On the XARA Mac and iOS exploits

“As a Mac developer, I know that getting through the rigorous review process is sometimes an even bigger hurdle than actually writing an app. I’d like to think that this stringent and detail-focused process at least ends up providing security and quality.

The ‘malware’ that passed through the review wasn’t detectable by static analyzers, and the trojan didn’t do anything a ‘normal’ app wouldn’t do. It used existing systems, such as url handler registration and bundle id spoofing, in ways that exposed serious weaknesses.”