The point being made by the cited article is that a tiny interpreter that activates days or weeks after an app goes live can't be detected by any app store review process. You have no idea how many such droppers are active in the iOS App Store because only Apple can look for them, and nobody knows if they do or to what extent they do.
That's why both platforms also use a sandbox. The dropper still needs to work within whatever permissions the app has been granted. App Review doesn't involve a full-blown security audit of your app's source code and then a deterministic build process on top.
> The point being made by the cited article is that a tiny interpreter that activates days or weeks after an app goes live can't be detected by any app store review process. You have no idea how many such droppers are active in the iOS App Store because only Apple can look for them, and nobody knows if they do or to what extent they do.
The point being that Apple doesn't allow information downloaded from random places to be executed as code in third party apps at all. This is literally the reason for the WebKit-only policy.
Google does allow it, and they (very predictably) have no way to know if that code will be malicious or not.
Which is why Ars had to warn Android users that they had to be wary of apps downloaded from the Play Store.
I think we're talking at cross-purposes here. The issue is not what Apple allows, it's what they can detect and block. They can't detect arbitrary interpreters and therefore you have no idea if this is happening on the app store. You just have to take Apple's word for it that it's not. We're talking about malware; by definition it doesn't care what the rules are. Android is more open and so third parties can go investigate and find malware that uses interpreters to execute remote code, but Apple simply doesn't allow such explorations so we don't know what's out there.
That's why both platforms also use a sandbox. The dropper still needs to work within whatever permissions the app has been granted. App Review doesn't involve a full-blown security audit of your app's source code and then a deterministic build process on top.