> It's hard enough to vet a github repository, but at least it can be done.

It will, more often than not, fall victim to the bystander syndrome. Someone else will do it, right? Right?

Well, in fact, nobody will do it. Here's why: a KeePass client is already a niche piece of software; people who are aware of it and would like to use it on their iOS devices form a small subset of all KeePass users; of those, people who have actual chops to perform a review of source code are an even smaller subset; of those, people having enough spare time and brain cycles to be bothered are a number very close to zero, or can be counted on a drunk carpenter's fingers. Those people will maybe carve out time to look once they suspect something fishy is happening.

>Well, in fact, nobody will do it.

You're stating this in absolute terms but the reality is not black and white. If it was possible to review the code that actually gets deployed, then it would depend on a project's popularity how many people would be willing to take a look at the source code. I might do it myself if I relied on it for something like a password manager.

The intransparency introduced by the app store makes it impossible for anyone to look at the code. Any publisher of malware can be 100% certain that no one will look at their code. It's sort of the inverse of the chilling effect.

And when a suspicion arises there's no way of finding out the truth about what actually happened and you have no way of knowing what to protect against.
