Can Apple retroactively identify apps that might have exploited these vulnerabilities to exfiltrate personal data? In my understanding they receive the full source code of an app for review, so they probably have an archive with all revisions that they could go through using automated tools to identify exploit code? Would be good to know if these exploits have been used in the wild, being able to exfiltrate the entire address book without any user involvement whatsoever is quite scary.
There is no way they could prove that an app HASN'T exploited this. They don't get source code, only compiled binaries, and with objective-c's extremely dynamic nature, any app could technically receive a HTTP response containing strings containing class and method names to dynamically look up and invoke, maybe even based on the app's IP address or only on specific dates. So calls to these exploitable APIs could have happened and there would be no way to prove otherwise.
Furthermore, no one stops you from developing an app and planting RCE vulnerability inside the binary. Then you can exploit it remotely when necessary and execute the code that exploits any iOS vulnerabilities known to you.
True but it is complicated by the fact that code signing is generally enforced for executable segments. (JIT compilation entitlements are generally not available to apps beyond Apple's own MobileSafari builds)
