  • Malware-infected Transmission 2.9 app threatened OS X users, stopped by XProtect

    jonyo said:


    All it took was 3 things:
    1. Access to the source code to be altered and recompiled
    2. Access to the distribution server to upload the infected version
    3. A valid dev cert to use in the recompile, whether the actual dev's cert, or some other one

    Beyond that, I'm not knowledgeable enough about this stuff to say how Apple can change things in the future to avoid this sort of thing from happening.

    No, they didn't have access to the source code, nor was it altered or recompiled. All they did was take the installer package, unpack it, pack it up again adding a couple of extra binaries which were the hack and ensure they were installed along with the real, unmodified app.

    The other two things they did have: they accessed the distribution server and replaced one package with another, and they had a valid dev certificate, not to recompile anything, but just to re-sign the installer they'd added new payload to.

    2. is the lapse from the developer. Anyone can get the installer package and modify it, anyone with a dev cert can re-sign the modified installer, but the important bit is putting it on the dev's website to replace a legitimate version. 
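An added example, not part of the original post: because anyone with a dev cert can re-sign a modified installer, a valid signature alone does not say who published it. This sketch compares the signer Team ID of each unpacked item against a pinned value; the pinned ID, file names and `codesign -dvv`-style output are constructed for illustration.

```python
import re

# Assumption: Team ID recorded from an earlier release the user already trusts.
PINNED_TEAM_ID = "PINNEDTEAM"

# Constructed sample: `codesign -dvv`-style output for each item unpacked
# from a downloaded installer (names and IDs are placeholders, not real).
SAMPLE_OUTPUT = {
    "Example.app": (
        "Identifier=org.example.app\n"
        "Authority=Developer ID Application: Constructed Dev (PINNEDTEAM)\n"
        "Authority=Developer ID Certification Authority\n"
        "Authority=Apple Root CA\n"
        "TeamIdentifier=PINNEDTEAM\n"
    ),
    "extra_helper": (
        "Identifier=extra_helper\n"
        "Authority=Developer ID Application: Constructed Other (OTHERTEAM0)\n"
        "Authority=Developer ID Certification Authority\n"
        "Authority=Apple Root CA\n"
        "TeamIdentifier=OTHERTEAM0\n"
    ),
    "readme_tool": "readme_tool: code object is not signed at all\n",
}

def parse_codesign(text):
    """Return (team_id, leaf_authority); either is None when absent."""
    team = re.search(r"^TeamIdentifier=(.+)$", text, re.M)
    # The first Authority line is the leaf (developer) certificate.
    auth = re.search(r"^Authority=(.+)$", text, re.M)
    team_id = team.group(1).strip() if team else None
    if team_id == "not set":  # ad-hoc signatures carry no Team ID
        team_id = None
    return team_id, (auth.group(1).strip() if auth else None)

def audit(outputs, pinned):
    """List items whose signer is missing or differs from the pinned Team ID."""
    findings = []
    for path, text in sorted(outputs.items()):
        team_id, authority = parse_codesign(text)
        if team_id is None:
            findings.append((path, "unsigned-or-adhoc", authority))
        elif team_id != pinned:
            findings.append((path, "unexpected-signer", authority))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT, PINNED_TEAM_ID):
        print(finding)
```

The extra binary here carries a perfectly valid Developer ID signature, which is why the check is on who signed it rather than whether it is signed.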