Javascript security
They haven't added any DRM to the MP4 so the only thing it can be is javascript "security".
Looking at the code http://www.bbc.co.uk/iplayer/page/script/1.7/iplayer_info.js
This seems to do the security (A new version was uploaded this morning according to the modified headers)
I've not tested anything but I'm pretty sure they are using javascript to identify the browser which then will either set a cookie to say its not really iphone or just uses javascript to do the redirect.
http requests are pretty simple things and send very limited information. If its securing on something sent over a http get request it will only take someone with an iphone and a bit of knowledge to look at what is being sent and replicating it.
if its pure javascript a bit of grease monkey will no doubt get around it.
By the evenings out it will be bust wide open agian?