Apple issues developer certificates to those who want to do internal distributions of their own applications. Those certificates can be used to self-sign an application and provision it.
Wang’s team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn’t see a warning.
That would allow for a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones.