This study presents the first systematic empirical investigation of Iran’s underground ecosystem of third-party iOS app stores, which have emerged in response to U.S. sanctions and internet censorship that block access to Apple’s official App Store. By collecting over 1,700 application packages from the three largest Iranian alternative stores, the research employs static binary analysis, metadata mining, and cross-store comparison to characterize the operational mechanisms and isolation patterns of this illicit distribution network. Findings reveal a prevalence of Iran-exclusive applications, widespread piracy, unauthorized monetization strategies, and embedded tracking libraries. The study quantifies financial losses incurred by legitimate developers and demonstrates significant security and privacy risks stemming from app tampering and unvetted distribution practices.

Due to U.S. sanctions and strict internet censorship, Iranian iOS users are barred from accessing the Apple App Store and developer services. In response, despite violating Apple's developer terms, a thriving underground ecosystem of third-party iOS app stores has emerged to serve Iranian users. This paper presents the first comprehensive empirical study of these clandestine app stores. We document how these stores operate, including their distribution mechanisms, user authentication processes, and evasion techniques. By collecting and analyzing more than 1700 iOS application packages and their metadata from three major Iranian third-party app stores, we characterize the ecosystem's size, structure, and content. Our analysis reveals a significant presence of Iranian-exclusive apps, widespread distribution of cracked apps, unauthorized monetization of paid content, and embedded third-party tracking and piracy libraries. We also uncover a notable overlap among financial, navigational, and social apps that exist solely in this ecosystem, reflecting the unique digital constraints of Iranian users. Finally, we quantify the potential revenue losses for developers due to piracy and document security and privacy risks associated with altered binaries. Our findings highlight how sanctions, censorship, and enforcement gaps have enabled a parallel app distribution ecosystem with complex socio-technical implications.