That's a good point.

The paranoid in me wonders whether a malware writer might then work on infecting an app-store developer's machine, to get the code in via such indirection; but I agree that seems like an awful lot of work when so many unsecured machines are out there for easy and anonymous direct picking.

It'll probably happen eventually, and I'm sure there are several app-store developers whose machines are already members of botnets.