Developers of third-party iPhone Apps may have a way to circumvent Apple’s iTunes App Store approval process for their updated Apps by executing arbitrary code from within their own applications whenever they choose to do so.
The newly discovered exploit reveals itself via a technique discovered by developer Patrick Collison and is documented on his blog. Essentially, Collison, discovered a workaround that allows for the display of dynamic default.png images. These images load whenever apps are launched on the iPhone. An Xcode Project demoing the exploit can be downloaded and a video demoing the exploit can be found on the blog.
Some developers believe that this feature would be of utility to programmers, others deem it a flaw because it can be used as an exploit to update and execute arbitrary code regardless of content whenever the developer chooses to do so.
How Apple decides to handle this issue remains to be seen. Since this flaw could be used by the developer to circumvent the App Store’s approval process, the company may choose to close eliminate the dynamic-image functionality and hence close the hole.
Currently there is no evidence that any third party App has taken advantage of this exploit to run any malicious code.