"As a proof of concept, the three researchers created a malicious version of an iOS Facebook app that also includes a Trojan that runs in the background, capable of taking screenshots, simulating button touches, and sending data to a remote server."
That was done by exploiting developer mode, and was fixed by asking the user before any data transmission is enabled. The only thing that is allowed "blindly", and hence the most dangerous, is charging. No need for any racketeeri-- sorry, Apple-controlled whitelist.
How is it fixed when a significant percentage of the customer base will end up clicking yes, some due to ignorance, some by pure error? This isn't how security works.
Specifically, note "Mactans"
https://www.forbes.com/sites/andygreenberg/2013/07/31/resear...
"As a proof of concept, the three researchers created a malicious version of an iOS Facebook app that also includes a Trojan that runs in the background, capable of taking screenshots, simulating button touches, and sending data to a remote server."