Compliance Rules
66 rules covering App Store Guidelines and Google Play policies. Continuously calibrated against 15,000+ production apps.
Sign in with Apple Required
Apps that use third-party login services (Google, Facebook, Twitter, etc.) must also offer Sign in with Apple as an equivalent option.
Minimum Functionality (Web Wrapper)
Apps that are primarily a website wrapped in a native container without significant native functionality will be rejected.
Spam / Template Detection
Apps created from a common template or appearing to be clones of existing apps may be rejected under the Spam guideline.
Hidden Features or Functionality
Apps must not include hidden or dormant features that are not documented or declared. Runtime string-to-selector calls are often flagged as a sign of such features.
SIWA Error Handling Missing
Sign in with Apple implementation should handle authorization errors gracefully to prevent crashes and poor user experience.
SIWA Presentation Anchor Missing
Sign in with Apple requires a presentation anchor for proper display on iPad. Missing this causes iPad-specific failures.
SIWA Credential State Check Recommended
Apps should check Apple ID credential state on launch to detect if the user has revoked access or signed out of their Apple ID.
SIWA Token Revocation on Account Deletion
When users delete their account, apps must revoke the Apple Sign In token to fully disassociate the Apple ID.
Account Deletion Required
Apps that allow account creation must also provide account deletion functionality accessible within the app.
Privacy Policy Required
All apps must have a privacy policy link accessible in the app and in App Store Connect metadata.
Camera Permission String Required
Apps that access the camera must include NSCameraUsageDescription in Info.plist with a clear explanation.
Photo Library Permission String Required
Apps that access the photo library must include NSPhotoLibraryUsageDescription in Info.plist.
Location Permission String Required
Apps that access location must include NSLocationWhenInUseUsageDescription in Info.plist.
Privacy Manifest Recommended
Apps should include a PrivacyInfo.xcprivacy file declaring data collection practices and required reason APIs.
User-Generated Content Reporting Required
Apps with user-generated content must provide a mechanism for users to report offensive content.
User Blocking Required
Apps with user-generated content or social networking features must allow users to block abusive users.
UGC Filtering Controls Required
Apps with user-generated content or social networking features must include a method for filtering objectionable material before it is posted.
Published User-Support Contact Required
Apps with user-generated content or social networking services must publish contact information so users can easily reach the developer or moderation team.
Random or Anonymous Chat Safety Risk
Random or anonymous chat features are explicitly scrutinized under Guideline 1.2. Apps with these flows should include strong moderation, reporting, blocking, and age/safety controls.
Restore Purchases Required
Apps with in-app purchases must include a "Restore Purchases" button.
No External Payment Links
Apps cannot include buttons or external links that direct users to purchasing mechanisms other than in-app purchase (except for specific entitled categories).
Encryption Declaration
Apps must accurately declare whether they use encryption in ITSAppUsesNonExemptEncryption.
Placeholder Content Detected
Apps with placeholder text (e.g. Lorem Ipsum) will be rejected under the "Design" guideline.
Obfuscation Tools Detected
Using obfuscation tools may delay review or trigger fraud checks.
Dynamic Code Loading Detected
Apps are not allowed to download or run executable code at runtime; dynamic loading calls (dlopen, dlsym) are flagged.
AI Data Sharing Disclosure
Apps using third-party AI services must clearly inform users if personal data is shared and obtain explicit consent before processing.
Required Reason API Usage
Apps using certain system APIs must declare approved reasons in the Privacy Manifest (PrivacyInfo.xcprivacy).
Potential Third-Party Brand Usage
Apps cannot use another developer's icon, brand, or product name in their app name or icon without explicit approval.
Loan App Detected
Loan apps have strict requirements: max 36% APR (including all fees), no full repayment required in 60 days or less, and must be from licensed lenders.
Age-Gated Content Detection
Creator apps and platforms with user content that may exceed the app's age rating must implement age verification mechanisms.
Account Required Before IAP Browsing
Users must be able to browse in-app purchases without creating an account first. Requiring login before showing subscription options or IAP content violates App Store guidelines.
AI App May Require 17+ Rating
Apps using generative AI that accept unrestricted user prompts must be rated 17+. If users can input prompts that could generate harmful, violent, or adult content, the app requires a 17+ age rating or content filtering.
Premium Features May Need Clear Labels
Premium or paid features should be clearly labeled in your UI. App Store screenshots and descriptions must indicate which features require additional payment.
iPad Multitasking Disabled
Your app opts out of iPad multitasking (Split View / Slide Over) by setting UIRequiresFullScreen to true. This is only acceptable for apps that genuinely require full screen (camera, AR, games with specific aspect ratios).
iPad Support May Be Missing
Your app may only target iPhone and not properly support iPad. Apps should support both device families unless there is a specific reason to be iPhone-only.
iPad Orientation Support Limited
iPad apps should support all four orientations (portrait, portrait upside down, landscape left, landscape right) unless there is a specific design reason not to.
Hardcoded Frame Sizes Detected
Your code contains hardcoded frame/size values which may cause UI issues on different screen sizes, especially iPad. Use Auto Layout, size classes, or responsive sizing instead.
iPad Launch Screen May Be Missing
Apps supporting iPad must have a launch storyboard that works on all iPad sizes. Missing or improperly configured launch screens cause your app to run letterboxed.
Firebase App Check May Be Required
Your app uses Firebase backend services (Firestore, Realtime Database, Storage, or Functions) but Firebase App Check initialization was not detected. App Check protects your backend resources from abuse.
Google Play Billing Required
Apps offering digital goods must use Google Play Billing Library. External payment links for digital content violate Google Play policies.
Target SDK Version Too Low
Google Play requires apps to target a recent Android API level. Apps targeting API level below 33 (Android 13) may be rejected.
Sensitive Permission Detected
Your app uses sensitive permissions that require justification in Google Play Console. Background location, SMS, call log, and similar permissions need declaration forms.
Runtime Permission Rationale Recommended
Apps should explain why permissions are needed before requesting them. This improves user trust and acceptance rates.
Data Collection Detected - Declaration Required
Your app uses analytics/advertising/tracking SDKs with active data collection. Ensure this is accurately declared in the Google Play Data Safety section.
Potential Hidden Functionality
Dynamic code loading detected. Google Play prohibits apps that download executable code from sources other than Google Play.
APK Build Configuration Detected
APK distribution pipeline detected. Google Play requires Android App Bundle (AAB) format for new apps. If you are shipping to Google Play, ensure your release pipeline produces an .aab.
Ad SDK in Child-Directed App
Apps targeting children must only use Google Play certified ad SDKs. Standard ad networks are not permitted.
Account Deletion Required
Google Play requires apps with account creation to offer in-app account deletion and a web-based deletion option.
Subscription Transparency Missing
Apps must clearly disclose subscription terms, including price, billing frequency, and how to cancel.
QUERY_ALL_PACKAGES Restricted
Google Play restricts use of QUERY_ALL_PACKAGES to apps whose core functionality requires visibility into all installed apps.
MANAGE_EXTERNAL_STORAGE Restricted
Broad storage access (MANAGE_EXTERNAL_STORAGE) is restricted to apps that require it for their core functionality.
Cleartext Traffic Permitted
Allowing unencrypted HTTP traffic increases the risk of man-in-the-middle attacks.
Missing android:exported Declaration
Components with intent-filters must explicitly declare android:exported (required for Android 12+ / API 31+). Activities, services, receivers, providers, and activity-aliases that declare intent-filters without an explicit exported attribute will cause install failures on Android 12 and higher.
Insecure File Permissions
Creating world-readable or world-writable files is a severe security risk.
Missing Accessibility Labels
UI elements should have contentDescription attributes for screen readers.
Potential Deceptive Ad Pattern
Detected patterns that could be used for deceptive ads (notifications with ad content, full-screen interstitials on app open). Ensure ads are clearly distinguishable from app content.
Background Location Restricted
Accessing location in the background requires a strong justification and must be core to the app experience.
Suspicious Execution Patterns
Detected use of Runtime.exec or ProcessBuilder, which can execute arbitrary shell commands.
Untrusted Intent Processing
Processing intents from untrusted sources without validation can lead to security vulnerabilities. This is especially critical in exported components.
Hardcoded API Key Detected
Sensitive API keys detected in source code or manifest.
Insecure WebView Configuration
WebView with setJavaScriptEnabled(true) or setAllowFileAccess(true) increases attack surface.
Minimum Functionality (Android)
Apps must provide a basic functional experience and utility to users.
Foreground Service Type Declaration
Apps using foreground services must declare the appropriate foreground service type and provide valid use case documentation.
16KB Page Size Compatibility
Apps targeting Android 15+ with native libraries (.so files) must support 16KB page sizes for compatibility.
Repetitive Content Detection
Apps that duplicate content from other apps or contain minimal original functionality may be flagged as spam.
Firebase App Check May Be Required
Your app uses Firebase backend services (Firestore, Realtime Database, Storage, or Functions) but Firebase App Check initialization was not detected. App Check protects your backend resources from abuse and may be required by Google Play.