https://www.nothingbutsharepoint.com/sites/devwiki/articles/pages/configure-an-environment-for-apps-for-sharepoint-2013.aspx
SharePoint 2013 Apps have their own, isolated URLs, which are separate from the URLs of the sites where the app is being deployed to and where the app is being used. In order to provide isolation, apps should run in their own domain, instead of in the same domain name as your farm. Using a different domain name for apps helps prevent cross-site scripting between apps and SharePoint sites.
Microsoft recommends that the new domain name should NOT be a subdomain of the domain that hosts the SharePoint Sites. For example, if the SharePoint sites are at matrinescu.com, consider mcatrinescuApps.com instead of app.mcatrinescu.com as the domain name.
http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8&ved=0CFcQtwIwBw&url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DP1eEBQ0vG3o&ei=_teWU-OeDo-JuASBlYII&usg=AFQjCNErUUIrVTd-hnF-7H0wXINYzW3SBA&bvm=bv.68445247,d.c2E
- Proposed as answer by Nico Martens Tuesday, June 10, 2014 10:42 AM
- Marked as answer by Victoria Xia (Microsoft contingent staff, Moderator) Friday, June 20, 2014 9:51 AM
This is a security-based design decision due to cross-site scripting attacks. SharePoint 2013 Apps have their own, isolated URLs, which are separate from the URLs of the sites where the app is being deployed to and where the app is being used. In order to provide isolation, apps should run in their own domain, instead of in the same domain name as your farm. Using a different domain name for apps helps prevent cross-site scripting between apps and SharePoint sites.
The MS SharePoint AppStore contains many 3rd party apps. If a user is running an app which contains malicious code, it's possible for the code to run queries on other sub-domains and create an issue. Now there are ways to put restrictions in place where you can allow/disallow app installations. Also, if all your developers are internal and you are not using 3rd party apps, it's not necessary to have a separate domain. It's up to you whether you want to go with a separate domain or a subdomain.
Hope this helps.
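
The domain recommendation discussed in this thread, as an added example (not code from the linked article or from Microsoft): a check that classifies a planned app domain against the farm domain, using the cookie domain-matching rule from RFC 6265 section 5.1.3 to decide whether the two hosts fall under a shared cookie scope. The function names are hypothetical, the hostnames reuse the thread's sample names, and the third hostname is constructed.

```javascript
// Added example; function names are hypothetical, not a SharePoint API.
function normalizeHost(host) {
  // Hostnames are case-insensitive; a trailing dot denotes the same name.
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// RFC 6265 section 5.1.3 domain-match: true when a cookie whose Domain
// attribute is `cookieDomain` would be sent to `host`.
function cookieDomainMatches(host, cookieDomain) {
  const h = normalizeHost(host);
  const d = normalizeHost(cookieDomain).replace(/^\./, "");
  if (h === d) return true;
  // Suffix matches count only on a label boundary, and never for IP literals.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Classify the app domain relative to the domain hosting the SharePoint sites.
function classifyAppDomain(farmDomain, appDomain) {
  const farm = normalizeHost(farmDomain);
  const app = normalizeHost(appDomain);
  if (app === farm) return "same-domain";
  if (cookieDomainMatches(app, farm)) return "subdomain-of-farm";
  if (cookieDomainMatches(farm, app)) return "parent-of-farm";
  return "separate-domain";
}

// Sample names from the thread, plus one constructed look-alike that shares
// a string suffix with the farm domain but not a label boundary.
const farm = "mcatrinescu.com";
for (const app of ["app.mcatrinescu.com", "mcatrinescuApps.com", "notmcatrinescu.com"]) {
  console.log(`${app} -> ${classifyAppDomain(farm, app)}`);
}
```

Only "separate-domain" matches the recommendation quoted above. The check does not detect two sibling subdomains under one registrable domain, which would need a public suffix list.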