They didn't have a two factor authentication process around accessing their source code.
I have written applications on just about every smartphone plaform, and I have never met an API did that did not have the ability to query the phone number of the device. Assuming you have a data plan (in many cases, the only way to get the app in the first place), its a tiny amount of code to post that information to a web page the first time the application runs. Some platforms, such as the Android, do indicate when an application has access to use the Internet, but its not trivial to find out exactly what information is going back and forth.
This issue has always been there, and is no more of a problem on an iPhone than other similar platforms.