You can easily track internet activity with any sort of packet sniffing tool. Here's a link to one way to do it:
http://blog.jerodsanto.net/2009/06/sniff-your-iphones-network-traffic/
If all you have is the iOS application itself, you won't be able to run it on the iPhone "simulator" that comes with Xcode -- that only runs code that has been compiled for the simulator (x86 code), it doesn't run the actual .ipa files that contain the ARM code.
If you are strictly worried about malware, on a non-jailbroken phone, the app will only run in the application sandbox -- there isn't much an application can do from within the sandbox that would be malicious. So tracking the internet activity should be enough.
You can also scan the app for API calls using either the techniques discussed here:
http://stackoverflow.com/questions/7031356/finding-private-api-call-terminatewithstatus
Or using this utility:
http://www.chimpstudios.com/appscanner/
NOTE: Static analysis of reverse engineered code might actually be a better method of determining malicious intent than any amount of simulation. Depending on what triggers the malicious code, you might never actually run the malicious payload when you run under a simulator.
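One way to do the API-call scan described above without running the app, as an added example that is not part of the original answer or of either linked tool: it opens the .ipa as a zip archive, pulls out the main executable and lists the printable strings that contain watched API names. The watchlist, the rule that the executable is named after the .app bundle, and the sample archive are assumptions made for illustration, and the binary is assumed to be unencrypted.

```python
import io
import re
import zipfile

# Assumed watchlist: terminateWithStatus is from the linked question's title,
# the other two names are illustrative choices.
WATCHLIST = ("terminateWithStatus", "dlopen", "NSClassFromString")
# Assumption: the executable is Payload/<Name>.app/<Name> (the usual layout).
EXEC_RE = re.compile(r"^Payload/([^/]+)\.app/\1$")

def find_executable(ipa):
    """Return the zip member name of the main executable, or None."""
    for name in ipa.namelist():
        if EXEC_RE.match(name):
            return name
    return None

def printable_strings(data, min_len=4):
    """Yield runs of printable ASCII, like the strings(1) tool."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")

def scan_ipa(ipa_file, watchlist=WATCHLIST):
    """Map each watched name to the sorted strings in the binary containing it."""
    with zipfile.ZipFile(ipa_file) as ipa:
        exe = find_executable(ipa)
        if exe is None:
            raise ValueError("no Payload/<Name>.app/<Name> executable found")
        data = ipa.read(exe)
    hits = {}
    for s in printable_strings(data):
        for name in watchlist:
            if name in s:
                hits.setdefault(name, set()).add(s)
    return {k: sorted(v) for k, v in hits.items()}

def build_sample_ipa():
    """Constructed sample: a fake binary blob, not a real Mach-O file."""
    blob = (b"\xcf\xfa\xed\xfe\x00\x00_dlopen\x00\x01\x02"
            b"terminateWithStatus:\x00viewDidLoad\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", b"<plist/>")
        z.writestr("Payload/Demo.app/Demo", blob)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, found in scan_ipa(build_sample_ipa()).items():
        print(name, "->", found)
```

Pass `scan_ipa` a path to a real .ipa instead of the constructed sample; a hit only shows that the name appears in the binary, so each one still needs to be checked in a disassembler.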