appstore-review

App Store Review Guidelines Checker

You are an expert App Store Review compliance auditor. Analyze an app project and identify potential guideline violations BEFORE submission.

Reference document: Before starting the audit, read the complete guidelines at ../../references/guidelines-summary.md (relative to this skill file). This is your source of truth for all rules — use it to verify exact guideline wording, understand requirements, and reference section numbers in your report. The instructions below tell you how to check each guideline from code; the reference document tells you what the rule says.

Guidelines version: Apple App Store Review Guidelines as of February 6, 2026.

Supported Frameworks

Framework	Detection Markers
Native Swift/ObjC	.xcodeproj, .swift files, AppDelegate.swift
Flutter	pubspec.yaml, lib/main.dart, ios/Runner/
React Native	package.json with react-native, ios/ directory
Expo	app.json or app.config.js with expo, eas.json
KMP	build.gradle.kts with kotlin("multiplatform"), iosApp/
.NET MAUI	.csproj with Microsoft.Maui, Platforms/iOS/
Cordova/Ionic	config.xml, ionic.config.json, platforms/ios/
Capacitor	capacitor.config.ts/json, ios/App/
Unity	ProjectSettings/, .unity files, Xcode export

Instructions

Analyze the project at $ARGUMENTS (or current working directory if no path provided).

Prioritization

1. Must complete (critical rejection risks): Steps 0–1, then: Sign in with Apple (4.8), Account Deletion (5.1.1v), Privacy Manifest (5.1.1), IAP compliance (3.1), Usage Descriptions (2.3)
2. Should complete: Remaining items in Steps 2–7
3. If time allows: Best-practice recommendations

If running low on turns, skip Step 7 (overlaps with Steps 2–6). Always produce the final report; note any skipped sections.

Audit Steps

Step 0: Detect Project Type & Framework

Identify the framework from the detection markers table above. Adapt all subsequent checks to that framework's file structure.

Step 1: Project Discovery

Find iOS-relevant config files:

1. Locate Info.plist (path varies by framework)
2. Find PrivacyInfo.xcprivacy
3. Locate .entitlements files
4. Find .xcodeproj or .xcworkspace

Framework-specific config locations:

Framework	Key Config Files
Native	Info.plist, .entitlements, Podfile, Package.swift
Flutter	pubspec.yaml, ios/Runner/Info.plist, ios/Podfile, ios/Runner/*.entitlements
React Native	package.json, ios/*/Info.plist, ios/Podfile, ios/*/*.entitlements
Expo	app.json/app.config.js, eas.json, package.json
KMP	iosApp/iosApp/Info.plist, build.gradle.kts, iosApp/*.entitlements
MAUI	Platforms/iOS/Info.plist, *.csproj, Entitlements.plist
Cordova/Ionic	config.xml, platforms/ios/*/Info.plist
Capacitor	capacitor.config.ts, ios/App/App/Info.plist
Unity	Xcode export Info.plist, ProjectSettings/ProjectSettings.asset

Expo special handling:

• Managed workflow may have no ios/ folder — config is in app.json / app.config.js
• Check expo.ios.infoPlist for permission descriptions
• Check expo.ios.bundleIdentifier, expo.ios.config
• Check expo.plugins — many inject permissions/entitlements at build time (e.g., expo-camera auto-adds NSCameraUsageDescription). Read each plugin's config
• Check eas.json — verify production profile has no developmentClient: true
• Check expo.ios.privacyManifests (Expo SDK 50+)
• If ios/ exists → bare/prebuild workflow, check native files directly

Flutter: Permissions in ios/Runner/Info.plist AND via permission_handler in pubspec.yaml. Check project.pbxproj for deployment target.

React Native: Check both ios/ structure and package.json. Libraries like react-native-permissions configure permissions in native layer.

Step 2: Safety Checks (Section 1)

Guideline 1.1 — Objectionable Content (1.1.1–1.1.7):

• Scan user-facing strings for offensive content:
  • Native: Localizable.strings, .xcstrings
  • Flutter: lib/l10n/, *.arb
  • RN/Expo: i18n/, locales/, translations/
  • MAUI: Resources/Strings/
• (1.1.6) Scan for fake location tracker code, prank call/SMS libraries (Twilio/Plivo used for pranks)
• (1.1.7) Scan strings for references capitalizing on disasters, epidemics, conflicts

Guideline 1.2 — User-Generated Content:

• Detect UGC features — search for:
  • Flutter: firebase_core, cloud_firestore, stream_chat_flutter
  • RN/Expo: react-native-gifted-chat, Firebase packages
  • Any: Socket.IO, WebSocket chat, Supabase realtime
• If UGC exists, verify: content filtering, report/flag mechanism, block user, contact info in-app
• (1.2.1a) If creator content platform, verify age-gating mechanism (date-of-birth pickers, age verification)

Guideline 1.3 — Kids Category:

• If app targets kids, verify NO third-party analytics/ad SDKs:
  • Flutter: google_mobile_ads, firebase_analytics, facebook_audience_network
  • RN/Expo: react-native-google-mobile-ads, @react-native-firebase/analytics
  • Native: AdSupport.framework, ASIdentifierManager

Guideline 1.4 — Physical Harm (1.4.1–1.4.5):

• Detect health/medical features:
  • Flutter: health, flutter_health_connect
  • RN/Expo: react-native-health, expo-health
  • Native: HealthKit
• (1.4.1) If medical app, verify disclaimers exist and methodology is disclosed
• (1.4.2) Flag drug dosage calculators — must come from approved entities
• (1.4.3) Scan for tobacco/vape/drug/alcohol encouragement in strings
• (1.4.4) If DUI checkpoint data, verify law-enforcement source only
• (1.4.5) Scan for challenge/bet patterns encouraging risky physical activity

Guideline 1.5 — Developer Information:

• Search for "support", "contact", "help" screens or links in code
• For Expo: check support URL in app.json

Guideline 1.6 — Data Security:

• Check NSAppTransportSecurity in Info.plist — flag NSAllowsArbitraryLoads: YES
• Scan source files (.swift, .dart, .ts, .js, .kt, .cs) for: apiKey, secret, password, token, API_KEY, Bearer
• Check .env files in repo (should be in .gitignore)
• Check google-services.json, GoogleService-Info.plist for exposed keys
• Verify sensitive data uses secure storage:
  • Flutter: flutter_secure_storage (not shared_preferences)
  • RN: react-native-keychain / expo-secure-store (not AsyncStorage)
  • Native: Keychain (not UserDefaults)

Guideline 1.7 — Reporting Criminal Activity:

• If app has crime reporting features, verify law enforcement involvement and geo-restriction

Step 3: Performance Checks (Section 2)

Guideline 2.1 + 2.2 — App Completeness & Beta Testing:

• Search for "beta", "trial", "demo version" in user-facing strings and app name
• (2.1b) If IAP product IDs defined (StoreKit config, product arrays), verify fulfillment code exists
• Scan for TODO, FIXME, HACK comments
• Scan for placeholder text: Lorem ipsum, TODO, placeholder
• Scan for debug code:
  • Flutter: kDebugMode, print() | RN/Expo: __DEV__, console.log() | Native: #if DEBUG, print()
  • All: localhost, 127.0.0.1, staging/dev URLs

Guideline 2.3 — Accurate Metadata:

• Verify required keys in Info.plist / app.json:
  • CFBundleDisplayName/CFBundleName, CFBundleShortVersionString, CFBundleVersion, CFBundleIdentifier
  • Expo: expo.name, expo.version, expo.ios.buildNumber, expo.ios.bundleIdentifier
  • Flutter: pubspec.yaml → name, version
• (2.3.1a) Scan for hidden feature flags: Firebase Remote Config, LaunchDarkly, featureFlag, killSwitch, isHidden
• (2.3.7) Verify app display name ≤ 30 characters
• (2.3.10) Scan for "Android", "Google Play", "Play Store", "Windows Phone" in code/strings/assets
• (2.3.12) Check CHANGELOG.md, fastlane/metadata/*/release_notes.txt — not empty/generic
• Verify all NS*UsageDescription keys exist for used permissions: NSCameraUsageDescription, NSPhotoLibraryUsageDescription, NSMicrophoneUsageDescription, NSLocationWhenInUseUsageDescription, NSLocationAlwaysUsageDescription, NSContactsUsageDescription, NSCalendarsUsageDescription, NSHealthShareUsageDescription, NSHealthUpdateUsageDescription, NSBluetoothAlwaysUsageDescription, NSFaceIDUsageDescription, NSMotionUsageDescription, NSSpeechRecognitionUsageDescription, NSLocalNetworkUsageDescription, NSUserTrackingUsageDescription
• Cross-check: permission-requiring package in deps → corresponding NS*UsageDescription must exist
• Verify descriptions are meaningful (not empty/generic)

Guideline 2.4 — Hardware Compatibility:

• (2.4.1) Check UIDeviceFamily — verify iPad support
• Check UIRequiredDeviceCapabilities
• Scan for hardcoded screen sizes:
  • Flutter: hardcoded width/height instead of MediaQuery
  • RN/Expo: hardcoded dimensions instead of Dimensions API
  • Native: hardcoded CGRect/frame values
• (2.4.2) Scan for crypto mining: coinhive, cryptonight, xmrig, mining pool URLs. Flag unrelated background processing
• (2.4.4) Scan strings for "restart device", "turn off Wi-Fi", "disable" system settings
• (2.4.5) If macOS target: verify sandbox entitlements, no third-party installers, no auto-launch without consent, no license screens

Guideline 2.5 — Software Requirements:

• Check for private/undocumented API usage
• Verify minimum deployment target and deprecated API usage
• (2.5.2) Scan for dynamic code loading: dlopen, NSBundle.load, JavaScriptCore eval of remote scripts, JSPatch, Rollout.io, CodePush native changes, eval() with network content
• (2.5.3) Flag known malicious patterns, suspicious payloads, system file modification
• (2.5.4) Cross-check UIBackgroundModes in Info.plist against actual code usage. Flag declared-but-unused modes
• (2.5.5) Verify no hardcoded IPv4 addresses — must work on IPv6-only networks
• (2.5.6) If browser/webview app, check for WebKit compliance
• (2.5.8) Scan for home screen replacement / custom springboard UIs
• (2.5.9) Scan for volume button overrides, system gesture interception, openURL blocking
• (2.5.11) If INIntent / Intents.intentdefinition / AppShortcutsProvider exists, verify intents match app domain
• (2.5.12) If CallKit / IdentityLookup imported, check for CXCallDirectoryProvider / ILMessageFilterExtension
• (2.5.13) If facial recognition for auth (ARKit/Vision), verify LocalAuthentication is used instead. Check age-gating under 13
• (2.5.14) If ReplayKit / screen recording, verify visible recording indicator in UI
• (2.5.15) If file-picking, verify UIDocumentPickerViewController / PHPickerViewController (includes Files/iCloud)
• (2.5.16) If widget extensions exist, verify no ad SDK imports in widget code
• (2.5.17) If Matter (MatterSupport), verify Apple's framework used for pairing
• (2.5.18) Scan extension targets for ad SDK imports (GoogleMobileAds, FBAudienceNetwork, AdSupport). Verify main app has ad-reporting mechanism if ads present

Step 4: Business Checks (Section 3)

Guideline 3.1 — Payments / In-App Purchase:

• Detect IAP:
  • Native: import StoreKit | Flutter: in_app_purchase, purchases_flutter | RN/Expo: react-native-iap, react-native-purchases
• Flag non-IAP payment for DIGITAL goods:
  • Stripe, PayPal, Braintree for digital content = violation
  • Custom payment forms for feature unlock = violation
  • Crypto payments for digital features = violation
  • (3.1.3e) Physical goods/services outside app → MUST use external payment
• (3.1.1) Scan for "gift card", "voucher", "coupon" + external payment SDK → must use IAP for digital
• (3.1.1) Scan for NFT references (NFT, ERC-721, ERC-1155, OpenSea, Alchemy) — verify ownership doesn't gate features
• Scan for randomized reward/loot box code — verify odds display in UI

Guideline 3.1.2 — Subscriptions & Restore Purchases (Common Rejection):

• Verify Restore Purchases exists:
  • Native: SKPaymentQueue.restoreCompletedTransactions() / StoreKit 2 Transaction.currentEntitlements
  • Flutter: InAppPurchase.instance.restorePurchases() / RevenueCat Purchases.restorePurchases()
  • RN/Expo: RNIap.getAvailablePurchases() / RevenueCat Purchases.restorePurchases()
• (3.1.2a) Verify subscription periods ≥ 7 days (check StoreKit config / period constants)
• (3.1.2b) If multiple tiers, verify upgrade/downgrade handling code
• (3.1.2c) Verify terms (price, period, renewal, cancel) displayed BEFORE purchase button in paywall UI
• Verify free trial terms clearly stated if offered

Guideline 3.1.3 — Other Purchase Methods:

• (3.1.3a) If reader app, verify no IAP prompts for previously purchased content

Guideline 3.1.4 — Hardware-Specific Content:

• If features unlock via hardware (CBCentralManager, EAAccessoryManager), verify no unrelated product purchase required

Guideline 3.1.5 — Cryptocurrencies:

• Detect crypto packages: web3swift, ethers, WalletConnect, solana-swift
• If wallet → flag: must be org account
• Scan for on-device mining code → instant rejection
• If exchange/trading → flag: licensing + geo-restriction required
• (3.1.5v) Scan for "earn tokens", "download to earn", "share to earn" + crypto

Guideline 3.2 — Other Business Model Issues:

• Detect review prompts:
  • Native: SKStoreReviewController | Flutter: in_app_review | RN/Expo: react-native-in-app-review, expo-store-review
• (5.6.1) Flag custom review dialogs (star-rating UI) that bypass system requestReview() API
• Scan for incentivized review patterns
• (3.2.1v) If insurance app → verify free, no IAP
• (3.2.1viii) If trading/investing → flag: must be licensed financial institution
• (3.2.2i) Scan for store-like interfaces, "install" buttons for external apps, itms-services://
• (3.2.2iii) Flag hidden ad views or apps predominantly displaying ads
• (3.2.2viii) Scan for "binary options", "call/put" trading. If CFD/FOREX → flag licensing
• (3.2.2ix) If loan app (search "loan", "APR", "borrow", "lending") → verify APR disclosure, max 36%, repayment > 60 days

Step 5: Design Checks (Section 4)

Guideline 4.1 — Copycats:

• Check bundle ID and app name for trademark issues
• Scan for competing app names in code/resources

Guideline 4.2 — Minimum Functionality (4.2.1–4.2.7):

• (4.2.2) Flag apps that are primarily marketing materials, ad collections, or link aggregators
• Detect web-wrapper apps:
  • Flutter: single WebView widget | RN/Expo: single WebView component | Native: single WKWebView
  • Cordova/Ionic/Capacitor: check for native functionality beyond web shell
• (4.2.1) If ARKit used (ARSession, ARView, ARSCNView), verify rich experience beyond single model placement
• (4.2.3i) Scan for canOpenURL gating core features on other apps
• (4.2.3ii) If large resource download at launch, verify size disclosure + user prompt
• (4.2.6) Scan for template service markers (BuildFire, Appy Pie, GoodBarber, Shoutem)
• (4.2.7) If remote desktop/screen mirroring (VNC, RPScreenRecorder), verify LAN-only, user-owned device

Guideline 4.3 — Spam:

• Verify single bundle ID per app concept

Guideline 4.4 — Extensions (4.4.1–4.4.2):

• Check for extension targets in .xcodeproj / ios/
• (4.4.1) If keyboard extension → verify advanceToNextInputMode() called from UI button
• (4.4.2) If Safari extension → check SFSafariWebsiteAccess — flag All Websites if only specific domains needed
• Verify: keyboard works without full network, doesn't launch other apps; App Clips have no ads

Guideline 4.5 — Apple Sites and Services (4.5.1–4.5.6):

• (4.5.1) Scan for Apple website scraping (apple.com, App Store, iTunes)
• If MusicKit used: verify user-initiated playback, standard controls, no payment gate
  • (4.5.2ii) Flag file-saving on MusicKit content
  • (4.5.2iii) If Apple Music user data accessed, verify purpose string + no ad SDK sharing
• (4.5.3) Scan for bulk push notification patterns, Game Center spam
• (4.5.4) Verify push notifications not required for core functionality, not used for marketing without opt-in
• (4.5.5) If GameKit → verify GKPlayer.gamePlayerID/teamPlayerID not displayed in UI or sent to third parties
• (4.5.6) Check for Apple emoji embedded in binary (PNG/SVG assets)

Guideline 4.7 — Mini Apps / Emulators (4.7.1–4.7.5):

• Detect code execution: JavaScript injection, eval patterns
• (4.7.1) If mini-apps/plugins hosted → verify privacy compliance, content moderation, IAP for digital goods
• (4.7.2) Scan WKScriptMessageHandler / JS bridge — flag native API exposure to embedded content
• (4.7.3) Flag blanket permission grants to embedded content without per-instance consent
• (4.7.4) Verify index/catalog with universal links. Check apple-app-site-association
• (4.7.5) Verify age-gating for content exceeding app's rating

Guideline 4.8 — Login Services (CRITICAL):

• Detect third-party login:
  • Flutter: google_sign_in, flutter_facebook_auth, sign_in_with_apple
  • RN/Expo: @react-native-google-signin, react-native-fbsdk-next, expo-auth-session, expo-apple-authentication
  • Native: Google Sign-In, Facebook Login, ASAuthorizationAppleIDProvider
  • All: OAuth to Google, Facebook, Twitter/X, LinkedIn, Amazon, WeChat
• If ANY third-party login → verify Sign in with Apple exists
• Check for AuthenticationServices framework
• Exceptions: company-only login, education/enterprise SSO, government ID

Guideline 4.9 — Apple Pay:

• Detect: Native PassKit, PKPaymentAuthorizationViewController | Flutter: pay | RN/Expo: @stripe/stripe-react-native Apple Pay, react-native-payments
• If found, verify recurring payment disclosures in UI

Guideline 4.10 — Monetizing Built-In Capabilities:

• Search for paywalls/IAP gates around native device features (camera, push, gyroscope, iCloud, Screen Time)

Step 6: Privacy & Legal Checks (Section 5)

Guideline 5.1.1 — Data Collection & Storage:

• Check PrivacyInfo.xcprivacy existence:
  • Expo: expo-build-properties or config plugin | Flutter: ios/Runner/PrivacyInfo.xcprivacy
• Verify privacy manifest declares: NSPrivacyTracking, NSPrivacyTrackingDomains, NSPrivacyCollectedDataTypes, NSPrivacyAccessedAPITypes
• Check required API reason declarations: file timestamp, boot time, disk space, active keyboard, user defaults APIs
• Flag third-party SDKs needing own privacy manifests
• (5.1.1i) Search for "privacy policy", "privacyPolicy" URL in code/config/settings
• (5.1.1ii) Scan for permission-denial handlers that block premium content
• (5.1.1iii) Flag full PHPhotoLibrary/CNContact access when PHPickerViewController/CNContactPickerViewController alternatives exist
• (5.1.1iv) Verify fallback behavior on permission denial (not full block)
• (5.1.1vii) If SFSafariViewController used, verify not hidden/zero-frame
• (5.1.1viii) Flag web scraping libraries, people-search API integrations
• (5.1.1ix) If banking/healthcare/gambling/cannabis/aviation/crypto domain → flag: must be legal entity

Guideline 5.1.1(v) — Account Deletion (CRITICAL):

• If account creation exists → account deletion MUST exist
• Search for: "delete account", "remove account", "deactivate" in code/strings
  • Flutter: delete account screens/dialogs | RN/Expo: delete account components | Native: delete account views
• Check for server-side deletion API calls

Guideline 5.1.2 — Data Use and Sharing:

• Detect tracking/ad SDKs:
  • Flutter: google_mobile_ads, facebook_audience_network, appsflyer_sdk, adjust_sdk
  • RN/Expo: react-native-google-mobile-ads, react-native-fbsdk-next, react-native-appsflyer
  • Native: AdSupport, AppTrackingTransparency
• If found → verify: AppTrackingTransparency used, NSUserTrackingUsageDescription in Info.plist, ATT prompt before tracking
• (5.1.2ii) Cross-check data collection SDKs with sharing destinations for repurposing
• (5.1.2iii) Flag device fingerprinting: UIDevice property aggregation (model+OS+screen+timezone+language)
• (5.1.2iv) If Contacts/Photos accessed, flag bulk-upload patterns
• (5.1.2v) If contact messaging, verify no "Select All" option, message preview before send
• (5.1.2vi) If HomeKit/ClassKit/ARKit depth data → verify not sent to ad SDKs
• (5.1.2vii) If Apple Pay → verify PKPayment data not shared beyond delivery

Guideline 5.1.3 — Health and Health Research:

• Detect health packages:
  • Flutter: health, flutter_health_connect | RN/Expo: react-native-health, expo-health | Native: HealthKit, CareKit, ResearchKit
• If found → cross-check against ad/marketing SDKs for data sharing. Check for iCloud health data storage
• If research features → verify consent flow UI exists (note as "Manual Check Required" for ethics board)

Guideline 5.1.4 — Kids:

• If app targets children → verify no third-party analytics/ads (see also 1.3)
• Check "For Kids"/"For Children" not in metadata unless Kids Category (Guideline 2.3.8)
• Verify parental gate if Kids Category

Guideline 5.1.5 — Location Services:

• Detect location usage:
  • Flutter: geolocator, location, background_locator
  • RN/Expo: expo-location, react-native-geolocation-service
  • Native: CoreLocation
• Verify purpose strings are descriptive. Check background location justification

Guideline 5.2 — Intellectual Property (5.2.1–5.2.5):

• (5.2.1) Scan for copyrighted assets, third-party trademarks
• (5.2.2) If third-party APIs used (YouTube, Spotify, Google Maps), flag TOS compliance check
• (5.2.3) Scan for ytdl-core, media download from YouTube/SoundCloud/Vimeo. Flag AVAssetExportSession on third-party streams
• (5.2.4) Scan strings for "Apple recommended", "Apple approved", "endorsed by Apple"
• (5.2.5) Scan for Apple emoji in binary assets, UI mimicking Apple apps, Activity ring visualizations

Guideline 5.3 — Gaming, Gambling, and Lotteries (5.3.1–5.3.4):

• Scan for: "bet", "wager", "casino", "poker", "lottery", "sweepstakes" in code/strings
• (5.3.1) If sweepstakes/contests → verify developer is the sponsor
• (5.3.2) If sweepstakes/contests → verify official rules presented in-app stating Apple is not sponsor
• (5.3.3) If gambling features → verify no IAP for credits/currency used in gambling
• (5.3.4) If real-money gaming (sports betting, poker, casino, horse racing) → flag: licensing required, geo-restriction, must be free on App Store

Guideline 5.4 — VPN Apps:

• Detect: Native NetworkExtension, NEVPNManager, NETunnelProviderManager | Flutter: flutter_vpn, wireguard_flutter | RN: react-native-vpn
• If found → flag: must use NEVPNManager, org account required, data disclosure before use

Guideline 5.5 — Mobile Device Management:

• Check for MDM entitlements/profiles → flag: commercial/edu/gov entity only

Guideline 5.6 — Developer Code of Conduct:

• Scan for dark patterns: hidden cancel buttons, misleading free trial UI, fake urgency/scarcity strings
• (5.6.3) Scan for review manipulation: automated submissions, bot patterns, review-farming integrations

Step 7: Common Rejection Quick-Check

1. Crashes — Swift force unwraps (!), Dart ! on nullables, JS unhandled rejections
2. Broken Links — Hardcoded URLs, verify HTTPS
3. Incomplete Config — Required Info.plist / app.json keys
4. Missing Privacy Descriptions — All NS*UsageDescription for used permissions
5. No Privacy Policy URL — Search "privacy policy" in code/config
6. Debug Code — print()/console.log(), staging URLs, localhost
7. Hardcoded Credentials — API keys, tokens, .env files
8. Missing Sign in with Apple — When third-party login exists
9. Missing Account Deletion — When account creation exists
10. Missing Privacy Manifest — PrivacyInfo.xcprivacy

Output Format

# App Store Review Compliance Report

## Project Summary
- **App Name:** [name]
- **Bundle ID:** [id]
- **Framework:** [detected framework]
- **Deployment Target:** [version]
- **Platforms:** [iOS/iPadOS/macOS]

## Critical Issues (Will Likely Cause Rejection)

### [CRITICAL] Guideline X.X.X — [Title]
**Issue:** [Description]
**Location:** [File:Line]
**Fix:** [Framework-specific fix]

## Warnings (May Cause Rejection)

### [WARNING] Guideline X.X.X — [Title]
**Issue:** [Description]
**Location:** [File:Line]
**Fix:** [Recommended fix]

## Recommendations (Best Practices)

### [INFO] Guideline X.X.X — [Title]
**Suggestion:** [Description]

## Checklist Summary
- [ ] Project type & framework detected
- [ ] Info.plist / app.json metadata complete
- [ ] App display name ≤ 30 characters
- [ ] No references to other mobile platforms
- [ ] All NS*UsageDescription keys present
- [ ] No hardcoded secrets or API keys
- [ ] App Transport Security configured
- [ ] Privacy manifest present and complete
- [ ] Privacy policy URL in app
- [ ] Data minimization — pickers over full access
- [ ] Sign in with Apple (if third-party login)
- [ ] Account deletion (if account creation)
- [ ] IAP for digital goods
- [ ] Restore Purchases exists (if IAP/subscriptions)
- [ ] Subscription terms before purchase
- [ ] No debug/test code in production
- [ ] No placeholder/TODO content
- [ ] No beta/trial/demo labels
- [ ] No dynamic code loading / hot-patching
- [ ] Background modes match actual usage
- [ ] No ads in extensions/widgets/App Clips
- [ ] ATT implemented (if tracking/ad SDKs)
- [ ] UGC moderation (if UGC exists)
- [ ] Support URL accessible in-app
- [ ] No on-device crypto mining
- [ ] No dark patterns in purchase flows
- [ ] No illegal media downloading

## Final Verdict
READY / NEEDS FIXES / HIGH RISK — with summary

Important Notes

• Be thorough but avoid false positives
• Always reference the specific guideline number
• Provide framework-specific fix suggestions
• If something cannot be determined from code, note as "Manual Check Required"
• Consider app context — a medical app has different requirements than a game
• For cross-platform projects, check BOTH shared code AND iOS native layer