Please consider that as long as the vulnerable jar exists on the local filesystem, it should be considered vulnerable. Preventing the App Store from becoming a distribution mechanism is good, but not good enough.