Hacker News
by djao 4497 days ago
That makes it slightly harder. Still, Apple will sign anything that is successfully submitted to the App Store for approval, right? So you just need to slip a single trojan past their approval process. Normally, the transport layer provides an important second level of defense: a victim would have to consciously choose to install YOUR program in order to get hacked. That doesn't work anymore when the security of the transport layer is compromised. Now anything that you install from the App Store could be surreptitiously compromised. Better hope that Apple's signature revocation infrastructure is sound.
1 comments

All new App Store apps require sandboxing now, so as long as Apple's sandbox is tight (not a given, but it's supposed to be) then you can't do anything harmful. Apple won't sign anything you give them that isn't sandboxed.

The updater for Apple's own stuff obviously doesn't have this constraint, but it should involve a different signing key than the one used for third-party apps.