It is hard, as on iOS they run every app in a sandbox with only managed APIs to do things with other apps and the system. This is a very nice foundation, especially combining it with the forced use of the store and long support.

So, as an attacker, you can only try to sneak in an app, which tricks you to give it the data or you need to get your hands on an unknown security issue in the API implementation, which would be much better to sale in the black market, then actually using it on your own as governments pay a lot for them