iPhone Exploit Undermines App Store Security, Lets Devs Update And Run Arbitrary Code

12 points by beau over 16 years ago

3 comments

tptacek over 16 years ago
Uh, this is silly.

If your notion of the App Store review process was that Apple was conducting a line-by-line source code audit of submitted applications then, yes, this is a calamity of the highest order.

If, like a reasonable person, your notion of the App Store process was some Q&A, documentation, and background info on the developers themselves, so that Apple could go in and kill any application found to violate their policies, then this "flaw" doesn't mean anything.

Apple may very well fix the underlying problem, which is that signed code bundles can include symlinks to unprotected app data, which links are not followed during signature verification. Then again, they may not. Why would they care? If you abuse the "feature", they're just going to kill your app.

Don't forget, Apple managed to stick a tethering application on the app store that John Gruber reports works just fine. If they're missing things that big, I doubt they're looking very carefully at the code.
tlrobinson over 16 years ago
I love how TechCrunch claims they discovered this flaw, when really it was Patrick Collison. The first thought several people I know had after reading his article was "hmm it works for images... I wonder if it works for code"

TechCrunch didn't even bother verifying their hypothesis.
gstar over 16 years ago
My understanding is that the bundle needs to be signed, but also the code needs to be signed to execute. You can't sign code on the device.

So this is bullshit.