There isn't any documented process for how Apple allows apps to wind up in the App Store. The only thing we know is that they're more stringent than Android. Still, nothing is completely safe.
A bunch of researchers managed to sneak malware onto the App Store by giving their app the power to transform. Say what?
Dubbed Jekyll, it was able to send e-mails and texts, steal information and device ID numbers, take photos, send tweets and attack other apps. The only thing is, it couldn't do it from the get-go.
The malicious code was instead broken into innocent-looking segments that would transform after download. Here's how a researcher described it:
The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed.
The research team slipped Jekyll into the App Store, downloaded it, and ran the attacks on themselves before deleting it off the store. They were able to tell that Apple only scanned it for mere seconds. Perhaps scanning longer would have helped?
The team showed off their results last Friday at the Usenix conference, but all that happened in March. Apple has since tweaked its app review process, and it's obvious they're not talking about this either.
There's nothing that's truly safe to download out there. In any app store. Just take some precautions. It never hurts.
[MIT Technology Review]