Re: Are "Apps" the real culprit?
Well given that Apple said their investigation determined it was from the security questions, presumably they had logs indicating that at least some of the celebs in question had their passwords reset via the security question. Said celeb probably couldn't login, and used the security questions again themselves to reset their password, but only after the "hacker" had swiped their photos.
Apparently some of the naked celeb pics came from Google Drive and Dropbox as well, even if the bulk were from iCloud. Because the same type of attack can work anywhere that uses 'security questions', which aren't very secure at all if you're a public figure and answer them honestly.
If an iPhone app wants access to the pictures, it will have to ask the user for confirmation, and it will only have access to the photos stored on the device. It seems some number of the photos in question had been deleted from the phone long ago. Either they were still on iCloud, or they were swiped some time ago.