Techniques used by developers to bypass App Store review

Perceived (In)Effectiveness of App Store Review

  • Many see Apple’s review as “security theater”: it blocks some obvious abuses yet lets piracy, scammy subscriptions, and shady apps through.
  • Others argue no review system can be perfect; all security is probabilistic and incomplete.
  • Several note the scale problem: a small reviewer staff handling ~100k apps/week implies only minutes of attention per app.

Common Evasion Techniques

  • Time‑based “logic bombs”: ship a benign version, then unlock hidden behavior (e.g., new navigation paths, file access) days or weeks after approval.
  • Environment detection: geofencing Apple locations, fingerprinting reviewer devices/IPs, or special login codes so reviewers see fake screens while real users see the true behavior.
  • Server‑side flags: apps call home with version/build; backend decides when to enable “secret” features (e.g., alternative payment flows, piracy features) after review passes.
  • Hidden UIs: obscure gestures or codes (e.g., tap logo, enter specific numbers) reveal streaming or piracy functionality.
  • Certificate/IPA gray market: resold signing certificates and IPA files, plus Telegram channels, distribute signed apps outside the review process entirely.

Dynamic Code, Webviews, and Feature Flags

  • Apple’s rules allow some interpreted code as long as it doesn’t change the app’s primary purpose or turn the app into a storefront for other apps or code.
  • Commenters claim most live‑service games and many apps regularly pull down new logic, effectively bypassing review in practice.
  • Feature‑flag systems and webview‑only apps are seen as powerful, semi‑legitimate ways to ship new behavior without re‑review.

Legitimate Developers vs Rule‑Breakers

  • Several developers describe strict enforcement and repeated rejections for compliant apps, while obvious rule‑breakers remain in the store.
  • Support is described as opaque and uninterested in reports of competitors violating rules; bug reporting tools are seen as black holes.

Security, “Theater,” and Enforcement

  • Some argue piracy apps themselves aren’t inherently “malicious,” though others respond that if piracy apps can bypass rules, true malware can too.
  • There is debate on detectability: some say logic‑bomb style tricks are fundamentally unpreventable; others think static analysis could at least flag suspicious server‑gated code, though that risks high false positives.

Power, Profits, and Platform Control

  • A large subthread debates whether Apple’s control and 30% cut are justified by promised safety and curation, or mainly protect profits and entrench a duopoly.
  • Some want DMA‑style regulation and sideloading; others defend the walled garden as an informed user choice and accept its constraints for convenience and perceived safety.