So far as I can tell, this uses the standard method for sideloading apps via a provisioning profile, but speaks the iOS's USB device protocol directly instead of relying on the MobileDevice libraries from Apple.
Oh, that's it? That's not really news, then. How are they hiding it from the user though? I would expect that would require modifying and restoring the SpringBoard plist to the device, but surely the user will notice if their phone goes into a restore session.
