said it planned to be more proactive.

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely,” a company spokesperson said. “We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

Additionally, Apple plans to require developers to verify their identities using two-factor authentication, which might keep some shady entities from reselling their enterprise certificates to software pirates — or worse.