From the PTKD Journal
Field notes on mobile app security.
What we're learning from scanning real APKs and IPAs — the patterns that recur, the controls that hold up, and where the new wave of AI-coded apps is breaking older assumptions.

Latest · App Store
App Store Rejection Guideline 4.3 Spam: Fixing White-Label & Template Apps
Guideline 4.3 spam rejection for a white-label or template app: why it happens, the 4.2.6 account rule, whether design changes are enough, and how to fix it.
Laurens Dauchy · June 30, 2026 · 12 min read
More posts
- App Store11 min
App Store : Pourquoi Votre App est "En Attente d'Examen" Longtemps ?
Pourquoi votre app reste longtemps 'En attente d'examen' sur l'App Store, ce qui détermine votre place dans la file et quand demander un examen accéléré.
Laurens Dauchy · June 30, 2026
- Google Play11 min
How to Remove App from Google Play Console Permanently
Remove an app from Google Play Console: unpublishing vs deleting, whether a published app can be deleted, what happens to existing users, and why ghost apps remain.
Laurens Dauchy · June 30, 2026
- Google Play12 min
Mi Actualización de Google Play está Atorada en Estado "Pendiente"
Actualización de Google Play atorada en Pendiente: qué significa, por qué ocurre, la publicación gestionada, qué revisar y cuándo escalar.
Laurens Dauchy · June 30, 2026
- App Store11 min
TestFlight Status Meanings: Waiting for Review vs Ready to Test
What Waiting for Review and Ready to Test mean in TestFlight, how long each status lasts, whether to wait or resubmit, and when to contact support.
Laurens Dauchy · June 29, 2026
- App Store11 min
How to Delete an Apple Developer Account Completely
There is no one-click delete for an Apple Developer account. Turn off auto-renewal to let the membership lapse, or contact support. Transfer apps first; the fee is not refunded.
Laurens Dauchy · June 29, 2026
- App Store11 min
How Long Does it Take to Get a DUNS Number for Apple?
How long a DUNS number takes for Apple: instant if you have one, up to about five business days via Apple, whether you can expedite it, and what if the lookup fails.
Laurens Dauchy · June 29, 2026
- App Store9 min
テスト中アプリが止まる!TestFlight(90日間)の有効期限と延長策
TestFlightのビルドは最大90日で期限切れになります。直接の延長はできず、新しいビルドで置き換えるのが唯一の方法です。仕組み、状態の早見表、期限切れを防ぐ手順を解説します。
Laurens Dauchy · June 29, 2026
- App Store11 min
¿Apple Aprueba Aplicaciones Fines de Semana y Feriados? (Horarios de Revisión)
¿Apple aprueba apps los fines de semana y feriados? Sí, la revisión sigue activa. Si conviene enviar un viernes, qué feriados afectan y cuándo escalar.
Laurens Dauchy · June 29, 2026
- Security12 min
Preventing Screenshots with FLAG_SECURE on Android (and the iOS Equivalent)
Android FLAG_SECURE blocks screenshots and screen recording; iOS has no direct equivalent. What each platform can do, where both fail, and how to test it.
Laurens Dauchy · June 29, 2026
- Google Play11 min
How Long Does Closed Testing Take on Google Play?
How long closed testing takes on Google Play: the 14-day rule, the 12-tester requirement, internal vs closed testing, and why it often takes longer than two weeks.
Laurens Dauchy · June 29, 2026
- AI-coded apps12 min
NEXT_PUBLIC_SUPABASE_ANON_KEY Exposed in Client
NEXT_PUBLIC_SUPABASE_ANON_KEY in your client bundle is expected and safe with RLS. How the NEXT_PUBLIC_ prefix works and why you must never expose the secret key.
Laurens Dauchy · June 28, 2026
- Builders11 min
Expo EAS Build Stuck on Compressing Project Files
Expo EAS build stuck on compressing project files? The archive is too large. How to use a .easignore, whether your assets are too big, and what to exclude.
Laurens Dauchy · June 28, 2026
- Google Play12 min
New Developer Rule: Passing the Google Play 14-Day Closed Test
Google Play's 14-day closed test needs 12 testers opted in for 14 continuous days. You can't bypass or speed it up, and time to publish is the 14 days plus review.
Laurens Dauchy · June 28, 2026
- Google Play12 min
How to Un-Suspend Google Play Developer Account
The only way to un-suspend a Google Play developer account is to appeal. When appeals work, why a new LLC to evade a termination fails, and the 180-day deadline.
Laurens Dauchy · June 27, 2026
- Android12 min
Android Deep Link Security Vulnerabilities Explained
Android deep link vulnerabilities: unverified custom schemes can be hijacked by another app, and link input is untrusted. App Links and validation are the fixes.
Laurens Dauchy · June 27, 2026
- Google Play12 min
Why Isn't My Google Play App Update Showing in Store?
Play Console says Published but the update is not showing? It takes hours to propagate and the Play Store caches listings. Staged rollout and refresh explained.
Laurens Dauchy · June 27, 2026
- App Store11 min
Metadatos Connect: ¿Es la URL de Soporte Obligatoria en el App Store?
¿Es obligatoria la URL de soporte en App Store Connect? Sí. Qué debe contener, en qué se diferencia de la de marketing y privacidad, y cómo evitar un rechazo.
Laurens Dauchy · June 27, 2026
- Google Play12 min
How to Speed Up Google Play Review Times
You can't expedite a Google Play review, but you can avoid what slows it down. Clean metadata, minimal permissions, and passing first time keep review time short.
Laurens Dauchy · June 27, 2026
- Security10 min
A Chave Pública
A chave pública é a metade partilhável de um par de chaves. Saiba o que faz, como difere da privada e porque é segura para incorporar numa app.
Laurens Dauchy · June 27, 2026
- AI-coded apps13 min
How to Fix Exposed API Keys in Android Apps
Exposed an API key in your Android app? Rotate it now, because APKs decompile. Why BuildConfig won't hide it, and how a backend proxy actually fixes it.
Laurens Dauchy · June 26, 2026
- AI-coded apps12 min
How to Stop Cursor AI from Hardcoding API Keys to GitHub
Stop Cursor AI hardcoding API keys to GitHub: .env configuration and prevention layers, and if a key leaked, rotate first then purge history with BFG Repo Cleaner.
Laurens Dauchy · June 26, 2026
- Google Play11 min
Google Play Console Review-Dauer (Wie Lange Dauert Ein Update?)
Wie lange ein Google-Play-Update dauert, wie viel Puffer du einplanen solltest, was die Prüfung verlangsamt und wann du den Support kontaktierst.
Laurens Dauchy · June 26, 2026
- App Store11 min
Apple Tax and Banking Status: Active vs Pending
Apple App Store Connect tax and banking Active vs Pending: what each means, the US tax forms required, how long bank verification takes, and why it stays Pending.
Laurens Dauchy · June 26, 2026
- App Store11 min
TestFlight External Testing Waiting for Review: How Long?
How long TestFlight external testing stays in Waiting for Review, whether external needs a full review, and whether you can skip it (internal testers can).
Laurens Dauchy · June 26, 2026
- App Store10 min
App Storeの「審査中」が長い!理由と早める対処法(2026版)
App Storeの「審査中」が長い理由と、普通どれくらいかかるか、審査を早める方法、再提出の影響、そして遅いときの対処法とサポート連絡の目安をまとめます。
Laurens Dauchy · June 26, 2026
- App Store11 min
What Does "In Review" Mean in App Store Connect?
What In review means in App Store Connect: whether a human is testing your app, how long the status lasts, how it differs from Waiting for Review, and what to do.
Laurens Dauchy · June 26, 2026
- Security13 min
Bypass SSL Pinning Android (Frida + Objection)
SSL pinning on Android is bypassable on a rooted device. What Objection is, the authorized test setup, why client-side pinning fails, and how to harden it.
Laurens Dauchy · June 26, 2026
- App Store11 min
What is the App Store Connect Copyright Field?
The App Store Connect copyright field explained: what format to use, what not to include, and whether it affects App Store review.
Laurens Dauchy · June 26, 2026
- App Store12 min
Revisión de Apple en Fin de Semana: ¿Aprueban Apps los Sábados?
¿Apple aprueba apps los fines de semana? Sí: la App Review funciona los siete días. Qué esperar el sábado, si es más lento, los festivos y cuándo escalar.
Laurens Dauchy · June 26, 2026
- Security12 min
Android Root Detection Bypass Without Magisk
Bypass Android root detection without Magisk: Frida hooks, Xposed/LSPosed modules, and APK patching all defeat client checks. The durable fix is Play Integrity.
Laurens Dauchy · June 25, 2026
- App Store13 min
How to Fix Guideline 5.1.1 Data Collection & Storage
A 5.1.1 rejection can mean several things. How to identify which sub-issue you hit, from purpose strings to account deletion, labels, and ATT, and fix that one.
Laurens Dauchy · June 25, 2026
- App Store12 min
TestFlight Processing Taking Too Long? (Status Checker & Fixes)
TestFlight processing taking too long? How long it should take, whether a missing Info.plist key causes a hang, how to check status, and when to re-upload.
Laurens Dauchy · June 25, 2026
- App Store10 min
L'App Store Connect prend-il en compte la review le week-end en 2026?
Oui, App Store Connect examine les apps tous les jours, week-ends compris. Apple examine 90% des envois en moins de 24 heures, sans jour d'arrêt.
Laurens Dauchy · June 25, 2026
- Security12 min
Guía de Permisos Peligrosos en Android (Android Dangerous Permissions)
Cómo funcionan los permisos peligrosos de Android, dónde fallan, cómo probarlos de forma segura y qué controles de OWASP MASVS aplican, con guía de remediación.
Laurens Dauchy · June 25, 2026
- Google Play12 min
Google Play App Update Stuck 'Under Review' (Developer Fixes)
Google Play update stuck under review? Whether a standard update takes 24 hours, if closed testing slowed it, how policy changes hold updates, and the fixes.
Laurens Dauchy · June 24, 2026
- AI-coded apps11 min
Supabase Service Role Key Exposed: Immediate Fix Guide
An exposed Supabase service_role key is a full database breach because it bypasses Row Level Security. How to rotate it now, assess the leak, and stop it recurring.
Laurens Dauchy · June 24, 2026
- App Store11 min
TestFlight Invite Code Not Working (Troubleshooting)
A TestFlight invite code that won't work is almost always an Apple ID mismatch or an already-redeemed or expired code. Sign in with the invited Apple ID or get a new one.
Laurens Dauchy · June 24, 2026
- Google Play11 min
Google Play Console: Die Echte "Review-Dauer" Für App Updates 2026
Wie lange die Google-Play-Prüfung für App-Updates 2026 wirklich dauert, was sie verlangsamt, ob ein erneuter Upload zurücksetzt und wann du den Support kontaktierst.
Laurens Dauchy · June 23, 2026
- Security13 min
Bypass Screenshot Defenses: Can Attackers Defeat View Once APIs?
Can attackers defeat view-once and screenshot defenses? FLAG_SECURE blocks mirroring but not a camera or root. Why ephemeral content is a deterrent, not a guarantee.
Laurens Dauchy · June 22, 2026
- App Store12 min
Fastlane Timeout: What To Do When IPA Uploads Stuck in Processing
Fastlane IPA upload stuck in Processing: what the status means, how long it should take, whether to wait or resubmit, and the exact steps to unblock it.
Laurens Dauchy · June 22, 2026
- AI-coded apps12 min
Lovable App Security: Fixing the Exposed Supabase Service Role Key
How to fix an exposed Supabase service_role key in a Lovable app: rotate it, move it to a server-side Edge Function, enforce RLS, and verify the fix.
Laurens Dauchy · June 22, 2026
- App Store12 min
Can You Speed Up App Store Review? (Expedited Requests)
Can you speed up App Store review? Yes, via an expedited request. What qualifies, whether critical bug fixes count, what does not, and how to request it.
Laurens Dauchy · June 22, 2026
- Security13 min
Seguridad en Apps: Pineado de Certificados y Estándares OWASP MASVS vs MASTG
Pineado de certificados y OWASP: la diferencia entre MASVS y MASTG, qué control aplica, condiciones de bypass, cómo probarlo de forma segura y la remediación.
Laurens Dauchy · June 22, 2026
- Google Play12 min
Fixing the Google Play "Changes Are Being Reviewed" Stuck Loop
Google Play stuck on Changes are being reviewed: why it stalls on testing tracks, the Managed publishing gotcha, and whether pushing an update overwrites it.
Laurens Dauchy · June 22, 2026
- App Store12 min
TestFlight Says No Builds Available (But I Uploaded One)
TestFlight says no builds available after uploading? Usually the build is still processing, has missing export compliance, or is not assigned. Not a 24-hour wait.
Laurens Dauchy · June 21, 2026
- App Store10 min
TestFlight goedkeuring tijd
De TestFlight-goedkeuringstijd hangt af van de tester: interne testers slaan de review over, externe testers wachten voor de eerste build rond 24 uur.
Laurens Dauchy · June 21, 2026
- Security12 min
How to Decompile APK to Java Source Code
How to decompile an APK to Java: jadx vs dex2jar, what ProGuard and R8 obfuscation actually do, what decompiling reveals, and how to protect your own app.
Laurens Dauchy · June 21, 2026
- Google Play11 min
Google Play 12 Testers Requirement Exceptions (Formerly 20)
Google Plays closed-testing rule (now 12 testers, 14 days, down from 20) applies only to personal accounts made after Nov 13, 2023. Org and older accounts are exempt.
Laurens Dauchy · June 21, 2026
- Google Play12 min
Why Managed Google Play Apps Stay Stuck on Pending
Managed Google Play apps stuck on Pending: whether the device network is restricted, what causes MDM Play Store blockages, compliance holds, and how to fix each.
Laurens Dauchy · June 21, 2026
- Security13 min
How to Fix Unsafe Cryptographic Encryption in Android
Google Play flagged unsafe cryptographic encryption? It's usually AES/ECB. Switch to authenticated AES/GCM with a random nonce, SecureRandom, and the Keystore.
Laurens Dauchy · June 21, 2026
- Google Play12 min
Google Play Identity Verification Failed: How to Fix
Google Play identity verification failed? Usually it's an unreadable photo, an unsupported document, or a D-U-N-S mismatch. How to fix each and resubmit.
Laurens Dauchy · June 21, 2026
- App Store12 min
Does TestFlight Review Apps on Weekends?
Yes, TestFlight's Beta App Review runs on weekends, but only external testing is reviewed and weekends can be slower. Internal testing needs no review at all.
Laurens Dauchy · June 21, 2026
- App Store11 min
App Store Pricing Schedule Pending Meaning
App Store pricing schedule pending means a price change is scheduled but not yet applied, waiting for its start date or propagating up to 24 hours. It is normal.
Laurens Dauchy · June 20, 2026
- AI-coded apps12 min
Is Row Level Security Necessary in Supabase?
Yes, Row Level Security is necessary for any Supabase table your app can reach. Without it, the public anon key can read, change, and delete all your data.
Laurens Dauchy · June 20, 2026
- App Store12 min
Does Apple Ban Your Account for 4.3 Spam?
Does a 4.3 spam rejection ban your Apple Developer account? What guideline 4.3 means, when your account is actually at risk, and how to fix or appeal it.
Laurens Dauchy · June 20, 2026
- App Store12 min
TestFlight Verarbeitung Dauert Extrem Lange: 4 Sofort-Lösungen
TestFlight-Verarbeitung dauert extrem lange? Prüfen Sie zuerst den Apple System Status, und laden Sie bei echtem Feststecken eine neue Build-Nummer hoch.
Laurens Dauchy · June 19, 2026
- App Store11 min
'Developer Action Required' on App Store Subscriptions & In-App Purchases
Developer Action Required on an in-app purchase means Missing Metadata: usually a missing review screenshot, localized description, or expired Paid Apps agreement.
Laurens Dauchy · June 19, 2026
- App Store12 min
How to Downgrade an App Version in App Store Connect
You cannot directly downgrade a version in App Store Connect. The fix: ship a higher-numbered build with old code, expedite it, and pause the phased release.
Laurens Dauchy · June 18, 2026
- App Store12 min
App Store Rejection 4.3 Spam: How to Fix (Especially AI Apps)
App Store Guideline 4.3 spam rejection, especially for AI apps: what it means, whether you must change the UI, if your account is safe, and how to fix or appeal.
Laurens Dauchy · June 18, 2026
- App Store11 min
How to Bypass TestFlight 90 Day Limit
You cannot extend a TestFlight build past 90 days; Apple expires it by design. Automate fresh uploads with Fastlane, or use Apple Business Manager custom apps long-term.
Laurens Dauchy · June 18, 2026
- Google Play11 min
How Long Does Production Review Take? (Google Play)
How long Google Play production review takes: hours to days for an established app, up to about seven days for a first release, and whether closed testing helps.
Laurens Dauchy · June 18, 2026
- AI-coded apps12 min
Lovable & Low-Code Vulnerabilities: How Bots Exploit Exposed Supabase Keys
Which Supabase key exposure matters in Lovable and low-code apps, what bots do with a leaked service_role key or missing RLS, and how to rotate and fix it.
Laurens Dauchy · June 18, 2026
- App Store11 min
TestFlight Confusions: External Pending Review vs Ready to Test Explained
The difference between Waiting for Review and Ready to Test in TestFlight, why your external build is stuck, and the exact steps to move it forward.
Laurens Dauchy · June 17, 2026
- OWASP MASVS12 min
OWASP MASVS: Best Mobile Vulnerability Scanners
The best OWASP MASVS mobile vulnerability scanners compared: MobSF, instrumentation, commercial suites, and build scanners, plus static vs dynamic and how to choose.
Laurens Dauchy · June 17, 2026
- Google Play12 min
Google Play Update Rejected But Old Version Still Available
Google Play rejected your update but the old version is still live? The rejection did not remove your app. When you must act fast and whether you'll be banned.
Laurens Dauchy · June 17, 2026
- Android12 min
How to Fix Insecure Data Storage in Android
Fix insecure data storage in Android: store secrets server-side, encrypt with a Keystore key, use internal storage. Plus why plain SharedPreferences is unsafe.
Laurens Dauchy · June 17, 2026
- App Store11 min
App Store Review Taking Too Long? (Why & How to Fix)
How long App Store review normally takes, why yours is slow, whether you can expedite it, if resubmitting restarts the clock, and when to contact Apple.
Laurens Dauchy · June 17, 2026
- Security12 min
Android Runtime Permissions (Official Docs Simplified)
Android runtime permissions explained: manifest vs runtime, protection levels, the dangerous permissions list, how to request them, and how to handle denial.
Laurens Dauchy · June 17, 2026
- App Store11 min
Why Does App Store Connect Say Prepare for Submission?
Prepare for Submission is the editable draft state of a version you haven't submitted yet. It doesn't mean review failed. Add a build and metadata, then submit.
Laurens Dauchy · June 16, 2026
- App Store12 min
How to Fix Error ITMS-90034: Missing or Invalid Signature
Fix ITMS-90034 missing or invalid signature: check for an expired certificate, a provisioning profile mismatch, or the wrong certificate type, then re-sign.
Laurens Dauchy · June 16, 2026
- Security11 min
Insecure Firebase Database: How Mobile Scanners Read Rules
An insecure Firebase database flag means open rules (allow read, write: if true), not an exposed URL. Scanners test the database directly. Fix the rules, not the URL.
Laurens Dauchy · June 16, 2026
- Google Play12 min
How Long Does Google Play Identity Verification Take?
How long Google Play identity verification takes, why a D-U-N-S number is the long pole for organizations, why it fails, and how to fix a mismatch.
Laurens Dauchy · June 16, 2026
- Google Play12 min
Google Play Target API Level Requirements 2026
Google Play requires new apps and updates to target Android 15 (API 35) since Aug 31, 2025. Where to set it, Android 14's role, and how to get an extension.
Laurens Dauchy · June 16, 2026
- AI-coded apps12 min
Is it Safe to Put Firebase Config in React Native?
Yes, the Firebase config (apiKey included) is safe in React Native: it is an identifier, not a secret. Security Rules protect your data, not hiding the config.
Laurens Dauchy · June 15, 2026
- Google Play12 min
Google Play "Changes Are Being Reviewed": Wait or Resubmit?
Google Play frozen on Changes are being reviewed: what it means, how long is normal, whether to wait or resubmit, unblock steps, and when to contact support.
Laurens Dauchy · June 15, 2026
- App Store11 min
Promotional Text vs Description (App Store Connect)
Promotional text vs description in App Store Connect: which is indexed for search, which you can change without an app update, their limits, and when to use each.
Laurens Dauchy · June 15, 2026
- Google Play13 min
Google Play Console Suspension Appeal Template
A Google Play suspension appeal template plus what to say to reviewers and whether to admit fault. Be specific, factual, and submit one clear appeal.
Laurens Dauchy · June 14, 2026
- App Store11 min
Is App Store Connect EU Trader Status Required?
App Store Connect EU trader status under the DSA: who needs it, whether your phone number is shown publicly, what happens if you skip it, and how to set it.
Laurens Dauchy · June 14, 2026
- App Store10 min
TestFlight Atascado en "Esperando Revisión" (Causas y Solución)
Qué significa 'Esperando revisión' en TestFlight, cuánto es normal esperar, por qué se atasca, si reenviar ayuda y cuándo escalar con Apple.
Laurens Dauchy · June 14, 2026
- AI-coded apps12 min
Lovable App Supabase RLS Bypass (CVE-2025-48757 Fix)
CVE-2025-48757 exposed 170+ Lovable apps through missing Supabase RLS. Which keys are safe, the (select auth.uid()) trap, and the exact steps to patch and verify.
Laurens Dauchy · June 14, 2026
- iOS12 min
iOS Screenshot Prevention in SwiftUI (Is it Possible?)
Can you prevent screenshots in SwiftUI? iOS has no prevention API. The secure text entry workaround, ScreenShieldKit, detection, and their limits for DRM apps.
Laurens Dauchy · June 13, 2026
- App Store11 min
How to Fix Guideline 4.2 (Design: Minimum Functionality)
How to fix an App Store Guideline 4.2 (Minimum Functionality) rejection: why webview and thin apps get rejected, and how to add native features and lasting value.
Laurens Dauchy · June 13, 2026
- Google Play12 min
Android Keystore Corrupted: How to Recover
A corrupted Android keystore is integrity-protected, so hex fixes fail. Restore an intact .jks from backup or CI, or reset the upload key via Play App Signing.
Laurens Dauchy · June 12, 2026
- Google Play11 min
What Happens If You Don't Update Target API Level?
Not updating your Google Play target API level won't remove your app, and current users keep it. But you can't publish updates and lose new users on newer devices.
Laurens Dauchy · June 12, 2026
- Google Play11 min
Google Play: Por qué Tu App Quedó Semanas “Pendiente” (Guía Rápida)
Tu app lleva semanas 'pendiente' en Google Play. Qué significa, cómo influye la antigüedad de la cuenta, qué puedes hacer manualmente y cuándo contactar a soporte.
Laurens Dauchy · June 12, 2026
- Google Play12 min
How to Appeal Google Play Developer Account Termination
How to appeal a Google Play account termination: what to write in the form, whether human reviewers read it, what improves your chances, and how to set expectations.
Laurens Dauchy · June 12, 2026
- App Store11 min
App Store Connect Screenshots Upload Failed (Dimensions)
App Store Connect screenshot upload failing? The usual causes are an alpha channel and wrong exact pixel dimensions. Flatten the image and match the size.
Laurens Dauchy · June 12, 2026
- AI-coded apps12 min
How to Run a Bolt.new App Security Scan
How to run a security scan on a Bolt.new app: the common vulnerabilities, checking security headers and CORS, and the tool categories that cover the whole app.
Laurens Dauchy · June 12, 2026
- AI-coded apps12 min
Replit App Exposed Database: How to Secure It
Replit app exposed its database? Why a .env in a public repl is not private, how to use Replit Secrets, set up RLS, and rotate exposed credentials.
Laurens Dauchy · June 12, 2026
- Builders12 min
Is Supabase Safe for Enterprise Apps? (Security Audit)
Yes, Supabase is enterprise-safe when configured right: SOC 2 Type 2 certified, HIPAA compliant with a BAA, Postgres-based. RLS is enough if enabled on every table.
Laurens Dauchy · June 12, 2026
- App Store11 min
Revisión en App Store: ¿Apple Aprueba Apps los Fines de Semana?
¿Apple revisa y aprueba apps los fines de semana? Sí, la revisión funciona a diario. Cuánto tarda, la única excepción real y qué hacer si se alarga.
Laurens Dauchy · June 11, 2026
- Google Play11 min
What Does "In Review" Status Mean on Google Play?
What In review means on Google Play: whether a human or a bot reviews your app, how long it takes, how it compares to other statuses, and what to do while you wait.
Laurens Dauchy · June 11, 2026
- App Store11 min
How to Fix a "Metadata Rejected" Status in App Store Connect
Fix a Metadata Rejected status in App Store Connect: why you do not re-upload the binary, what screenshots and text trigger it, and how to correct and resubmit.
Laurens Dauchy · June 11, 2026
- Google Play12 min
How Long Does Google Play Review Take? (2026 Timeline)
How long Google Play review takes in 2026 by scenario: updates vs first submissions, new vs established accounts, testing tracks, and what slows it down.
Laurens Dauchy · June 11, 2026
- Security12 min
How to Prevent Android Screenshots using FLAG_SECURE
How FLAG_SECURE blocks Android screenshots and screen recording, whether it still works on Android 14+, where it fails, and how to test and remediate it.
Laurens Dauchy · June 11, 2026
- App Store11 min
How Long Does an Apple Developer Account Investigation Take?
How long an Apple Developer account investigation takes, why it happens, whether you can appeal, and what to do and avoid while Apple reviews your account.
Laurens Dauchy · June 11, 2026
- Google Play13 min
Google Play Protect False Positive Malware Appeal Guide
Play Protect flagged your legitimate app as malware? Find the trigger, usually a third-party SDK, remove it, and appeal the false positive with a clean build.
Laurens Dauchy · June 11, 2026
- Google Play12 min
How to Bypass Google Play 20 Testers (Is it Possible?)
Can you bypass Google Play's testers requirement? Not for personal accounts, but an organization account is a legitimate route. Faking testers risks a ban.
Laurens Dauchy · June 10, 2026
- App Store10 min
L'App Update App Store bloqué pendant 48 heures: Action de développeur requise
Action de développeur requise veut dire qu'Apple attend une action de vous, pas l'inverse. Le statut ne se débloque pas en attendant: corrigez et renvoyez.
Laurens Dauchy · June 10, 2026
- Google Play12 min
App Signing Failed Google Play Console (Fixes)
App signing failed in Google Play Console usually means a toolchain mistake: run zipalign before apksigner, and sign with apksigner (v2+), not jarsigner (v1 only).
Laurens Dauchy · June 10, 2026
- Google Play12 min
Does Google Play Review Apps on Weekends?
Does Google Play review apps on weekends? Yes, automated review runs continuously. When human review and holidays add delay, and when to escalate.
Laurens Dauchy · June 9, 2026
- Builders12 min
Is Firebase More Secure Than Supabase? (Security Rules vs RLS)
Neither Firebase nor Supabase is inherently more secure; both are breached by leaving the database open. Firebase Security Rules and Supabase RLS compared.
Laurens Dauchy · June 9, 2026
- Google Play12 min
How Long Does Open Testing Approval Take in the Play Console?
How long open testing approval takes in the Play Console: usually hours to 7 days, why new accounts need production access first, and when to escalate.
Laurens Dauchy · June 9, 2026
- App Store12 min
How Long Does Apple Tax and Banking Review Take?
Apple tax and banking setup is usually processed within about a day, not a long review. Typical timing, W-8BEN forms, Active vs Pending, and when to escalate.
Laurens Dauchy · June 9, 2026
- Google Play11 min
Google Play: Solución Para Actualizaciones "Atascadas en Revisión"
Tu actualización lleva días o semanas atascada en revisión en Google Play. Qué significa, cuándo es demasiado, si esperar o reenviar, y los pasos para desatascarla.
Laurens Dauchy · June 9, 2026
- Security13 min
Is React Native Secure for Banking Apps?
Is React Native secure for banking apps? Yes, with native modules for sensitive work, secrets kept out of the JS bundle, JSI care, and OWASP MASVS compliance.
Laurens Dauchy · June 9, 2026
- Google Play12 min
Google Play Console App Signing Key Lost (Recovery)
Lost your Google Play signing key? A lost upload key is recoverable with a reset; a lost app signing key with no Play App Signing is not. How to tell and recover.
Laurens Dauchy · June 9, 2026
- App Store11 min
What Does "Pending Developer Release" Mean?
Pending Developer Release means your app is approved and waiting for you to release it manually. It will not auto-launch, and it stays pending until you release it.
Laurens Dauchy · June 8, 2026
- AI-coded apps12 min
Unsafe Metadata Exposed in Low-Code / Clerk AI App Deployments
Clerk unsafeMetadata is client-writable, so gating paid tiers or roles on it lets users self-promote. Move authorization to publicMetadata, enforce it server-side.
Laurens Dauchy · June 8, 2026
- Google Play12 min
Can I Buy 20 Testers for Google Play? (Risks & Rules)
Can you buy testers for Google Play? The requirement is now 12 for 14 days, and fake testers risk your account. Here are the rules and safer options.
Laurens Dauchy · June 8, 2026
- AI-coded apps12 min
Can ChatGPT Write Secure Android Code? (Security Audit)
ChatGPT writes working Android code but not reliably secure code: it reproduces weak crypto, hardcoded keys, and outdated dependencies. Audit its output against OWASP MASVS.
Laurens Dauchy · June 7, 2026
- Builders12 min
How to Migrate from Firebase to Supabase
Migrating Firebase to Supabase moves data, auth users, storage, and rules. Port users with their passwords; rewrite Firebase Rules as RLS, enabled before import.
Laurens Dauchy · June 7, 2026
- App Store12 min
TestFlight: Waiting for Review vs Ready to Test (Public Link & Approval)
Waiting for Review vs Ready to Test in TestFlight: why your public link is inactive, why external builds trigger a review, and whether Ready means approved.
Laurens Dauchy · June 6, 2026
- App Store10 min
審査待ち:2026年のTestFlight(テストフライト)外部テスト承認はどれくらいかかりますか?
TestFlight外部テストの承認は、新しいバージョンの最初のビルドでおおむね24時間。内部テスターは審査が不要で処理後すぐ配信できます。
Laurens Dauchy · June 6, 2026
- AI-coded apps13 min
Lovable App Leaked Users Data (CVE-2025-48757)
The Lovable data leak (CVE-2025-48757): what caused it, why the exposed anon key was not the bug, how to patch Row Level Security, and how to check if you are affected.
Laurens Dauchy · June 6, 2026
- App Store11 min
App Store : Pourquoi Votre App est "En Attente d'Examen" Longtemps ?
Votre app reste bloquée 'En attente d'examen' sur l'App Store: comment distinguer une attente normale d'un vrai blocage, ce qui le cause et comment le débloquer.
Laurens Dauchy · June 6, 2026
- OWASP MASVS13 min
OWASP MASVS Level 2 Requirements Checklist
OWASP MASVS Level 2 is defense-in-depth for sensitive apps. What it requires, how v2.0 restructured the levels, hardware-backed keystores, and root detection.
Laurens Dauchy · June 5, 2026
- Google Play12 min
Google Play Closed Testing Opt-In Link Not Working (Fixes)
Google Play closed testing opt-in link returning a 404? It usually means the account is not a recognized tester or the change hasn't synced. Causes and fixes.
Laurens Dauchy · June 5, 2026
- AI-coded apps12 min
Vulnerabilidad IA: Cómo Agregar Row Level Security a tu App en Lovable
Cómo añadir Row Level Security a tu app de Lovable: activa RLS en cada tabla, escribe políticas por usuario con auth.uid() y verifica la clave anon.
Laurens Dauchy · June 5, 2026
- AI-coded apps12 min
Is Supabase Publishable Key Safe to Expose?
Is the Supabase publishable (anon) key safe to expose? Yes, but only with Row Level Security enabled. What it does, whether users can delete data, and the RLS caveat.
Laurens Dauchy · June 5, 2026
- App Store10 min
Revisione in corso app store: tempi di attesa 2026?
Revisione in corso vuol dire che un revisore Apple sta esaminando l'app. Nel 2026 il 90% è esaminato in meno di 24 ore, ma non c'è un tempo garantito.
Laurens Dauchy · June 5, 2026
- App Store11 min
How Long Does TestFlight Review Take? (Internal vs External)
How long TestFlight review takes for internal vs external testers, why the first build is slower than updates, and how to avoid losing a review cycle.
Laurens Dauchy · June 5, 2026
- Google Play11 min
Aplicativo em Revisão na Google Play Demorando Muito? (Como Resolver)
Seu aplicativo está em revisão na Google Play e demorando muito. O que significa, quanto tempo é normal, se vale esperar ou reenviar, e os passos para destravar.
Laurens Dauchy · June 4, 2026
- App Store12 min
App Store Connect Transporter Error: Master Fix Guide
What causes App Store Connect Transporter errors, how to fix network timeouts, authentication failures, and ITMS package errors, and what iTMSTransporter is.
Laurens Dauchy · June 4, 2026
- AI-coded apps12 min
Lovable App Row Level Security Vulnerabilities
Lovable apps shipped with Supabase Row Level Security off by default (CVE-2025-48757), exposing 170+ databases. How to audit, contain, and fix yours.
Laurens Dauchy · June 4, 2026
- Security12 min
Clés API Exposées en Frontend : Dangers et Solutions pour Apps Mobiles
Pourquoi une clé API exposée dans le front-end d'une app mobile n'est jamais secrète, les dangers concrets, et comment protéger vos clés en React Native et Expo.
Laurens Dauchy · June 4, 2026
- Google Play12 min
App Status Frozen? Managing Google Play Verification Freezes
Google Play verification freeze: what it means, how long it lasts, whether to wait or resubmit, the exact steps to unblock it, and when to contact support.
Laurens Dauchy · June 3, 2026
- AI-coded apps12 min
Can ChatGPT Safely Generate Supabase RLS Policies?
ChatGPT writes valid Supabase RLS policies but not reliably secure ones: watch for open policies, logged-in-only auth.uid() checks, and a missing WITH CHECK. Test them.
Laurens Dauchy · June 3, 2026
- App Store11 min
Is the App Store Connect Marketing URL Required?
Is the App Store Connect marketing URL required? No, it is optional. What it is used for, whether you can use your homepage, and how it differs from required URLs.
Laurens Dauchy · June 3, 2026
- Security13 min
Top iOS App Jailbreak Detection Bypass Tools
iOS jailbreak detection runs on the device, so tweaks like Liberty Lite and tools like Frida can bypass it. Understand the limit and defend with App Attest.
Laurens Dauchy · June 2, 2026
- App Store13 min
"Bundle-ID ist bereits vergeben": So Beheben Sie den Fehler
Der Fehler Bundle-ID ist bereits vergeben in App Store Connect: was er bedeutet, warum er auftritt, was Sie zuerst prüfen und wann eine Eskalation nötig ist.
Laurens Dauchy · June 2, 2026
- Security12 min
React Native SSL Pinning Bypass (Frida Tutorial)
How to test React Native SSL pinning on your own app with Frida, where pinning lives in an RN app, why it can be bypassed, and how to harden it responsibly.
Laurens Dauchy · June 2, 2026
- AI-coded apps12 min
Supabase RLS Disabled Warning: How to Fix Promptly
The Supabase RLS disabled warning means a public table is open to your anon key. Enable Row Level Security, add user-scoped policies, and fix every flagged table.
Laurens Dauchy · June 2, 2026
- OWASP MASVS13 min
OWASP MASVS: Mobile Security Testing Checklist (2026)
How to run an OWASP MASVS mobile security testing checklist across the eight control groups, from data storage and cryptography checks to resilience, with the MASTG.
Laurens Dauchy · June 2, 2026
- Security12 min
React Native SSL Pinning Bypass (Android)
React Native pins at the native OkHttp layer on Android, so a bypass hooks that check, not your JS. Where pinning lives, how to test it, and server-side trust.
Laurens Dauchy · June 2, 2026
- Google Play12 min
Google Play Console App Not Appearing in Store
App published in Google Play Console but not appearing in the store? It's usually a search indexing delay or device compatibility filtering. Causes and fixes.
Laurens Dauchy · June 1, 2026
- Google Play12 min
Google Play Fix: "Privacy Policy Link Invalid" Update Rejections
Google Play rejecting your update for an invalid privacy policy link? Why it happens, what a valid URL needs, and how to fix it in Play Console.
Laurens Dauchy · June 1, 2026
- App Store12 min
TestFlight Export Compliance: Uses Non-Exempt Encryption
TestFlight export compliance: which Info.plist key to use (ITSAppUsesNonExemptEncryption), whether you qualify for the exemption, and how French rules apply.
Laurens Dauchy · June 1, 2026
- AI-coded apps12 min
Vibe Coding App Security Scanners (Top Tools)
Security scanners for vibe-coded apps: what to scan for, why RLS and security headers matter most, and the tool categories that together cover a whole app.
Laurens Dauchy · June 1, 2026
- Builders12 min
EAS Build Android Failed to Assemble (Expo Fix)
EAS Build Android failed to assemble: read the Gradle log, then fix the real cause, whether an OutOfMemoryError, a Gradle version mismatch, or broken node modules.
Laurens Dauchy · June 1, 2026
- Security13 min
iOS Certificate Pinning Bypass (Frida & Objection)
iOS certificate pinning runs on the device, so Objection, Frida, or SSL Kill Switch can bypass it. Test your own app and anchor real trust server-side.
Laurens Dauchy · May 31, 2026
- App Store11 min
TestFlight Build Stuck in Processing: How to Clear It
Why your TestFlight build is stuck in processing and how to clear it: check for an error email, provide export compliance, and re-upload with a new build number.
Laurens Dauchy · May 31, 2026
- App Store11 min
TestFlightの90日間の有効期限が切れた場合と延長方法
TestFlightのビルドは90日で期限切れになります。延長はできず、テストを続けるには新しいビルドをアップロードします。原因と最初にすべき対応を解説します。
Laurens Dauchy · May 31, 2026
- App Store11 min
Apple Beta Docs: Testflight Interner Test VS Externer Test
Interner vs. externer TestFlight-Test: der Kernunterschied, wann du welchen wählst, wie lange die Freigabe dauert und wie du typische Fehler vermeidest.
Laurens Dauchy · May 31, 2026
- AI-coded apps10 min
AIノーコード(Low-Code)生成モバイルアプリのFirebase JWTエラー回避方法
AI生成アプリのFirebase JWTエラーを回避する要点。getIdTokenで毎回新しいトークンを送り、Admin SDKで必ず検証します。
Laurens Dauchy · May 30, 2026
- Security12 min
Android WebView addJavascriptInterface Security Risks
Android WebView addJavascriptInterface risks: how the reflection-to-RCE exploit worked, the API 17 @JavascriptInterface fix, and how to remediate it.
Laurens Dauchy · May 30, 2026
- App Store12 min
Transporter Transfer Failed: App-Specific Password Error
Transporter transfer failed on an app-specific password? Why two-factor accounts need one, how to generate it, the Fastlane env var, and the API key option.
Laurens Dauchy · May 30, 2026
- iOS11 min
iOS Distribution Certificate Expired: Renew Guide
You can't renew an expired iOS distribution certificate; create a new one and regenerate profiles. App Store apps keep working; enterprise and ad hoc builds break.
Laurens Dauchy · May 30, 2026
- App Store11 min
Can Two Apps Have the Same Name in the iOS App Store?
No, App Store names are globally unique and case-only variants are blocked. But subtitles can duplicate, and inactive accounts can squat a name you cannot reclaim.
Laurens Dauchy · May 30, 2026
- AI-coded apps12 min
Vibe-Coding Risks: Leaking API Keys via bolt.new Client Architecture
Why bolt.new and vibe-coding can leak API keys via client-side code, which secrets are dangerous, how to rotate and contain them, and how RLS changes the risk.
Laurens Dauchy · May 30, 2026
- Google Play12 min
Google Play Console Developer Registration Fee Refund
Is the $25 Google Play developer registration fee refundable? It's a one-time, mostly non-refundable charge. When Google refunds, when it won't, and how to ask.
Laurens Dauchy · May 30, 2026
- Google Play12 min
App Rejected on Google Play: Policy Fixes
App rejected on Google Play under a policy? Impersonation means fix your branding; an IP rejection means remove content or prove rights. Plus how to appeal.
Laurens Dauchy · May 30, 2026
- App Store11 min
How to Contact the Apple App Store Review Team
How to contact the Apple App Store review team: Resolution Center, the Contact Us form, the App Review Board, and expedited review, and when to use each.
Laurens Dauchy · May 29, 2026
- AI-coded apps11 min
Supabase Anon Key vs Service Role Key Explained
Supabase anon key vs service_role key: the anon key is public and RLS-limited, so it goes in the frontend; the service_role key bypasses RLS and stays server-side.
Laurens Dauchy · May 29, 2026
- App Store11 min
¿Cuánto Tarda en Revisarse una App en App Store en 2026?
Cuánto tarda en revisarse una app en la App Store en 2026, según sea una app nueva, una actualización o un cambio de metadatos, y qué hacer si se alarga.
Laurens Dauchy · May 28, 2026
- Android11 min
Generate Android App Bundle (.aab) vs APK
An APK is the installable Android package; an AAB is a Play publishing format that generates per-device APKs. Play requires AAB for new apps; test an AAB with bundletool.
Laurens Dauchy · May 28, 2026
- Security13 min
How to Bypass RootBeer Root Detection
RootBeer runs on the device, so its root checks can be overridden with Frida or Objection. Understand the limit and remediate with server-side attestation.
Laurens Dauchy · May 28, 2026
- iOS12 min
Provisioning Profile Expired: What to Do Next
iOS provisioning profile expired? Live App Store apps don't crash, but dev and enterprise builds stop launching. How to renew via Xcode, Fastlane, or EAS.
Laurens Dauchy · May 28, 2026
- Builders12 min
Expo EAS Build Stuck in Queue on Free Tier (How to Fix)
Why your Expo EAS build is stuck in queue on the free tier, how long the wait really is, whether paid tiers are instant, and how to build without waiting.
Laurens Dauchy · May 28, 2026
- AI-coded apps12 min
Missing Supabase RLS Policies in AI Apps (Lovable/Cursor)
Missing Supabase RLS in AI apps: what it means for your database, why AI code skips auth constraints, and how to write RLS policies quickly with auth.uid().
Laurens Dauchy · May 28, 2026
- Android11 min
El comando oficial "Android FLAG_SECURE": funciona en Android 15 y se puede hacer bypass?
FLAG_SECURE sigue funcionando en Android 15 y bloquea capturas y grabación. Pero es un control del cliente que se sortea con root, ADB o cámara externa.
Laurens Dauchy · May 27, 2026
- AI-coded apps12 min
Can People See My Supabase URL?
Can people see your Supabase URL? Yes, it is a public endpoint and safe with RLS. Whether the anon key is safe alongside it, and why CORS is not your access control.
Laurens Dauchy · May 27, 2026
- App Store12 min
Quel Est le Vrai Délai de Validation Apple TestFlight en 2026 ?
Le vrai délai de validation TestFlight : souvent moins de 24 h en externe, instantané en interne. Ce qui ralentit et quand contacter le support.
Laurens Dauchy · May 27, 2026
- App Store11 min
¿Qué Significa “Esperando Revisión” en Apple Testflight? (BETA App)
Qué significa 'Esperando revisión' en TestFlight, por qué la prueba externa requiere la Revisión de apps beta y la interna no, cuánto tarda y qué hacer.
Laurens Dauchy · May 27, 2026
- App Store11 min
EU External Link Entitlement (Apple Developer DMA Rules)
Apple EU external link entitlement under the DMA: the StoreKit External Purchase Link API, the Core Technology Fee and evolving terms, and how to adopt it.
Laurens Dauchy · May 27, 2026
- Android11 min
What to Do When Android App Bundles (AAB) Hit Play Console Size Limits
Google Play caps the AAB base module compressed download at 200 MB. Shrink the app with R8, or use Play Feature Delivery and Play Asset Delivery to exceed the limit.
Laurens Dauchy · May 27, 2026
- Google Play11 min
"In Corso di Revisione" Google Play: Perché Ci Vuole Così Tanto?
Cosa significa In corso di revisione su Google Play e perché ci vuole così tanto per un aggiornamento: quanto dura, cosa controllare e quando contattare Google.
Laurens Dauchy · May 26, 2026
- App Store11 min
Apple Developer Account Payment Pending (Taking Days)
Apple Developer account payment pending for days? Whether it is normal processing or a card verification issue, how long it takes, and when to escalate to support.
Laurens Dauchy · May 26, 2026
- Security12 min
Android Root Detection Bypass Using Frida (2026)
How to test Android root detection on your own app, what RootBeer checks, how Frida hooking bypasses it, and how to harden it for authorized security testing.
Laurens Dauchy · May 26, 2026
- AI-coded apps12 min
Supabase JWT Secret Leaked (Immediate Remediation Steps)
Your Supabase JWT secret leaked? It signs every token and both API keys, so rotate it now, invalidate all sessions, update keys, and migrate to signing keys.
Laurens Dauchy · May 26, 2026
- AI-coded apps12 min
How to Store API Keys Securely in React Native
You can't securely store a privileged API key in a shipped React Native app. Why dotenv won't hide it, what encrypted storage is really for, and the backend fix.
Laurens Dauchy · May 26, 2026
- App Store11 min
Fastlane: Could Not Start Delivery All Transports Failed
Fastlane's all transports failed error is a network issue: a firewall blocks the Aspera and Signiant ports. Force the DAV transport to upload over standard HTTPS.
Laurens Dauchy · May 25, 2026
- Google Play12 min
Google Play Account Terminated: High Risk Behavior (Appeals)
Google Play account terminated for high risk behavior? What it means, why it happens, why a new account won't work, and how to appeal it.
Laurens Dauchy · May 25, 2026
- Google Play12 min
App Stuck in Review on Google Play Console (Why It Takes 2 Weeks)
Why your app is stuck in review on Google Play Console, how long production review really takes, whether to unpublish or resubmit, and when to contact support.
Laurens Dauchy · May 25, 2026
- Android12 min
Android Keystore Password Lost? Recovery Steps
Lost your Android keystore password? Search gradle.properties, CI secrets, and your vault first. Brute force only helps weak passwords; else reset the upload key.
Laurens Dauchy · May 25, 2026
- Google Play12 min
App Bundle Signature Verification Failed (Google Play Fix)
App Bundle signature verification failed on Google Play: the upload key vs app signing key mismatch, verifying with apksigner, and when to reset the upload key.
Laurens Dauchy · May 25, 2026
- Google Play12 min
Google Play "We Couldn't Verify Your Identity" Fix
Google Play says it couldn't verify your identity? Usually it's document glare or a name mismatch with your payments profile. How to recapture and align both.
Laurens Dauchy · May 25, 2026
- App Store11 min
Apple TestFlight 2026: Interner vs. Externer Test Freigabezeiten
Wie lange interne und externe TestFlight-Tests bis zur Freigabe dauern, was normal ist, was die Prüfung verlangsamt und wann Sie den Support kontaktieren sollten.
Laurens Dauchy · May 24, 2026
- AI-coded apps12 min
Lovable vs Cursor: Which App Builder is More Secure?
Lovable vs Cursor security: neither is secure by default. Which exports cleaner code, their security defaults, each tool's main risk, and how to harden either.
Laurens Dauchy · May 24, 2026
- App Store12 min
Fastlane Upload IPA Error (Common Fixes)
Fastlane upload IPA errors and common fixes: App Store Connect API keys vs app-specific passwords, duplicate build numbers, invalid binaries, and app-not-found.
Laurens Dauchy · May 24, 2026
- Security8 min
Account enumeration in mobile app login flows
If your login or password-reset reveals whether an email has an account, attackers can list valid accounts to target. Here is how enumeration leaks and how to prevent it.
Laurens Dauchy · May 24, 2026
- AI-coded apps9 min
How do you hide API keys in a Lovable.dev app?
You can't hide a secret in front-end code, so the real answer is to move secret keys into Supabase Edge Functions and rely on RLS for the public anon key. Here is how to do it right.
Laurens Dauchy · May 24, 2026
- AI-coded apps9 min
How dangerous is a leaked JWT secret in a Lovable app?
A leaked Supabase JWT secret lets an attacker forge tokens for any user and bypass your access rules entirely. In Vite-based Lovable apps the VITE_ prefix is the trap. Here is how to stay safe.
Laurens Dauchy · May 24, 2026
- App Store8 min
Android 14 foreground service types: what to declare
On Android 14+, each foreground service needs a declared type, a matching permission, and a Play Console justification, or it throws at runtime or gets rejected. Here is how to comply.
Laurens Dauchy · May 24, 2026
- Security8 min
Android accessibility service abuse and security
Accessibility services can read the screen and act for the user, which malware abuses and Google Play scrutinizes. Here is how to handle both sides responsibly.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Android advertising ID and App Set ID privacy
The advertising ID is for ads and user-resettable; the App Set ID is for analytics and fraud. Use the right one, declare AD_ID, and respect resets. Here is how.
Laurens Dauchy · May 24, 2026
- Security7 min
Android allowBackup: is your app data backed up insecurely?
android:allowBackup decides whether your app's data can leave the device via backup. For sensitive data, that's a risk. Here is when to disable it and how.
Laurens Dauchy · May 24, 2026
- Security8 min
Android App Links verification with assetlinks.json
Verified App Links open directly in your app and can't be hijacked; unverified deep links and custom schemes can. Here is how Digital Asset Links verification works.
Laurens Dauchy · May 24, 2026
- Security8 min
Android Autofill Framework security
The Autofill Framework lets a password manager fill fields in your app. Here is how to mark fields so legitimate autofill works, exclude sensitive ones, and the duty if you build a service.
Laurens Dauchy · May 24, 2026
- Security8 min
Android BiometricPrompt: using biometrics securely
A BiometricPrompt success callback is a UI gate, not security; on a compromised device it's bypassable. Bind it to a Keystore key instead. Here is the secure pattern.
Laurens Dauchy · May 24, 2026
- Security8 min
Android broadcast receiver security explained
An exported receiver any app can trigger, and an implicit broadcast any app can read, are both risks. Keep broadcasts internal and protected. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
Android cleartext traffic and network_security_config.xml
Android blocks plain HTTP by default since Android 9. Re-enabling cleartext exposes user data. Here is how the network security config works and how to keep it safe.
Laurens Dauchy · May 24, 2026
- Privacy7 min
Android clipboard privacy: what to know
Since Android 12 the system flags apps that read the clipboard, which often holds passwords or codes. Read it only on user action. Here is how to handle it respectfully.
Laurens Dauchy · May 24, 2026
- Security8 min
Android CompanionDeviceManager pairing security
CompanionDeviceManager pairs your app with a companion device the user picks, without broad location permission for scanning. But it doesn't secure the link. Here is how to use it well.
Laurens Dauchy · May 24, 2026
- Security8 min
Android content provider security explained
An exported content provider can hand your data to other apps, and concatenating caller input into its query opens SQL injection. Here is how to secure it.
Laurens Dauchy · May 24, 2026
- Security8 min
The Android Credential Manager API
Credential Manager unifies passkeys, passwords, and Sign in with Google into one Android sign-in flow, making phishing-resistant passkeys first-class. Here is how to use it.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Android custom keyboard and input method security
The keyboard is an app that sees what users type in your fields. Here is how to mark sensitive input so a third-party keyboard treats it carefully, and the duty if you build one.
Laurens Dauchy · May 24, 2026
- Security8 min
Android dynamic code loading (DexClassLoader) security
Loading a dex or library at runtime runs unreviewed code, and over an insecure channel it's a code-injection path. Google Play restricts it too. Here is how to handle it.
Laurens Dauchy · May 24, 2026
- Security8 min
Android emulator detection
Attackers use emulators to script and scale abuse, so apps try to detect them. But local checks are bypassable. Here is how detection works and why to prefer Play Integrity.
Laurens Dauchy · May 24, 2026
- Security8 min
Android Enterprise managed configurations and the work profile
Android Enterprise lets admins configure your app remotely and isolates work data in a work profile. Here is how to support managed configurations securely and respect the boundary.
Laurens Dauchy · May 24, 2026
- Security8 min
Android android:exported: the exported-component risk
android:exported decides whether other apps can reach your components. An internal one left exported is a real attack surface. Here is how to lock it down.
Laurens Dauchy · May 24, 2026
- Security8 min
Android FileProvider: sharing files securely
Sharing a raw file path exposes your storage and crashes on modern Android. FileProvider grants a temporary, scoped handle to one file instead. Here is how to use it.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Android Health Connect and sensitive health data security
Health Connect is Android's central store for deeply personal health data, with granular permissions and a strict policy. Here is how to request and handle it securely.
Laurens Dauchy · May 24, 2026
- Security8 min
Android implicit intents and interception
An implicit intent goes to whatever app matches, so a malicious app can register to receive yours and read sensitive data in it. Here is how to use intents safely.
Laurens Dauchy · May 24, 2026
- Security8 min
Android intent redirection and hijacking explained
Forwarding an untrusted Intent lets attackers reach your internal components; implicit Intents can be intercepted. Here is how to handle Intents safely.
Laurens Dauchy · May 24, 2026
- Security8 min
Android key attestation explained
Key attestation gives your server cryptographic proof that a Keystore key really lives in secure hardware, with a Google-rooted certificate chain. Here is how it works.
Laurens Dauchy · May 24, 2026
- Security8 min
Android Keystore: hardware-backed keys explained
The Android Keystore holds keys your app can't read or export, hardware-backed on most devices. It's where cryptographic keys belong. Here is how it works and how to use it.
Laurens Dauchy · May 24, 2026
- Security8 min
Android local socket (Unix domain socket) IPC security
Android local sockets default to the abstract namespace, which has no permissions, so any app that knows the name can connect. Here is the risk and how to secure local IPC.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Android MediaProjection and screen-capture risks
MediaProjection lets an app record the screen, including other apps, behind user consent. Android 14 tightened it. Here is how to capture safely and protect sensitive screens.
Laurens Dauchy · May 24, 2026
- Security8 min
Android minSdkVersion and security: the old-version cost
Supporting very old Android means running on unpatched versions without modern protections. minSdkVersion is a security decision, not just reach. Here is how to choose.
Laurens Dauchy · May 24, 2026
- Security8 min
Android native (NDK/JNI) code security explained
Native C/C++ via the NDK isn't a hiding place for secrets and reintroduces memory-safety bugs. Here is what to watch when shipping native code on Android.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Android notification listener service security
An app with notification access reads every notification on the device, including one-time codes. Here is what notification access exposes and how to handle posting and reading.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Android package visibility and QUERY_ALL_PACKAGES
Since Android 11, apps see a filtered app list by default; QUERY_ALL_PACKAGES is a sensitive permission Play restricts. Declare specific packages instead. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
Android runtime permissions and least privilege
Request only the permissions your features use, in context, and handle denial. Over-requesting hurts trust and high-risk permissions need Play justification. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
Android scoped storage and its security implications
Scoped storage limits apps to their own files, managed media, and user-picked files. All-files access is restricted by Play. Here is how it works and the trap to avoid.
Laurens Dauchy · May 24, 2026
- Security8 min
Using Android StrictMode to catch insecure behavior
StrictMode flags cleartext traffic, exposed file:// URIs, and more during development. Here is how to use it to catch security-relevant issues before they ship, and its limits.
Laurens Dauchy · May 24, 2026
- Security8 min
Android tapjacking and overlay attacks explained
Tapjacking draws an overlay over your app so the user taps a hidden control. The fix is to discard obscured touches on sensitive views. Here is how it works and how to defend.
Laurens Dauchy · May 24, 2026
- Security8 min
Android task hijacking and StrandHogg
A malicious app can use taskAffinity to show its screen in place of yours, phishing for credentials. That's StrandHogg. Here is how task hijacking works and how to defend.
Laurens Dauchy · May 24, 2026
- Security8 min
Android VpnService and VPN app risks
VpnService routes all device traffic through an app, which can log or modify it. A malicious VPN is a serious threat. Here is the risk and why TLS and pinning still matter.
Laurens Dauchy · May 24, 2026
- Security8 min
Android WebView addJavaScriptInterface: the bridge risk
addJavaScriptInterface lets web JavaScript call your native code. With untrusted content that's remote access to your app. Here is how to use a bridge safely.
Laurens Dauchy · May 24, 2026
- Security8 min
Android WebView file-access settings and the risk
Some WebView settings let a local page's JavaScript read other local files. Enabled with untrusted content, that's exfiltration. Here is how to keep them safe.
Laurens Dauchy · May 24, 2026
- Security8 min
Android WebView Safe Browsing
WebView checks navigations against Google's list of known malicious sites and warns before a phishing or malware page loads. It's on by default. Here is how to use it.
Laurens Dauchy · May 24, 2026
- Security8 min
APK signing schemes (v2, v3, v4) explained
Android APK signing evolved from legacy JAR signing to whole-APK (v2), key rotation (v3), and incremental installs (v4). Here is what each does and why it matters.
Laurens Dauchy · May 24, 2026
- App Store7 min
App Store age ratings: the 2025 update explained
Apple's 2025 overhaul added 13+, 16+, and 18+ bands and made a new questionnaire mandatory. The deadline has passed, so incomplete apps are blocked. Here is the detail.
Laurens Dauchy · May 24, 2026
- App Store7 min
App Store Connect 'Pending Agreement': how to fix it
Pending Agreement means your Paid Apps Agreement isn't active. The Account Holder signs it, then completes tax and banking forms. Here is the order to clear it.
Laurens Dauchy · May 24, 2026
- App Store7 min
Is the App Store Connect support URL mandatory?
Yes. The Support URL is required and must be a working page with a real way to contact you, not a placeholder or an FAQ alone. Here is what it needs.
Laurens Dauchy · May 24, 2026
- App Store7 min
App Store Connect: how do you fix 'The request timed out'?
A timeout usually means the upload or page stalled on the network or Apple's side, not a problem with your app. Retry with Transporter, check Apple's system status, and stabilize your connection.
Laurens Dauchy · May 24, 2026
- App Store6 min
What format does the App Store copyright field need?
The copyright field takes the year the rights were obtained plus the owner's name, like '2026 Acme Inc.', and no URL. Here is the format and common mistakes.
Laurens Dauchy · May 24, 2026
- App Store8 min
Can I edit app metadata while my app is in review?
Mostly no. Once you submit, screenshots, keywords, the description and the name are locked. Promotional text is the exception you can update anytime. Here is the full field-by-field map.
Laurens Dauchy · May 24, 2026
- Privacy8 min
App Store health and medical data rules (5.1.3)
Guideline 5.1.3 bars using health data for ads or data mining, sharing it without consent, or selling it. Health data is also regulated by law. Here is how to handle it. Not legal advice.
Laurens Dauchy · May 24, 2026
- App Store7 min
App Store 'In Review' taking too long in 2026?
In Review means a reviewer is actively evaluating your app, and most finish in 24 to 48 hours. Here is why it sometimes stretches and what to do about it.
Laurens Dauchy · May 24, 2026
- App Store8 min
App Store rejection 2.5.1: Software Requirements
Guideline 2.5.1 means public APIs only, used for their intended purpose. The rejection usually traces to a private API in a third-party SDK. Here is how to find it.
Laurens Dauchy · May 24, 2026
- App Store7 min
How do I fix Transporter 'Operation Failed'?
Operation Failed at upload is almost always a network, outdated-Transporter, or authentication issue, not your build. Here is how to get the upload through.
Laurens Dauchy · May 24, 2026
- App Store7 min
What are Apple's App Review team working hours?
App Review has no published office hours and runs through weekends and holidays. Apple says 90% of submissions are reviewed in under 24 hours. Here is what to actually expect.
Laurens Dauchy · May 24, 2026
- App Store7 min
Will 'Beta' in your app name get it rejected?
Yes. Beta, Demo, and Trial belong on TestFlight, not the App Store. Guideline 2.2 is the core rule; 2.3.10 about metadata is sometimes cited. Here is the fix.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Bolt.new: fixing 'Error initializing database' on iOS
It means the database client failed to connect. On iOS the usual causes are missing config, an ATS block, a localhost address, or an init race. Here is how to fix each.
Laurens Dauchy · May 24, 2026
- Security8 min
Bot detection and abuse prevention for mobile apps
Bots hit your API directly to create fake accounts, stuff credentials, and scrape. Client-side checks don't stop them. Here is how to prevent automated abuse with server-verified signals.
Laurens Dauchy · May 24, 2026
- Security8 min
Can App Store reviewers see my Supabase database?
No. Reviewers test your app like any client, so what they can see is whatever your anon key and Row Level Security expose. The real guard is RLS, not the key.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can Apple reject my app for being too similar to another?
Yes. Duplicating apps hits Guideline 4.3 spam; imitating another developer's app hits 4.1 copycats. Competing is fine, near-cloning isn't. Here is the line.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can I change my app's price while it's in review?
Yes. Pricing and availability are managed separately from App Review, so you can change or schedule a price change anytime, and it won't reset the review.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can I change my marketing URL without resubmitting?
Generally no. The marketing URL is version metadata, edited when you submit a new version. Promotional text is the only field editable anytime. Here is the split.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can I change my app's category while it's in review?
While a version is in review, metadata is locked. To change your category you remove the build from review, edit it, and resubmit, which restarts the queue. Here is the safe way to do it.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can I change my bundle ID after the app is in review?
No. A bundle ID is fixed once the app record exists and a build is uploaded, so you cannot change it during review. Here is what to do instead and how to avoid the trap.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can I delete a rejected build from App Store Connect?
Not permanently. You can't erase an uploaded build, but you can remove it from a version and let it expire. A rejected build is simply superseded by your next upload. Here is how it works.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can I link to my Android app from my iOS app?
No. Guideline 2.3.10 restricts other-platform references, so a Google Play link in your iOS app or metadata is a rejection. Here is what's allowed instead.
Laurens Dauchy · May 24, 2026
- App Store8 min
Can I show different content to Apple reviewers?
No, serving reviewers a different app than users get is bait-and-switch and risks account termination. But you can help them access the real app. Here is the line.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can I test in-app purchases without a sandbox user?
Yes. StoreKit testing in Xcode uses a local config file and TestFlight uses a real Apple ID, both with no sandbox account. Here is when to use each.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can I use 'Beta' in my TestFlight app description?
Yes. TestFlight is the beta channel, so beta wording in the test information is fine. Just keep 'Beta' out of the app name, which feeds the public store. Here is the line.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Can Rork apps handle HIPAA compliance?
A Rork app can be part of a compliant system, but Rork doesn't make you HIPAA-compliant. Compliance is about the whole data flow, safeguards, and BAAs. Here is the detail.
Laurens Dauchy · May 24, 2026
- Security8 min
Can someone decompile my APK? What's recoverable
Yes. An APK decompiles to readable code, and strings and keys come out in the clear. Obfuscation only raises effort. Here is what's exposed and what to do.
Laurens Dauchy · May 24, 2026
- App Store7 min
Can two apps have the same name on the App Store?
No. The App Store listing name must be unique across the whole store, even between your own apps. Here is how naming works and how to handle a taken name.
Laurens Dauchy · May 24, 2026
- Security8 min
Certificate pinning in mobile apps: when it helps
Pinning makes your app trust only your server's key, blocking interception, but a bad cert rotation can brick the app. Here is when it's worth it and how to do it safely.
Laurens Dauchy · May 24, 2026
- Security8 min
Certificate Transparency for mobile apps
Certificate Transparency logs every issued TLS certificate publicly, so you can detect fraudulent ones for your domain. iOS requires it. Here is what it means for your app.
Laurens Dauchy · May 24, 2026
- Security8 min
Clearing sensitive data from memory in mobile apps
Secrets in memory can leak via dumps, crash logs, or runtime access on a compromised device. Minimize their lifetime and clear them after use. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
Command injection in mobile apps
Building an OS command from untrusted input lets an attacker run their own commands. It hits Android exec calls and, more often, the backend. Here is how to prevent it.
Laurens Dauchy · May 24, 2026
- Privacy8 min
COPPA and children's privacy for mobile apps
Apps for or used by under-13s must get parental consent, minimize data, and avoid behavioral ads, plus meet store children's policies. A high-level overview. Not legal advice.
Laurens Dauchy · May 24, 2026
- Security8 min
CRLF and HTTP header injection in mobile backends
A line break smuggled into a header or log line lets an attacker inject headers, split responses, or forge logs. Here is how CRLF injection works and how to prevent it.
Laurens Dauchy · May 24, 2026
- Security8 min
CVEs and checking your mobile app's dependencies
A known flaw in a library you bundle is your app's flaw. Answering 'do we ship that?' needs a component inventory checked against CVE data. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
Dependency confusion and typosquatting in mobile apps
A look-alike package name or a public package shadowing your private one can inject malicious code into your build. Here is how these supply-chain attacks work and how to defend.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Device fingerprinting and mobile privacy
Fingerprinting identifies a device by its traits, working around user controls, and Apple and Google restrict it. Here is what it is and how to stay on the right side.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Does AI-generated code have security vulnerabilities?
Yes, often. AI optimizes for code that works, not code that's secure, so it ships hardcoded secrets, weak crypto, and missing checks. Here is why and how to ship it safely.
Laurens Dauchy · May 24, 2026
- App Store8 min
Does Apple check the safety of AI-generated images?
Apple reviews your app's content safeguards, not every image. AI-generated images meet the same content rules, so you need moderation and an honest age rating.
Laurens Dauchy · May 24, 2026
- Security8 min
Does Apple check for eval() in your JavaScript code?
Apple doesn't grep your bundle for eval(). What Guideline 2.5.2 forbids is executing downloaded code that changes the app. eval() of remote content is the real risk. Here is the line.
Laurens Dauchy · May 24, 2026
- Security8 min
Does Apple check your app for hardcoded passwords?
Apple's review checks behavior and guidelines, not whether you left a password in the code. It rarely catches hardcoded credentials, but anyone with your build can. Here is the real risk.
Laurens Dauchy · May 24, 2026
- Security8 min
Does Apple review the source code of React Native apps?
Apple gets a compiled binary, not your repo. But your React Native JS ships inside that binary and is recoverable, so treat the bundle as visible. Here is the detail.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Does Bolt.new support Apple's required reason APIs?
Bolt generates code, but don't assume it produces a complete privacy manifest. Declaring required reason APIs is your job once you build for iOS. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
Does Cursor AI include my local .env in the build?
Cursor doesn't bundle your .env, your build config does. The real risk: a client-referenced secret is inlined into the binary. Here is how to keep it out.
Laurens Dauchy · May 24, 2026
- Security8 min
Does Expo SecureStore encrypt data on Android?
Yes. On Android, SecureStore encrypts values with the Android Keystore, hardware-backed when available. Here is how it works and where its protection ends.
Laurens Dauchy · May 24, 2026
- Security8 min
Does jailbreak and root detection protect my app?
It's defense-in-depth, not a boundary. On a compromised device it can be patched out, so it deters tampering but can't replace server-side security. Here is how to use it.
Laurens Dauchy · May 24, 2026
- Security8 min
Is SharedPreferences secure? Encrypting Android prefs
SharedPreferences stores data in plain text, and EncryptedSharedPreferences is now deprecated. Keep secrets in the Keystore. Here is how to store sensitive data on Android.
Laurens Dauchy · May 24, 2026
- Security8 min
Excessive data exposure in mobile APIs
The app shows a clean screen, but the API response behind it leaks extra fields. The UI isn't the boundary, the response is. Here is how to return only what's needed.
Laurens Dauchy · May 24, 2026
- App Store7 min
Fake apps and brand impersonation in app stores
Someone can publish a fake app with your name and icon to trick your users. It harms your brand even if your app is fine. Here is how to detect, report, and fight it.
Laurens Dauchy · May 24, 2026
- Security8 min
Firebase Cloud Messaging (FCM) security explained
Don't put sensitive data in an FCM payload, it passes through Google's infrastructure, and keep your FCM server credentials off the app. Here is how to do push safely on Android.
Laurens Dauchy · May 24, 2026
- Security8 min
Firebase Remote Config security: what to know
Remote Config values are delivered to the client and aren't secret, and a client can be manipulated. So no secrets and no client-side enforcement. Here is how to use it safely.
Laurens Dauchy · May 24, 2026
- Security7 min
FLAG_SECURE: block screenshots of sensitive screens
Android's FLAG_SECURE blocks screenshots, recording, and app-switcher previews of a screen. iOS needs a different approach. Here is how to protect sensitive screens.
Laurens Dauchy · May 24, 2026
- Security8 min
Flutter app security considerations
A Flutter app is a normal APK or IPA subject to the same security model, and compiled Dart isn't opaque. Here is what to keep in mind to secure a Flutter app.
Laurens Dauchy · May 24, 2026
- Security8 min
Forcing app updates for security: closing a fixed vuln
A security fix only protects users who install it, and old versions linger. You need server-driven version gating to require critical updates. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
Format string vulnerabilities in mobile apps
Logging a variable as the format string lets an attacker read memory or crash the app. The fix is one rule. Here is how format string bugs work and how to avoid them.
Laurens Dauchy · May 24, 2026
- Security8 min
Frida and dynamic instrumentation detection
Attackers use Frida to hook your running app, bypass checks, and read secrets from memory. Apps can detect it, but detection can be bypassed. Here is how to use it well.
Laurens Dauchy · May 24, 2026
- Privacy8 min
GDPR and CCPA basics for mobile apps
If your app has EU or California users, these privacy laws apply regardless of where you are. Here is a high-level overview of what they require. Not legal advice.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Google Play's account and data deletion requirement
If your app allows account creation, Google Play requires deletion both in-app and via a web link, and deleting the account must delete the data. Here is how to comply.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Google Play Data safety form: getting it accurate
The Data safety section is Android's privacy label, and you own its accuracy. SDKs are the usual blind spot. Here is what to declare and how to get it right.
Laurens Dauchy · May 24, 2026
- Security8 min
GraphQL API security for mobile apps
GraphQL's flexibility brings distinct risks: introspection, query-complexity DoS, per-field authorization, and batching abuse. Here is how to secure a GraphQL mobile API.
Laurens Dauchy · May 24, 2026
- Security8 min
gRPC security for mobile apps
gRPC needs TLS channel credentials, token-in-metadata auth, per-RPC authorization, and server reflection disabled in production. Here is how to secure a gRPC mobile API.
Laurens Dauchy · May 24, 2026
- App Store8 min
Guideline 2.5.4: background location without necessity
2.5.4 limits background modes to real purposes. Running background location with no feature behind it is a rejection. Here is when it's justified and how to fix it.
Laurens Dauchy · May 24, 2026
- App Store8 min
Guideline 3.2.2: unacceptable business models (free apps)
3.2.2 rejects apps built around watching ads, paying users to download apps, or promoting other apps. It's about the model, not free apps. Here is how to pass.
Laurens Dauchy · May 24, 2026
- App Store8 min
Guideline 4.3(a): is it a UI issue or a concept issue?
A 4.3(a) spam rejection can mean your UI looks templated or your concept is too common. Here is how to tell which, because the fix is different.
Laurens Dauchy · May 24, 2026
- App Store8 min
Guideline 4.7: HTML5 games and mini-apps explained
4.7 lets you host HTML5 mini apps and games, but only in WebKit/JavaScriptCore with no native API access, and you're responsible for all of it. Here are the rules.
Laurens Dauchy · May 24, 2026
- Security8 min
Hardcoded test and debug credentials in production apps
A test login or skip-auth flag left in a shipped app is a backdoor anyone can find by decompiling it. Here is what counts, why it's dangerous, and how to keep it out of release.
Laurens Dauchy · May 24, 2026
- App Store8 min
How long does the Apple Notary Service take?
Notarization is automated and usually finishes in minutes, not the day App Review takes. Here is the real timing, how to wait for it, and why some take longer.
Laurens Dauchy · May 24, 2026
- App Store7 min
How long does 'Ready for Distribution' status last?
It doesn't expire. Ready for Distribution is the stable status of an approved, live app and lasts until you ship a new version or change availability. Here is the detail.
Laurens Dauchy · May 24, 2026
- App Store8 min
How to bypass App Store review (and why it fails)
You can't bypass App Store review for public apps, and the techniques people try risk account termination. Here is why, and the legitimate faster paths.
Laurens Dauchy · May 24, 2026
- Security8 min
How to check if my app uses 'restricted' APIs
Restricted means either banned private APIs (a 2.5.1 rejection) or required reason APIs (declare them). Both often come from SDKs. Here is how to find each.
Laurens Dauchy · May 24, 2026
- App Store7 min
How do I contact the Apple App Review team?
There's no App Review phone number, but you can message reviewers in Resolution Center and request a call. Here are the channels and when to use each.
Laurens Dauchy · May 24, 2026
- App Store7 min
How do I delete old builds from TestFlight?
You can't delete TestFlight builds; App Store Connect has no delete button. You expire them instead, and they auto-expire after 90 days. Here is how it works.
Laurens Dauchy · May 24, 2026
- App Store7 min
How do you fix an App Store Connect operation error?
Operation errors like 1052 are generic upload failures, not app problems. Update Transporter, fix proxy settings, retry, and check Apple's status. Here is the systematic way to clear one.
Laurens Dauchy · May 24, 2026
- App Store7 min
How to fix Guideline 2.1: Information Needed (login)
A 2.1 'Information Needed' isn't a rejection, it means review needs a way in. Add a working demo account in App Review Information. Here is the fix.
Laurens Dauchy · May 24, 2026
- App Store8 min
How do you fix ITMS-90174: missing provisioning profile?
ITMS-90174 means your build shipped without a valid embedded.mobileprovision. Re-export with an App Store distribution profile and correct signing. Here is the full fix.
Laurens Dauchy · May 24, 2026
- Privacy8 min
How to use PrivacyInfo.xcprivacy in React Native
The privacy manifest declares your data collection, tracking, and required reason API use. Here is what it contains and how to add it in bare and managed Expo.
Laurens Dauchy · May 24, 2026
- Security8 min
IDOR / broken object level authorization in mobile APIs
If your API returns an object by ID without checking the user owns it, anyone can change the ID and read others' data. The app's UI won't save you. Here is the fix.
Laurens Dauchy · May 24, 2026
- App Store7 min
In Review vs Waiting for Review: what's the difference?
Waiting for Review means Apple has your submission but hasn't started; In Review means a reviewer is actively looking at it. Here is what each status means and what you can do in it.
Laurens Dauchy · May 24, 2026
- Security8 min
Insecure deserialization in mobile apps
Turning untrusted data into objects without validation can tamper with app state or run code. Untrusted data comes from the network, deep links, IPC, and files. Here is how to be safe.
Laurens Dauchy · May 24, 2026
- Security8 min
Insecure logging: sensitive data in your app's logs
A log line that prints a token or full API response can leak it, especially in a release build. Logs aren't private. Here is what leaks and how to log safely.
Laurens Dauchy · May 24, 2026
- Security8 min
Insufficient input/output validation in mobile apps (M4)
OWASP M4: trusting external data causes injection, crashes, and worse. Validate input against expectations and encode output. Here is where it shows up and how to fix it.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS App Attest and DeviceCheck explained
App Attest lets your server verify a request came from your genuine app on a real device, using the Secure Enclave. It's the iOS counterpart to Play Integrity. Here is how to use it.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS App Clips security
An App Clip is a small, on-demand slice of your app with constrained capabilities, but it's still a real app handling data and untrusted invocations. Here is how to build one securely.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS app extensions security: what to know
Share sheets, widgets, keyboards, and notification extensions share data via App Groups and carry their own risks, like keyboard full access. Here is how to keep them secure.
Laurens Dauchy · May 24, 2026
- Security7 min
iOS App Groups and shared container security
App Groups share a container among your app and its extensions, and shared UserDefaults isn't encrypted. Here is how to share data without over-exposing it.
Laurens Dauchy · May 24, 2026
- Privacy8 min
iOS App Privacy Report: what it reveals about your app
The App Privacy Report shows users how often your app used sensitive permissions and every domain it and its SDKs contacted. Here is what it reveals and what it means for you.
Laurens Dauchy · May 24, 2026
- Security8 min
The iOS app switcher snapshot data leak
iOS screenshots your app's screen when it backgrounds, for the app switcher, and saves it. Sensitive data on screen gets captured. Here is how to prevent the leak.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS App Transport Security (ATS) and its exceptions
ATS makes secure connections the iOS default and blocks plaintext HTTP. The risk is a blanket exception that disables it app-wide. Here is how to configure ATS right.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS background task security with BGTaskScheduler
Background work runs without the user watching, but it's still your app handling data. Here is how to keep full security in background tasks, including the locked-device data-protection nuance.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS custom URL scheme hijacking: the deep-link risk
iOS doesn't make custom URL schemes unique, so another app can register yours and intercept links. Don't pass secrets over them. Use Universal Links. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS Data Protection: file encryption classes explained
iOS encrypts files at rest, but the protection class decides when they can be decrypted, and the default isn't strongest. Here is how to protect sensitive files.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS Face ID and Touch ID: using biometrics securely
A biometric success boolean is a UI gate, not security; on a compromised device it's bypassable. Bind biometrics to the Keychain instead. Here is the secure pattern.
Laurens Dauchy · May 24, 2026
- Privacy8 min
iOS Handoff and NSUserActivity data leaks
An NSUserActivity eligible for Handoff is sent to the user's other devices, payload and all. Put sensitive data in it and it travels. Here is how to use Handoff safely.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS Keychain access groups: sharing secrets securely
Keychain access groups let your own apps share secrets, but every app in the group can read them. Here is how access groups work and how to scope sharing safely.
Laurens Dauchy · May 24, 2026
- Security7 min
iOS Keychain iCloud sync: synchronizable vs device-only
Keychain items can sync across a user's devices via iCloud Keychain, or stay device-only. The choice matters for sensitive secrets. Here is how to decide per item.
Laurens Dauchy · May 24, 2026
- Security7 min
iOS Keychain vs UserDefaults: where to store tokens
UserDefaults stores values in plain text, so a token there is exposed. The Keychain is encrypted, access-controlled storage for secrets. Here is the rule.
Laurens Dauchy · May 24, 2026
- Privacy8 min
iOS limited photo library access
iOS lets users pick photos without granting any library access, and share only a selection. Requesting full access when you need a couple of photos is over-permissioning. Here is how to take less.
Laurens Dauchy · May 24, 2026
- Privacy8 min
iOS Live Activities and ActivityKit privacy
A Live Activity shows content on the lock screen, visible without authentication to anyone near the device. Here is how to use ActivityKit without leaking sensitive data.
Laurens Dauchy · May 24, 2026
- Privacy7 min
iOS local network privacy permission explained
Since iOS 14, reaching devices on the user's local network needs permission and a purpose string. An unexpected prompt often means an SDK is scanning. Here is how to handle it.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS Managed App Configuration (MDM) explained
Managed App Configuration lets an MDM configure your enterprise app centrally, server URLs, SSO, feature flags. It's for settings, not secrets. Here is how to use it.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS Network Extension and VPN entitlement security
Network Extension lets an iOS app build a VPN, filter, or DNS proxy that handles device traffic, behind a gated entitlement. Here is the responsibility and why TLS and pinning still matter.
Laurens Dauchy · May 24, 2026
- Security8 min
NSURLCache: when sensitive responses get cached on disk
iOS can quietly cache API responses to disk in plaintext, so a response full of personal data becomes data at rest. Here is how to keep sensitive responses out of the cache.
Laurens Dauchy · May 24, 2026
- Security8 min
Why NSUserDefaults is not secure storage
UserDefaults is backed by an unencrypted plist, so tokens or personal data stored there sit in plaintext and land in backups. Here is where sensitive data belongs instead.
Laurens Dauchy · May 24, 2026
- Security7 min
iOS entitlements: request only what your app needs
Entitlements grant capabilities like App Groups, Keychain sharing, and push. Declaring ones you don't use adds risk and review scrutiny. Here is how to keep them minimal.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS Password AutoFill and associated domains
Password AutoFill offers saved credentials bound to a domain you own, so they fill in your genuine app, not a look-alike, and it enables passkeys. Here is how to set it up.
Laurens Dauchy · May 24, 2026
- Privacy7 min
iOS pasteboard and clipboard privacy: what to know
Reading the iOS clipboard can capture data the user copied elsewhere, and iOS shows a banner when you do. Here is how to use the pasteboard respectfully.
Laurens Dauchy · May 24, 2026
- Privacy8 min
iOS privacy manifest tracking domains explained
The privacy manifest lists tracking domains, and iOS blocks them without ATT consent. The domains come from your SDKs. Here is how to declare them correctly.
Laurens Dauchy · May 24, 2026
- Privacy8 min
iOS privacy nutrition label vs privacy manifest
The privacy label is the user-facing App Store disclosure; the privacy manifest is a machine-readable in-bundle file. They're different, and both must agree. Here is the distinction.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS push notification security: tokens and payloads
Don't put sensitive data in a push payload, it passes through APNs and shows on the lock screen, and keep APNs credentials off the app. Here is how to do push safely.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS screen-capture and screenshot detection
iOS can't block screenshots like Android's FLAG_SECURE, but it lets you detect recording and screenshots. Here is how to obscure sensitive content during capture and react to screenshots.
Laurens Dauchy · May 24, 2026
- Security8 min
The iOS Secure Enclave explained
The Secure Enclave is isolated Apple hardware that holds keys so they never leave it, backing Face ID, encryption, and the Keychain. Here is what it does and how to use it.
Laurens Dauchy · May 24, 2026
- Security8 min
SFSafariViewController vs WKWebView for external content
WKWebView is app-controlled; SFSafariViewController is isolated. For external sites and sign-in, the isolated view protects credentials. Here is how to choose.
Laurens Dauchy · May 24, 2026
- Privacy8 min
The iOS Spotlight indexing data leak
Indexing your app's content for Spotlight makes it searchable, and stored on disk, for anyone with the device. Index the wrong thing and sensitive data leaks. Here is how to index safely.
Laurens Dauchy · May 24, 2026
- Security8 min
iOS Universal Links security
Custom URL schemes can be hijacked by any app; Universal Links are bound to a domain you own. But the link is still untrusted input. Here is how to use them securely.
Laurens Dauchy · May 24, 2026
- Security8 min
WKWebView security configuration on iOS
WKWebView is the modern iOS web view, but a native message handler or file-access setting plus untrusted content is risky. Here is how to keep its safe defaults.
Laurens Dauchy · May 24, 2026
- Security7 min
Is android:debuggable a security risk in release builds?
Yes. A debuggable release lets anyone attach a debugger to inspect and tamper with your app. Usually a hardcoded manifest value causes it. Here is how to be sure it's off.
Laurens Dauchy · May 24, 2026
- App Store8 min
Is it legal to have hidden features in iOS apps?
Under the App Store rules, no. Guideline 2.3.1 bans hidden, dormant, or undocumented features, and it risks removal and account termination. Here is the line.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Is my Rork app ready for the App Store?
Running in the preview isn't ready. A Rork app needs real functionality, no exposed keys, privacy pieces, and honest metadata. Here is the readiness checklist.
Laurens Dauchy · May 24, 2026
- Security8 min
Is unsafe-inline safe to use in AI-built WebViews?
No. unsafe-inline disables the CSP defense against injected scripts, and AI builders ship it by default. In a WebView that is risky. Here is how to remove it.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Is it safe to use Windsurf AI for fintech apps?
Windsurf can build a fintech app fast, but its defaults aren't fintech-grade. Safety depends on hardening, a PCI-compliant processor, and compliance. Here is the detail.
Laurens Dauchy · May 24, 2026
- App Store8 min
ITMS-90809: 'Deprecated UIWebView' rejection fix
ITMS-90809 means your binary still references UIWebView, usually from an old SDK. Move to WKWebView, which is also more secure. Here is how to find and fix it.
Laurens Dauchy · May 24, 2026
- Security8 min
JWT alg:none and algorithm-confusion attacks
If your backend trusts the algorithm a JWT declares, an attacker can strip the signature or sign with your public key to forge tokens. Here is how to verify JWTs safely.
Laurens Dauchy · May 24, 2026
- Security8 min
JWT handling in mobile apps: doing it securely
A JWT payload is base64, not encrypted, and storing the token in plain storage leaks it. Here are the common JWT mistakes in mobile apps and how to avoid them.
Laurens Dauchy · May 24, 2026
- Security8 min
LDAP injection in mobile backends
If your backend builds an LDAP filter from a username or search term without escaping, an attacker can bypass login or read directory data. Here is how LDAP injection works and how to prevent it.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Lovable.dev 'Invalid Binary' after Xcode upload: the fix
Invalid Binary is an automated processing rejection with a specific reason in an email. For a Lovable export it's usually icons, Info.plist, or signing. Here is the fix.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Lovable vs Replit Agent: which produces cleaner code?
Lovable's narrow stack yields more consistent code; Replit Agent's flexibility varies. But neither is reliably secure, and that matters more. Here is the honest take.
Laurens Dauchy · May 24, 2026
- Security8 min
Magic link authentication security
A magic link contains a token that is a temporary credential, delivered over email or SMS. Here is how to make magic-link sign-in secure: strong single-use tokens, verified server-side.
Laurens Dauchy · May 24, 2026
- Security8 min
Malicious QR codes in mobile apps
A QR code is data a user can't read by eye, so an attacker can encode a phishing link or payment request, even sticker it over a real code. Here is how to scan safely.
Laurens Dauchy · May 24, 2026
- Security8 min
Mass assignment in mobile app APIs explained
If your API binds a request body straight to a data model, a client can set fields like role or verified that it never should. Here is how mass assignment works and how to prevent it.
Laurens Dauchy · May 24, 2026
- Security8 min
MFA and two-factor authentication in mobile apps
MFA means a stolen password isn't enough, but factors aren't equal: authenticator apps and passkeys beat SMS, and the server must verify. Here is how to add it well.
Laurens Dauchy · May 24, 2026
- Security8 min
Man-in-the-middle attacks on mobile apps explained
A MITM attacker sits between your app and server, reading or changing traffic. It works on cleartext or weak cert validation. Here is how it happens and how to defend.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Mobile analytics and privacy: collecting responsibly
An analytics SDK quietly sends usage and device data to a third party, often more than you need. Here is the privacy concern and how to do analytics without overreaching.
Laurens Dauchy · May 24, 2026
- Security8 min
Mobile app incident response: when your app is breached
When an incident hits, contain it, assess scope, fix it, force the update, and notify. On mobile you can't recall old versions, so it leans server-side. Here is the plan.
Laurens Dauchy · May 24, 2026
- Security8 min
Mobile app penetration testing: what it covers
A pen test is a human attacking your app: runtime, network, auth, and business logic. A scan is the fast, broad first pass. Here is how they differ and when to use each.
Laurens Dauchy · May 24, 2026
- Security8 min
Mobile app threat modeling: a practical introduction
Threat modeling is three questions asked early: what to protect, what could go wrong, what to do. For mobile, assume the client is untrusted. Here is how to start.
Laurens Dauchy · May 24, 2026
- Security8 min
Mobile DevSecOps: shifting security left
Security at the end is costly and easy to skip. Shifting left moves it into design, code review, and your build pipeline. Here is how to do it for a mobile app.
Laurens Dauchy · May 24, 2026
- Security8 min
Mobile session management: timeout, expiry, revocation
A session that never ends is one a stolen token keeps alive. Good session management means short tokens, timeouts, and server-side revocation. Here is how to do it.
Laurens Dauchy · May 24, 2026
- Security8 min
Mobile supply chain security: third-party SDK risks
Most of your app's code comes from SDKs you didn't write but ship and answer for. They can leak data, carry flaws, or trigger rejection. Here is how to manage the risk.
Laurens Dauchy · May 24, 2026
- Security8 min
Mutual TLS (mTLS) for mobile apps explained
mTLS lets your server verify the client, so only certified clients connect. But a static client cert in the app is extractable. Here is how to use mTLS on mobile.
Laurens Dauchy · May 24, 2026
- Security8 min
NFC security for mobile apps
NFC feels secure because of proximity, but a tag is untrusted input, its ID is cloneable, and relay attacks defeat short range. Here is how to use NFC securely.
Laurens Dauchy · May 24, 2026
- Security8 min
NoSQL injection in mobile backends
NoSQL injection lets an attacker send a query operator where a value is expected, bypassing login or exposing data. Here is how it works and how to prevent it.
Laurens Dauchy · May 24, 2026
- Security8 min
OAuth 2.0 with PKCE for mobile apps
Native apps can't keep a client secret, so use the Authorization Code flow with PKCE in the system browser, not the implicit flow or an embedded web view. Here is why and how.
Laurens Dauchy · May 24, 2026
- Security8 min
Offline data security in mobile apps
Cached data sits on the device, lands in backups, and outlives its need. And offline, the app can't check the server. Here is how to handle offline data securely.
Laurens Dauchy · May 24, 2026
- Security8 min
Open redirect in mobile apps
An unvalidated redirect URL lets an attacker bounce users from your trusted link to a phishing site, or steal an OAuth token. Here is how open redirects work and how to close them.
Laurens Dauchy · May 24, 2026
- Security8 min
OWASP Mobile M10: Insufficient Cryptography
M10 is the risk that your app encrypts but the cryptography still fails, through weak algorithms, bad key management, or home-grown schemes. Here is how to address it.
Laurens Dauchy · May 24, 2026
- Security8 min
OWASP Mobile M5: Insecure Communication
M5 in the OWASP Mobile Top 10 covers how your app protects data in transit. Here is what insecure communication means and how to address it with TLS done right.
Laurens Dauchy · May 24, 2026
- Privacy8 min
OWASP Mobile M6: Inadequate Privacy Controls
M6 in the OWASP Mobile Top 10 is about how your app handles personal information across its lifecycle. Here is what inadequate privacy controls means and how to address it.
Laurens Dauchy · May 24, 2026
- Security8 min
OWASP Mobile M7: Insufficient Binary Protections
M7 covers reverse-engineering and tampering of your app's binary. Obfuscation and anti-tampering help, but they slow attackers, not stop them. Here is how to address it.
Laurens Dauchy · May 24, 2026
- Security8 min
OWASP Mobile M8: Security Misconfiguration
M8 covers insecure settings, not bugs: debuggable builds, exported components, allowed backups, cleartext. The app works fine, so you have to check. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
Passkeys and WebAuthn in mobile apps explained
Passkeys replace passwords with a public-key credential whose private key never leaves the device, so there's nothing to phish. Here is how they work and how to add them.
Laurens Dauchy · May 24, 2026
- Security8 min
Password hashing for mobile app backends
If your app has password accounts, the backend must hash them with a slow, salted function like Argon2id, not a fast hash. Here is how to store passwords so a breach isn't a catastrophe.
Laurens Dauchy · May 24, 2026
- Security8 min
Play App Signing: upload key vs app signing key
You sign uploads with an upload key; Google signs the delivered app with the app signing key. One is recoverable, one establishes identity. Here is the difference.
Laurens Dauchy · May 24, 2026
- Security8 min
Play Integrity API vs SafetyNet, explained
SafetyNet Attestation is deprecated; the Play Integrity API replaces it. It signals whether a request is from a genuine app and device. Here is how to use it well.
Laurens Dauchy · May 24, 2026
- Security8 min
Pre-launch mobile app security audit checklist
Security issues are cheap to fix before launch and expensive after. Here is a checklist covering secrets, storage, network, auth, platform, and code, before you ship.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Can I use ChatGPT to write my app's privacy policy?
You can draft it with ChatGPT, but a generic AI policy must still match what your app actually collects, or it fails review. Here is how to do it safely.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Private DNS and DNS-over-HTTPS on mobile
Encrypted DNS hides which domains your app resolves from the network, but it protects the lookup, not your connection. Here is what DNS encryption does on mobile and what to rely on TLS for.
Laurens Dauchy · May 24, 2026
- Security8 min
Prototype pollution in JavaScript mobile apps
A single unsafe merge of untrusted JSON can let an attacker pollute JavaScript's object prototype, affecting every object. Here is how prototype pollution works and how to prevent it.
Laurens Dauchy · May 24, 2026
- Security8 min
Rate limiting and abuse protection for mobile APIs
Your API is callable directly, so without rate limiting an attacker can brute-force logins, spam codes, and scrape data. It must be server-side. Here is how to apply it.
Laurens Dauchy · May 24, 2026
- Security9 min
Why does App Store review reject React Native apps for insecure APIs?
React Native apps get bounced when they talk to a backend over plain HTTP, disable App Transport Security, or ship secrets in the JS bundle. Here is what triggers it and how to fix it.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Guideline 5.1.2(i): the App Store AI data-sharing rule
Guideline 5.1.2(i) now requires disclosing and getting explicit permission before sending personal data to a third-party AI. Here is what it means and how to comply.
Laurens Dauchy · May 24, 2026
- Security8 min
Replay attacks and nonces in mobile APIs
TLS stops eavesdropping, not resending. A captured request replayed can charge a payment twice or reuse a code. Here is how nonces and idempotency keys stop replay.
Laurens Dauchy · May 24, 2026
- App Store8 min
How do I add AdMob to a Replit app without rejection?
AdMob triggers iOS privacy requirements an AI agent usually skips: a Privacy Manifest, ATT, App Privacy disclosure, and SKAdNetwork IDs. Here is the checklist.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Replit Agent: Error 401 Unauthorized on backend API
A 401 means auth failed, usually a secret set in dev but not the deployment, a bad header, or an expired token. Here is how to fix it without hardcoding a key.
Laurens Dauchy · May 24, 2026
- AI-coded apps7 min
Is connecting a custom domain to Replit secure?
Replit auto-provisions HTTPS for a custom domain, so the security work is keeping DNS correct and remembering the domain is just the address. Here is the checklist.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Why does my Replit Agent app get a 403 calling an external API?
A 403 from a third-party API usually means a missing or wrong key, a bad auth header, or an IP or origin restriction, not a network failure. Here is how to debug it in a Replit-built app.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Why does my Replit app return 502 after submission?
A 502 means your Replit backend crashed, slept, or could not be reached, not that your iOS app failed. Here is why it happens at review or launch, and the fix.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Why can't my Replit Agent app reach Supabase in production?
It works in the workspace but fails when deployed because production secrets aren't set, or the connection uses the wrong pooler. Here is how to fix a Replit app that loses Supabase live.
Laurens Dauchy · May 24, 2026
- Security8 min
Reverse tabnabbing in mobile WebViews
A link opened without noopener lets the opened page redirect your page to a phishing site. Browser defaults help, but WebViews may not. Here is how to prevent reverse tabnabbing.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Rork vs Expo: which is safer for production?
Rork builds Expo apps, so it's not really a framework contest. Expo is the safe foundation; safety comes down to whether the code is hardened. Here is the verdict.
Laurens Dauchy · May 24, 2026
- AI-coded apps9 min
Rork vs Lovable: which one gets you through App Store review?
Rork builds native React Native apps aimed straight at the App Store; Lovable builds web apps that need wrapping to submit. That difference decides how hard approval is.
Laurens Dauchy · May 24, 2026
- Security8 min
Rotating exposed secrets in mobile apps: what to do
A key shipped in your app is already compromised and can't be recalled. Removing it later doesn't help. Here is how to rotate an exposed secret and not repeat the mistake.
Laurens Dauchy · May 24, 2026
- Security8 min
SAST vs DAST for mobile app security, explained
SAST reads your build to find secrets and config issues; DAST runs the app to find runtime behavior. They catch different things. Here is how they fit together.
Laurens Dauchy · May 24, 2026
- Security8 min
SBOM for mobile apps: the software bill of materials
An SBOM is a versioned inventory of every component in your app, so you can answer 'do we use that vulnerable library?' in minutes. Here is why mobile apps need one.
Laurens Dauchy · May 24, 2026
- Security8 min
Secure token storage and refresh in mobile apps
Access and refresh tokens are the keys to a session, so store them in the Keychain or Keystore and rotate refresh tokens to catch theft. Here is how to handle the token lifecycle.
Laurens Dauchy · May 24, 2026
- Security8 min
Is it safe to give an AI agent my App Store Connect key?
Only with a least-privilege key, never your admin access. Use a dedicated key scoped to the minimum role and app, stored as a secret. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
Does Apple check your backend security during app review?
No. App Review tests the app on a device, not your server. It will use features that hit your API but never audits the backend itself, so insecure endpoints sail through. Here is what that means.
Laurens Dauchy · May 24, 2026
- Security8 min
Sensitive data in app cache and temp files
A cached API response or temp file can leak personal data even when your secrets are in the Keychain. Caches are storage. Here is how to cache without leaking.
Laurens Dauchy · May 24, 2026
- Security8 min
Server-side template injection in mobile backends
If your backend builds templates from user input, an attacker can inject template syntax the engine runs, often reaching code execution. Here is how SSTI works and how to prevent it.
Laurens Dauchy · May 24, 2026
- Security8 min
Sideloading and alternative app marketplaces security
Android has always allowed sideloading, and iOS now permits alternative marketplaces in the EU. Apps can bypass store review. Here is what that changes and how to protect your app.
Laurens Dauchy · May 24, 2026
- Security8 min
Siri Shortcuts and App Intents data exposure
App Intents expose your actions and content to Siri, Shortcuts, and the lock screen, and let actions run outside your UI. Here is how to avoid leaking data or sensitive actions.
Laurens Dauchy · May 24, 2026
- Security8 min
SMS OTP security and the SIM-swap risk
SMS one-time codes are the weakest factor: they can be intercepted, phished, or stolen via SIM swap. Prefer authenticator apps or passkeys. Here is how to use SMS more safely.
Laurens Dauchy · May 24, 2026
- Security8 min
SSRF: server-side request forgery from a mobile backend
Import-from-URL, link previews, and webhooks make your server fetch client-supplied URLs, which an attacker can point at internal services. Here is how to prevent SSRF.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Can I submit a vibe-coded app to the Epic Games Store?
Yes. Epic doesn't reject apps for being AI-built; you need an account, the fee, and to pass its guidelines. But vibe-coded apps ship insecure defaults to fix first.
Laurens Dauchy · May 24, 2026
- App Store7 min
TestFlight 'Build Missing Export Compliance': the fix
Missing Compliance is an unanswered encryption question, not a rejection. Answer it per build, or set ITSAppUsesNonExemptEncryption in Info.plist to skip it for good.
Laurens Dauchy · May 24, 2026
- App Store8 min
Internal vs external TestFlight testing: what's the difference?
Internal TestFlight testers skip review and install once a build processes; external testers wait on Beta App Review of the first build. Here is how each works.
Laurens Dauchy · May 24, 2026
- App Store8 min
TestFlight public link vs email invite: which should you use?
A public link lets anyone join your beta up to 10,000 testers with no email needed; email invites target named people. Both need Beta App Review first. Here is how to choose.
Laurens Dauchy · May 24, 2026
- App Store7 min
Why is my TestFlight build stuck on Processing for weeks?
Processing takes minutes, not weeks, so a stuck build has usually failed silently or is waiting on you. Here is how to unstick it and when to escalate.
Laurens Dauchy · May 24, 2026
- App Store7 min
TestFlight: 'Waiting for Review' vs 'Ready to Test'?
'Ready to Test' means a build is installable now; 'Waiting for Review' means an external build is queued for Beta App Review. Here is the difference.
Laurens Dauchy · May 24, 2026
- Security8 min
TOCTOU and race conditions in mobile apps
A TOCTOU bug exploits the gap between checking a condition and acting on it, like double-submitted payments. The fix is atomic, server-side enforcement. Here is how.
Laurens Dauchy · May 24, 2026
- iOS7 min
Version vs build number on iOS: what's the difference?
Version (CFBundleShortVersionString) is the public release users see; build (CFBundleVersion) is the counter that must climb with every upload. Here is how they work.
Laurens Dauchy · May 24, 2026
- Security8 min
Vulnerability disclosure: handling a reported flaw
When a researcher reports a flaw in your app, a clear channel and a prompt, professional response turn it into a quiet fix. Here is how to set up and run disclosure.
Laurens Dauchy · May 24, 2026
- Security8 min
Weak cryptography and hardcoded keys in mobile apps
A hardcoded key ships in the binary and voids your encryption; weak algorithms break quietly. Here is what counts as weak crypto and how to do it right.
Laurens Dauchy · May 24, 2026
- Security8 min
Weak randomness and SecureRandom in mobile apps
A token generated with an ordinary random function can be predictable, and predictable means guessable. Use the platform's secure random for security values. Here is how.
Laurens Dauchy · May 24, 2026
- Security8 min
WebSocket security for mobile apps
WebSockets are persistent, two-way connections, so they need wss encryption, handshake authentication, per-action authorization, and message validation. Here is how to secure one.
Laurens Dauchy · May 24, 2026
- Privacy8 min
What happens if you lie on App Store privacy labels?
An inaccurate App Privacy label violates Guideline 5.1.1 and risks rejection, removal, and legal liability. Apple checks it against your app's real behavior. Here is the detail.
Laurens Dauchy · May 24, 2026
- Privacy8 min
What is App Tracking Transparency (ATT)?
ATT requires permission before your iOS app tracks users across apps or uses the IDFA. A bundled SDK can trigger it. Here is when you need it and how to handle it.
Laurens Dauchy · May 24, 2026
- Security8 min
What is the OWASP MASTG?
The MASTG is OWASP's guide to how to test mobile app security, the companion to MASVS. Here is what it is and how it relates to MASVS and the Mobile Top 10.
Laurens Dauchy · May 24, 2026
- Security8 min
What is the OWASP Mobile Top 10?
The OWASP Mobile Top 10 is the ranked list of the most critical mobile app security risks. Here are the 2024 entries and how it relates to MASVS.
Laurens Dauchy · May 24, 2026
- App Store7 min
Why is my app status 'Metadata Rejected'?
Metadata Rejected means the problem is in your listing, not your binary. You fix the metadata and reply to App Review, usually without uploading a new build. Here is how to clear it.
Laurens Dauchy · May 24, 2026
- Privacy8 min
Widget data privacy in mobile apps
Widgets show app content on the home and lock screen, visible without opening the app or authenticating. Here is how to keep sensitive data out of widgets and protect shared data.
Laurens Dauchy · May 24, 2026
- Security8 min
Windsurf AI: keeping your AWS keys out of the bundle
A hardcoded AWS key in your app can expose your whole account. Windsurf may embed them. Use Cognito or a backend proxy instead. Here is the fix.
Laurens Dauchy · May 24, 2026
- Security8 min
Windsurf AI: a security audit of the generated .yml files
Generated CI/CD .yml files often hide hardcoded secrets, broad permissions, and unpinned actions. They control your build, so audit them. Here is the checklist.
Laurens Dauchy · May 24, 2026
- AI-coded apps8 min
Windsurf Cascade prompt injection: how do I contain the risk?
Cascade reads files and runs tools, so untrusted content can hijack it to exfiltrate your secrets. Here is how prompt injection works and how to contain it.
Laurens Dauchy · May 24, 2026
- Security8 min
XPath injection in mobile backends
If your backend queries XML with XPath built from user input, an attacker can inject XPath to bypass login or read data. Here is how XPath injection works and how to prevent it.
Laurens Dauchy · May 24, 2026
- Security8 min
XXE: XML external entity injection in mobile apps
If your app parses XML, a malicious document can make the parser read local files, make requests, or exhaust resources. Here is how XXE works and how to disable it.
Laurens Dauchy · May 24, 2026
- Security8 min
Zip Slip: insecure archive extraction in mobile apps
Extracting an archive whose entry names contain '..' can write files outside the target folder, overwriting app data or code. Here is how Zip Slip works and how to extract safely.
Laurens Dauchy · May 24, 2026
- App Store11 min
What Does 'Ready for Sale' Mean in App Store Connect?
Ready for Sale (now Ready for Distribution) means your app is approved and released, but reaching all storefronts and App Store search takes hours up to about a day.
Laurens Dauchy · May 23, 2026
- AI-coded apps11 min
Cursor Pro vs Claude Engineer for Mobile Dev
Cursor Pro is an AI editor you drive; Claude Code is a terminal agent that works autonomously. Neither replaces Xcode, and both generate code you must audit.
Laurens Dauchy · May 23, 2026
- App Store11 min
Does Apple Review Apps on Thanksgiving?
Does Apple review apps on Thanksgiving? Yes, no shutdown. Which holidays actually have shutdown dates, Black Friday timing, and when to request an expedite.
Laurens Dauchy · May 23, 2026
- Security8 min
Is it safe to use unsafe-inline in an AI app's WebView?
unsafe-inline defeats CSP's XSS protection, and in a WebView with a native bridge that turns a web bug into device access. Here is the risk and the fix.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Can a Rork AI-built app be hacked?
AI-built apps are not magically insecure, but Rork ships a real mobile binary where hardcoded keys and weak storage are extractable. Here is the real risk.
Laurens Dauchy · May 23, 2026
- App Store7 min
What screenshot sizes does the App Store require in 2026?
App Store screenshots come down to two required sizes: a 6.9-inch iPhone and a 13-inch iPad. Here are the exact pixel dimensions, formats, and rules for 2026.
Laurens Dauchy · May 23, 2026
- iOS7 min
How do I fix ITMS-90032 'The upload is invalid'?
ITMS-90032 means the upload is invalid because the app icon is missing or has transparency. Here is why a flat, opaque 1024 PNG icon fixes it.
Laurens Dauchy · May 23, 2026
- Privacy8 min
How do I fix a missing Camera or Photos Purpose String?
Error ITMS-90683 means a camera or photo library key is missing from Info.plist. Here is which key to add, why an SDK can trigger it, and how to fix it.
Laurens Dauchy · May 23, 2026
- iOS7 min
How long does the Apple Notary Service take?
Most notarizations finish in minutes, but a flagged or large submission can take longer. Here is the typical time and what stalls the notary service.
Laurens Dauchy · May 23, 2026
- App Store8 min
How do I fix an App Store Guideline 4.8 login rejection?
Guideline 4.8 requires an equivalent privacy-friendly login when you offer Google or Facebook sign-in. Here is what counts, who is exempt, and how to fix it.
Laurens Dauchy · May 23, 2026
- App Store8 min
Why was my AI-generated app icon rejected under 5.2?
Guideline 5.2 rejects assets that use third-party IP. An AI icon can reproduce a logo or character even with commercial rights. Here is the risk and the fix.
Laurens Dauchy · May 23, 2026
- App Store8 min
Why did my App Store review time reset?
Uploading a new build or rejecting your own submission sends App Review back to the start. Here is what resets the clock, and what leaves it running.
Laurens Dauchy · May 23, 2026
- App Store7 min
App Store 'Returned' vs 'Rejected': what's the difference?
'Returned' is not a rejection. It usually means an in-app purchase came back because no app binary was submitted with it. Here is the difference and the fix.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
What does a Bolt.new security scan report show?
A Bolt.new security scan surfaces exposed keys, open Supabase tables, and missing auth in AI-generated code. Here is what it checks and how to act on it.
Laurens Dauchy · May 23, 2026
- App Store7 min
Can I appeal an App Store rejection a second time?
Yes. You can re-engage and escalate through the Resolution Center, a call, and the App Review Board. Here is the ladder and how to make a second appeal count.
Laurens Dauchy · May 23, 2026
- App Store7 min
Can a startup expedite its App Store review?
Anyone can request expedited review, but there is no startup fast lane. It is granted for a critical bug, a security issue, or a real event. Here is what qualifies.
Laurens Dauchy · May 23, 2026
- Security8 min
Does App Review check your Supabase or Firebase backend rules?
App Review requires your backend to be live, but it does not audit your Supabase RLS or Firebase rules. Here is the exact line it checks, and who owns the rest.
Laurens Dauchy · May 23, 2026
- App Store8 min
Does Apple test in-app purchases during review?
Yes. Reviewers attempt your purchase and restore in the sandbox, so the first IAP must ship with the version and your products must load. Here is what to check.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Does Bolt.new use secure session management?
Bolt.new relies on the auth provider, usually Supabase, whose sessions are secure by design. The risk is how the generated app stores tokens and enforces access.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Does Cursor save my hardcoded API keys to the cloud?
Cursor sends code to its servers for AI features, but Privacy Mode and plaintext discard limit what is stored. The real risk is the key shipping in your app.
Laurens Dauchy · May 23, 2026
- App Store8 min
Does TestFlight review take longer for the first build?
Yes. The first build of each version goes through Beta App Review, while later builds of the same version usually reach testers in minutes. Here is why.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Does Windsurf keep my code or prompt data?
Windsurf retains code by default on individual plans unless you turn on Zero Data Retention. Here is what is kept, what ZDR changes, and what telemetry does not.
Laurens Dauchy · May 23, 2026
- iOS8 min
How do I fix 'Invalid Code Signature' in Xcode 16?
Invalid Code Signature means your app's signing seal is broken, usually a modified bundle or an unsigned framework. Here is how to clean, re-sign, and fix it.
Laurens Dauchy · May 23, 2026
- App Store8 min
How do I fix a Guideline 1.1 rejection for an AI chat app?
Guideline 1.1 hits AI chat apps that can produce objectionable content with no guardrails. The fix is moderation plus report and block. Here is how to add it.
Laurens Dauchy · May 23, 2026
- App Store8 min
How do I fix a Guideline 3.1.1 in-app purchase rejection?
Guideline 3.1.1 requires Apple in-app purchase for digital goods consumed in your app. Here is the digital-versus-physical line, the US link change, and the fix.
Laurens Dauchy · May 23, 2026
- App Store8 min
How do I fix a Guideline 4.2 'minimum functionality' rejection?
Guideline 4.2 rejects AI apps that are thin wrappers around a chat API. The fix is native value the web and a generic bot do not offer. Here is how.
Laurens Dauchy · May 23, 2026
- App Store8 min
Why did Guideline 4.1 reject my app's name or icon?
Guideline 4.1 rejects copycats and apps using another brand, including Apple trademarks like iPhone, in the name or icon. Here is what fails and the fix.
Laurens Dauchy · May 23, 2026
- App Store8 min
Guideline 4.3(a) vs 4.3(b): why was my app flagged as a clone?
4.3(a) covers duplicate or look-alike apps, 4.3(b) covers saturated categories, and the commercial-clone rule is actually 4.2.6. Here is the difference and the fix.
Laurens Dauchy · May 23, 2026
- iOS8 min
How do I find the missing 'sealed resource' (ITMS-90035)?
ITMS-90035 means a sealed resource is missing or modified, but not always which one. codesign verify names the exact file. Here is how to find and fix it.
Laurens Dauchy · May 23, 2026
- App Store7 min
How do I fix App Store Connect error 701?
Error 701 means your build's bundle ID does not match an app record in App Store Connect, usually because the app was not created. Here is how to fix it.
Laurens Dauchy · May 23, 2026
- Privacy8 min
How do I fix ITMS-90683 missing Bluetooth Purpose String?
ITMS-90683 for Bluetooth means a CoreBluetooth reference has no usage string. Add NSBluetoothAlwaysUsageDescription. Here is the key, the SDK trap, and the fix.
Laurens Dauchy · May 23, 2026
- iOS7 min
How do I fix 'The app is not properly signed' in SideStore?
The SideStore 'not properly signed' error is a certificate or anisette failure, not a corrupt app. Here are the common causes and the fixes, in order.
Laurens Dauchy · May 23, 2026
- Security8 min
How do I hide API keys in an Expo managed app?
You cannot truly hide a runtime secret in an Expo app; EXPO_PUBLIC values ship in plaintext. Here is what is safe in the client and what belongs on a server.
Laurens Dauchy · May 23, 2026
- iOS8 min
How do I symbolicate crash logs from App Store Connect?
A crash log full of hex addresses needs symbolication: matching the dSYM to the build by UUID. Here is how to do it in Xcode and from the command line.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Is Bolt.new safe for handling healthcare data?
Bolt.new is a code generator, not a HIPAA solution. Compliance comes from your architecture and a signed BAA with every vendor that touches PHI. Here is the line.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Is Cursor AI code secure enough for production?
Cursor writes working code fast, but working is not secure. AI code carries flaws like hardcoded secrets and bad dependencies. Here is how to verify it.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Is it safe to import Lovable projects into Replit Agent?
Importing Lovable code into Replit Agent is safe as a step, but you inherit its hardcoded keys and RLS gaps. Here is how to migrate without carrying flaws.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Does Windsurf obfuscate my mobile app code by default?
No. Windsurf ships plain source, and obfuscation is a build step you add. More importantly, obfuscation does not secure a hardcoded key. Here is what does.
Laurens Dauchy · May 23, 2026
- iOS8 min
How do I fix ITMS-90338 non-public API usage?
ITMS-90338 means your binary references a private Apple symbol, usually from a legacy SDK like ReachabilitySwift. Here is how to find the culprit and fix it.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Is the Lovable preview URL secure?
A Lovable preview URL is public to anyone with the link and runs your real app, so it is only as secure as your auth, RLS, and keys. Here is what it exposes.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Lovable vs Windsurf: how do their security features compare?
Lovable and Windsurf secure different things: Lovable scans the app it builds, Windsurf protects your code's privacy. Both offer ZDR. Here is the comparison.
Laurens Dauchy · May 23, 2026
- App Store8 min
How do I fix an App Store Guideline 2.5.2 rejection?
Guideline 2.5.2 bans downloading or running code that changes your app's features. OTA JS updates are fine; a remote eval is not. Here is the line and the fix.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Replit Agent: is Supabase or Firebase easier to secure?
Both Supabase and Firebase are secure when configured, but they fail in different ways. Here is the security comparison for first-time builders using Replit Agent.
Laurens Dauchy · May 23, 2026
- AI-coded apps8 min
Replit Agent: Supabase or Replit DB, which is safer?
Replit DB is a simple server-side key-value store with no row-level security; Supabase adds per-user RLS. Here is which is easier to secure for your app.
Laurens Dauchy · May 23, 2026
- Security8 min
Does Apple check for hardcoded Firebase config?
No. The Firebase config is public by design, so Apple does not flag it. Your Security Rules and the service-account key are what actually matter. Here is the line.
Laurens Dauchy · May 23, 2026
- Security8 min
Why does Supabase RLS fail silently in mobile apps?
Supabase RLS denials return empty results, not errors, so a data leak or a lockout is silent. Here is why it matters in mobile apps and how to test it.
Laurens Dauchy · May 23, 2026
- App Store7 min
Why does my TestFlight build say 'Expired'?
TestFlight builds expire 90 days after upload, and testers lose access. It is not a bug. Here is why it happens and how to get your beta running again.
Laurens Dauchy · May 23, 2026
- App Store8 min
TestFlight vs Sandbox: how do I test in-app purchases?
Three ways to test IAP: a local StoreKit file, the Sandbox, and TestFlight. Here is which uses your real Apple ID, which you can reset, and when to use each.
Laurens Dauchy · May 23, 2026
- Security12 min
iOS Jailbreak Detection Bypass with Frida
Frida bypasses iOS jailbreak detection by hooking the check's return value. Why a single isJailbroken function fails, and how to harden and move trust server-side.
Laurens Dauchy · May 22, 2026
- Security12 min
5 Escáneres de Vulnerabilidades de Android vs Play Protect: Documentación OWASP Oficial
Los 5 escáneres de vulnerabilidades de Android frente a Play Protect: en qué se diferencian, cuáles usar y cómo se alinean con OWASP MASVS y MASTG.
Laurens Dauchy · May 22, 2026
- App Store11 min
Can I Transfer an App from Personal to Company Apple Account?
Yes, you can transfer an App Store app from a personal to a company account. The bundle ID stays the same, reviews and ratings carry over, and users keep updates.
Laurens Dauchy · May 22, 2026
- App Store11 min
Fixing the DUNS Number Delay for Apple Developer Enrollment
Fixing a DUNS number delay for Apple Developer enrollment: the D&B-to-Apple sync lag of up to two weeks, how to expedite D&B issuance, and matching your details.
Laurens Dauchy · May 22, 2026
- Google Play11 min
Google Play Data Safety Review Taking Too Long
A Google Play data safety review usually takes up to a week, or one to two weeks for expanded reviews. It holds the update, not your live app. Check status, do not resubmit.
Laurens Dauchy · May 21, 2026
- AI-coded apps12 min
Why "Vibe Coding" Apps Are Leaking Corporate Data
Why vibe coding apps leak corporate data: skipped backend auth, hardcoded tokens, and Supabase anonymous access without RLS, and what to do about it.
Laurens Dauchy · May 21, 2026
- Builders11 min
Supabase Maximum Number of Clients Reached Error
The Supabase max-clients error means you hit the connection pooler's limit. Use transaction mode (port 6543) for serverless, reuse one client, raise the pool size.
Laurens Dauchy · May 21, 2026
- AI-coded apps12 min
Lovable App Security Risks: What AI Builders Miss
The 3 security risks Lovable and AI builders miss: hardcoded API secrets, Supabase RLS left off, and published source maps. How to check and fix each.
Laurens Dauchy · May 21, 2026
- App Store12 min
App Store Veröffentlichen (2026): Echte Kosten & Freigabe-Dauer
Was kostet die Veröffentlichung im App Store und wie lange dauert die Freigabe 2026? 99 US-Dollar pro Jahr, meist unter 24 Stunden Prüfung, plus was sie verlangsamt.
Laurens Dauchy · May 21, 2026
- Security12 min
Bypass Root Detection Android (Frida Script 2026)
Why Android root detection is bypassable (Frida hooks, RootBeer, Magisk DenyList), how to test your own app responsibly, and how to harden it with Play Integrity.
Laurens Dauchy · May 21, 2026
- Google Play10 min
Google Playのアプリ審査が長い!保留される原因と遅い時の対処法
Google Playのアプリ審査が長い理由と、保留される主な原因、再アップロードの影響、管理公開の確認、そして遅いときの具体的な対処法とサポート連絡の手順をまとめます。
Laurens Dauchy · May 21, 2026
- Builders12 min
EAS Build iOS Missing Provisioning Profile Error
EAS Build iOS missing provisioning profile? Use the Expo credentials manager to set up or regenerate credentials, and match the bundle ID and distribution type.
Laurens Dauchy · May 20, 2026
- App Store12 min
How to Upload IPA File to App Store Connect Without Mac
You can't build an iOS IPA without a Mac, but cloud services like Expo EAS, Codemagic, and CI runners build and upload for you. Transporter alternatives explained.
Laurens Dauchy · May 20, 2026
- App Store12 min
Transfer Bugs: Bundle ID Already Used Error During iOS Dev Handover
Why the bundle identifier already in use error appears during an iOS app transfer, which certificates and profiles are involved, and the safe retry path.
Laurens Dauchy · May 20, 2026
- App Store12 min
App Store Rejection Guideline 2.1 Performance (Fix)
App Store Guideline 2.1 performance rejection: how to read and symbolicate crash logs, fix IPv6-only network bugs, add a demo account, and resubmit cleanly.
Laurens Dauchy · May 20, 2026
- Builders11 min
Expo EAS Build Free Limit Exceeded (Bypass & Alternatives)
Hit the Expo EAS Build free limit? Wait for the reset, upgrade, or build locally. Local builds run on your hardware and dont use your cloud quota; Turtle CLI is retired.
Laurens Dauchy · May 20, 2026
- App Store12 min
TestFlight: Could Not Install App (Couldn't Load)
TestFlight could not install app or couldn't load the app? Usually the tester's iOS is below the build's minimum, a network hiccup, an expired build, or low storage.
Laurens Dauchy · May 20, 2026
- App Store12 min
Error ITMS-90054: This Bundle is Invalid (Fixed)
ITMS-90054 means the bundle identifier cannot be changed from the previous version. Why it happens across Xcode, Fastlane, and Expo, and how to revert and fix it.
Laurens Dauchy · May 20, 2026
- App Store12 min
"En Cours d'Examen" : Que Faire Quand Apple Met Trop de Temps
Votre app est en cours d'examen depuis plusieurs jours ? Ce qui est normal, ce qui ralentit, si resoumettre remet le compteur à zéro et quand contacter Apple.
Laurens Dauchy · May 20, 2026
- App Store11 min
What Happens if I Ignore App Store Missing Compliance?
Ignoring the App Store Missing Compliance warning won't remove your live app, but it holds the new build until you answer the export compliance question.
Laurens Dauchy · May 20, 2026
- Security12 min
React Native Hermes Bytecode Decompiler Tools
React Native Hermes compiles JS to HBC bytecode, but it is not obfuscation. How hbctool and other decompilers recover it, and why to keep secrets off the client.
Laurens Dauchy · May 19, 2026
- App Store12 min
TestFlight Build Missing Beta Entitlement Error
The TestFlight missing beta entitlement error means your build wasn't signed for App Store distribution. Fix it in Xcode or Fastlane match, not by hand.
Laurens Dauchy · May 19, 2026
- Security12 min
Is Flutter Secure for Banking Apps? (2026 Audit)
Is Flutter secure for banking apps? Only if you build it right: Dart is reverse-engineerable, obfuscation is not a control, and real trust lives server-side.
Laurens Dauchy · May 19, 2026
- Android11 min
Documentación de Seguridad 2026: Los Permisos "Peligrosos" en Android
Qué son los permisos 'peligrosos' en Android, la lista por categoría, por qué importan para la seguridad y la revisión de la tienda, y cómo minimizarlos.
Laurens Dauchy · May 19, 2026
- OWASP MASVS11 min
OWASP MASVS vs. MASTG: Entenda as Diretrizes de Segurança Mobile
OWASP MASVS vs MASTG: o MASVS define os requisitos de segurança (o quê) e o MASTG descreve como testá-los (o como). Entenda a diferença e como usá-los.
Laurens Dauchy · May 19, 2026
- App Store12 min
TestFlight Beta App Review Rejected: Next Steps
A TestFlight beta rejection is Beta App Review declining your build, usually guideline 2.1 for a crash or incomplete app. How to get crash logs and resubmit.
Laurens Dauchy · May 19, 2026
- App Store10 min
Aplicativo da Apple travado na revisão de fim de semana
App parado na revisão da Apple no fim de semana quase sempre é fila normal. A App Review funciona todos os dias. Saiba quando esperar e quando escalar.
Laurens Dauchy · May 19, 2026
- Google Play12 min
How to Fix Google Play Policy Violation (Common Causes)
How to fix a Google Play policy violation: read the exact policy cited, then fix common causes like misleading metadata, broken links, and permission issues.
Laurens Dauchy · May 18, 2026
- App Store12 min
TestFlight Build Processing Taking Hours (Is it Stuck?)
TestFlight build processing for hours? Check Apple's System Status for an outage first, and if it's genuinely stuck with no outage, upload a new build number.
Laurens Dauchy · May 18, 2026
- AI-coded apps12 min
Supabase Service Role Key Exposed in JS Bundle
Supabase service_role key in your JS bundle? It's a full database compromise. Rotate it now, why webpack inlined it, how source maps expose it, and the real fix.
Laurens Dauchy · May 18, 2026
- Security9 min
Can Apple See My Firebase Database When I Submit My App?
Apple has no backdoor into your Firebase project, but anyone holding your bundle, including App Review, can probe whatever your Security Rules allow.
Laurens Dauchy · May 18, 2026
- Security9 min
Can Apple See My Hardcoded Secrets In Minified JS Bundles?
Minification renames variables, it does not hide your strings. Apple does not extract them, but anyone with your IPA can read them in under a minute.
Laurens Dauchy · May 18, 2026
- App Store9 min
Why did Apple reject my app for 2.5.2 over CodePush?
Apple App Review keeps citing Guideline 2.5.2 on builds that include CodePush. Here is what the rule covers and how the line moved after App Center retired.
Laurens Dauchy · May 18, 2026
- Privacy9 min
Why did Apple reject my app for 5.1.1 missing AdMob manifest?
Apple keeps citing Guideline 5.1.1 on iOS apps that ship the GoogleMobileAds SDK without a PrivacyInfo.xcprivacy file. Here is the fix line.
Laurens Dauchy · May 18, 2026
- Privacy9 min
Why did Apple reject my app for 5.1.1(v) social login?
Apple App Review keeps citing Guideline 5.1.1(v) on apps that use Google or Facebook sign-in but skip in-app account deletion. Here is the line.
Laurens Dauchy · May 18, 2026
- Privacy8 min
How do you add PrivacyInfo.xcprivacy to an Expo managed project?
For Expo SDK 50 and later, the privacy manifest lives in app.json under expo.ios.privacyManifests, and prebuild writes it during the build.
Laurens Dauchy · May 18, 2026
- App Store8 min
How do I request expedited App Review for a critical security bug?
Apple grants expedited App Review for genuinely critical bugs, and a security defect with a named exploit clears that bar when the request is specific and short.
Laurens Dauchy · May 18, 2026
- AI-coded apps9 min
Is Bolt.new production ready for security?
What Bolt.new's default auth, database, and key handling actually look like, and what you have to harden before sending real users to a Bolt build.
Laurens Dauchy · May 18, 2026
- Builders9 min
Is Bolt.new safe for medical app development?
Bolt.new ships working code fast, yet medical apps need a signed BAA, audited PHI controls, and source code patterns the AI does not produce by default.
Laurens Dauchy · May 18, 2026
- AI-coded apps8 min
Is Windsurf AI code obfuscated by default?
What Windsurf's Cascade actually outputs, why Hermes bytecode is not real obfuscation, and where in the build pipeline obfuscation actually belongs.
Laurens Dauchy · May 18, 2026
- Privacy8 min
How do I fix ITMS-91053 for the disk space API?
ITMS-91053 lands when your iOS binary calls a disk space API without naming a reason. Here is how to spot the call, write the manifest entry, and resubmit.
Laurens Dauchy · May 18, 2026
- AI-coded apps9 min
Why does my Lovable.dev app return 403 on Supabase storage upload?
A Lovable.dev file upload that fails with 403 Forbidden almost always points at a missing storage RLS policy, not a bug. Here is the fix.
Laurens Dauchy · May 18, 2026
- App Store8 min
Why did Apple reject my app for Guideline 2.3.1 hidden features?
Guideline 2.3.1 covers hidden, dormant, or undocumented features; here is what App Review actually looks for and how to clear the rejection.
Laurens Dauchy · May 18, 2026
- AI-coded apps9 min
Replit Agent: how do I secure the Postgres connection string?
Replit Agent stores DATABASE_URL in encrypted Secrets, but it can still leak the Postgres connection string into client bundles and config files.
Laurens Dauchy · May 18, 2026
- AI-coded apps8 min
How do I fix a Replit Agent publishing loop with shutdown?
When the Replit publishing pane hangs in the upload phase, the Manage deploy shutdown is the cleanest reset, but it has costs worth knowing.
Laurens Dauchy · May 18, 2026
- AI-coded apps8 min
Why did Shutdown fix my Replit Agent publishing loop?
Multiple Replit Discourse threads show the Manage panel Shutdown clearing a stuck deploy. The reset has real costs and limits worth knowing first.
Laurens Dauchy · May 18, 2026
- AI-coded apps8 min
Why is my Replit Expo deploy stuck on the View Log login page?
The eas-cli login URL printed in your Replit Shell often loops back to a sign in screen. The root cause is usually a missing EXPO_TOKEN secret.
Laurens Dauchy · May 18, 2026
- Security8 min
Does Apple Review Hardcoded API Keys?
Apple's App Review does not scan for hardcoded API keys. The static pass targets malware, not credentials. Here is what an attacker pulls from your IPA.
Laurens Dauchy · May 18, 2026
- Security9 min
Is my Neon database secure for a mobile app?
Neon ships secure infrastructure by default, but a mobile app that hits the connection string directly hands the keys to anyone who unzips the binary.
Laurens Dauchy · May 18, 2026
- Security8 min
Does Apple Check for Supabase Anon Key Abuse?
Apple does not test your Supabase RLS. The anon key is fine to ship; an open table is not. Here is what reviewers see, and what they miss.
Laurens Dauchy · May 18, 2026
- App Store9 min
When does TestFlight external testing get approved in 2026?
External TestFlight builds in 2026 are clearing Beta App Review in days, not hours, with AI features and new SDK strings pushing waits longer.
Laurens Dauchy · May 18, 2026
- App Store9 min
Why is my TestFlight external testing waiting for 1 week?
At the 1-week mark in 2026, external TestFlight builds often sit in Waiting for Beta Review because of an AI-workload queue, not the build itself.
Laurens Dauchy · May 18, 2026
- App Store8 min
Why is my TestFlight build stuck on Processing for 12 hours?
In 2026, a 12-hour TestFlight Processing wait usually points at a silent upload fault, and the Cancel and Increment pattern clears most stalls fast.
Laurens Dauchy · May 18, 2026
- App Store8 min
Why has my TestFlight build been Processing for 24 hours?
A TestFlight build stuck on Processing for 24 hours in 2026 has crossed Apple's documented line, and the right move runs reset and Feedback Assistant together.
Laurens Dauchy · May 18, 2026
- App Store8 min
TestFlight Processing stuck for 24 hours: what Reddit shows
What developer threads on Reddit and the Apple Developer Forums actually report about TestFlight builds frozen in Processing during the 2026 AI-app submission surge.
Laurens Dauchy · May 18, 2026
- App Store8 min
Why is my TestFlight public link 'Waiting for Review'?
When a TestFlight build sits in Waiting for Review, the public link goes dark. Here is what the state means and the levers that actually move it.
Laurens Dauchy · May 18, 2026
- App Store8 min
How long does TestFlight review take, internal vs external?
Internal TestFlight builds skip review entirely; external builds wait for Beta App Review, which usually clears in hours but can stretch into days.
Laurens Dauchy · May 18, 2026
- App Store8 min
What does 'Developer Response Required' mean in App Store Connect?
The phrase is not an official Apple status. It usually points to a Rejected app, an in-app purchase in Developer Action Needed, or an open Resolution Center thread.
Laurens Dauchy · May 18, 2026
- App Store8 min
Why is my build stuck on Processing for 48 hours?
App Store Connect Processing at 48 hours sits twice past Apple's documented 24-hour line; here is the escalation path and reset that actually work.
Laurens Dauchy · May 18, 2026
- App Store8 min
Why is my TestFlight build greyed out in App Store Connect?
A greyed out TestFlight build in App Store Connect almost always traces to Missing Compliance or a status that disqualifies it; here are the documented fixes.
Laurens Dauchy · May 18, 2026
- App Store8 min
Why is my TestFlight build taking 12+ hours to process?
A 12+ hour TestFlight Processing wait usually traces to a small set of preventable triggers, and a few documented upload choices skip the queue altogether.
Laurens Dauchy · May 18, 2026
- App Store8 min
Why is my TestFlight public link still 'In Review'?
TestFlight public links go dark while the build sits in Beta App Review; here is what In Review actually means and the levers that move it.
Laurens Dauchy · May 18, 2026
- AI-coded apps11 min
Can Cursor AI Read My Environment Variables? (.env Security)
Can Cursor AI read your .env? What it indexes, whether files are uploaded, what Privacy Mode does, and how to keep secrets out of the editor and your app.
Laurens Dauchy · May 17, 2026
- App Store11 min
Bundle ID Already Used Apple Developer (Fix)
Bundle ID already used on Apple Developer? Whether you can delete it, whether an app transfer can reclaim it, and when you must choose a new bundle ID.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Is the code Bolt.new generates safe to ship to production?
Bolt.new ships a working app in minutes, but the default output leaks API keys, skips Supabase Row Level Security, and pulls in an unaudited npm tree.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
How do I fix Invalid Binary on a Lovable.dev iOS upload?
App Store Connect flips a Lovable.dev iOS upload to Invalid Binary when Apple's ingestion audit rejects the archive, often a missing privacy manifest.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
What should I check in my Lovable app before App Store submission?
A pre-submission security pass for Lovable builds: Supabase RLS, exposed keys, Edge Functions, and the App Review and Play policies that catch them.
Laurens Dauchy · May 17, 2026
- AI-coded apps9 min
Is my Lovable.dev app exposing the Supabase service_role key?
A Lovable.dev project that uses the Supabase service_role key in the browser hands an attacker the entire database. The fix starts with rotation.
Laurens Dauchy · May 17, 2026
- iOS8 min
Why does AltStore say invalid code signature, and how do I fix it?
AltStore re-signs every IPA with a seven-day Apple ID certificate before install. Four signing failures account for the invalid code signature error.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my app for Guideline 5.1.2 data use?
Guideline 5.1.2 rejections cite data use and sharing: a build that tracks, transmits, or shares user data without proper consent, ATT, or disclosure.
Laurens Dauchy · May 17, 2026
- App Store8 min
How long does App Store review take for a bug fix?
Apple says 90% of submissions clear review in under 24 hours, but bug fix updates in 2026 commonly take 24 to 72 hours, sometimes longer.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my App Store Connect build stuck on Processing for 24h?
Processing is the quiet gap between upload and Ready to Submit, with no Apple target time. Here is what causes the 24-hour stall and what to do.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my app stuck on Waiting for Review on App Store Connect?
App Store Connect can sit on Waiting for Review for hours or weeks in 2026. Here is what the status actually means and how to read the queue.
Laurens Dauchy · May 17, 2026
- App Store9 min
iOS Notarization vs App Store Review: what's actually different?
A plain explanation of how Apple's Notarization for EU and Japan alternative marketplaces differs from the full App Store Review, and what to scan before either.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my app 'Pending Developer Release' for days?
The status means Apple approved your build but parked the release in your hands, because you picked Manual release at submission. Here is what to do.
Laurens Dauchy · May 17, 2026
- Privacy9 min
Which APIs are on Apple's privacy manifest required reason list?
The five required reason API categories Apple checks on App Store upload, the approved reason codes, and how to declare each one in PrivacyInfo.xcprivacy.
Laurens Dauchy · May 17, 2026
- App Store9 min
What happens if I lie on the App Store Privacy Nutrition Labels?
Apple compares your Privacy Nutrition Label answers in App Store Connect against your binary and your SDKs, and a mismatch can pull future updates or your app.
Laurens Dauchy · May 17, 2026
- App Store9 min
Why is my AI-built habit tracker rejected under 4.2?
App Store reviewers are rejecting AI-generated medication and habit trackers under Guideline 4.2. Here is what the wording actually means.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my AI-built app as 4.3(a) design spam?
Apple's 4.3(a) spam clause flags AI-coded apps when the metadata, screenshots, or concept sit too close to a saturated cluster. Here is what fixes it.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my app under 4.8 for Sign in with Apple?
Guideline 4.8 covers Login Services. If your app offers Google or Facebook login, Apple wants an equivalent privacy-respecting option.
Laurens Dauchy · May 17, 2026
- Privacy8 min
Why did App Store 5.1.1 flag my privacy policy as not linked?
App Store reviewers reject under 5.1.1 when the privacy policy URL is not clickable inside the app, even when the metadata field in App Store Connect is filled in.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my app under 5.2.2 for AI-generated icons?
Apple's 5.2.2 often hits AI-coded apps when generated icons borrow Disney, Nintendo, or sports league marks. The fix is rarely just a new icon prompt.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did App Store review times stretch on Reddit in March 2025?
Reddit threads in March 2025 logged App Review waits of 7 to 14 days, well past Apple's 24 hour norm. Here is what changed, and what to check now.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my app stuck on Waiting for Export Compliance?
App Store Connect shows this status when it detects encryption in your build. Here is what triggers it, how to clear it, and how to stop seeing it again.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my app stuck in Waiting for Review for 7+ days?
Seven days is the soft threshold where most experienced iOS developers stop waiting and start acting. Here is the playbook for day 7 and beyond.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my app stuck in Waiting for Review for 5 days?
Five days on Waiting for Review feels long, but in 2026 it sits inside normal variance. Here is how to read the queue before you remove and resubmit.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my app under 3.1.1 for an in-app purchase link?
Guideline 3.1.1 still blocks external purchase links outside the US. After May 2025, US apps can include buttons, but the IAP rule itself stands.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my app under Guideline 3.2.2(ii)?
Your free utility asks for an email on first launch and the rejection cites a guideline that reads 'intentionally omitted'. Here is what Apple actually means.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my Apple App Review taking longer than usual in 2025?
App Review queues stretched in 2025 as submissions climbed roughly 24 percent. Most apps still clear within 48 hours, with edge cases longer.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Bolt.new: Is the database connection secure on mobile?
Bolt.new ships Expo for mobile with Supabase as the default database. The connection is safe only when three checks pass on key, RLS, and storage.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Bolt.new vs Lovable: which is safer to ship to production?
A side by side look at how Bolt.new and Lovable handle secrets, Supabase RLS, and server side logic, and what each builder gets wrong by default.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Can AI agents leak my .env to other developers?
Yes, when an AI coding agent quotes the value into a tracked file, a shared transcript, or an MCP config, the secret crosses developer boundaries fast.
Laurens Dauchy · May 17, 2026
- App Store8 min
Can AI-generated icons cause Guideline 5.2.2 rejections?
Image models pull silhouettes from the most-trained brands, so an unmodified AI icon often carries trademark exposure App Review flags first.
Laurens Dauchy · May 17, 2026
- App Store8 min
Can AI icons cause Guideline 5.2.2 IP rejections?
AI image tools quietly bake third-party brand fragments into icons. Here is when App Review reaches for 5.2.2, when it reaches for 5.2.1, and how to clear it.
Laurens Dauchy · May 17, 2026
- App Store8 min
Can AI icons cause Guideline 5.2.2 rejections?
Unmodified AI icons inherit brand fragments from training data, and that is exactly what App Review and trademark holders look for first.
Laurens Dauchy · May 17, 2026
- AI-coded apps9 min
Can Apple ban my developer account for AI spam?
Solo developers using Claude Code, Cursor, or FlutterFlow worry the next build will end an account. Here is the line between rejection and termination.
Laurens Dauchy · May 17, 2026
- AI-coded apps9 min
Why does Cursor AI hardcode API keys in my React Native app?
Cursor often writes the OpenAI, Supabase, or Stripe key straight into a React Native screen file, and Metro ships the value inside the JS bundle.
Laurens Dauchy · May 17, 2026
- App Store8 min
What is the difference between App Store and AltStore review?
AltStore PAL apps still pass through Apple, but the bar is lower than App Store review. Here is what changes for EU and Japan submissions.
Laurens Dauchy · May 17, 2026
- Security8 min
Does Apple check for hardcoded AWS S3 credentials?
No. Apple's review does not actively scan iOS binaries for AWS access keys, and live S3 credentials regularly ship through to the App Store.
Laurens Dauchy · May 17, 2026
- Security8 min
Does Apple check for hardcoded Firebase keys in 2026?
Apple's automated review does not scan IPAs for Firebase API keys in 2026. Here is what the App Store check covers, and what protects your project.
Laurens Dauchy · May 17, 2026
- Security8 min
Does Apple reject apps for using hardcoded Firebase keys?
Apple has no documented rejection rule for hardcoded Firebase keys in 2026. Here is what App Review actually flags, and what the project still needs.
Laurens Dauchy · May 17, 2026
- Security8 min
Does Apple App Review check for env variables in your build?
Apple does not grep your binary for env variables, but what you stash in them still ships inside the IPA. Here is what really survives the build process.
Laurens Dauchy · May 17, 2026
- Security8 min
Does Apple review check for hardcoded Firebase keys?
Apple's App Review process does not run a scanner against your Firebase API key. The line that matters is config keys versus real secrets in the IPA.
Laurens Dauchy · May 17, 2026
- Security8 min
Does Apple App Review actually check your server-side code?
Apple reviewers cannot read your server source, but they test your app against your live backend. Here is what they see and where the gap rejects builds.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Does Cursor AI save my .env variables in prompt history?
Privacy Mode in Cursor turns on Zero Data Retention with model providers, but your .env still gets read into prompts. Here is what stays and what leaks.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Do Lovable.dev apps pass App Store review?
Lovable.dev only ships web apps. Passing App Store review depends on the Capacitor wrapper, the native features around it, and Apple's Guideline 4.2.
Laurens Dauchy · May 17, 2026
- AI-coded apps9 min
Does Lovable.dev support Stripe integration safely?
Lovable can wire Stripe into your app in minutes, but the safe path depends on where the sk_live key actually lives. Here is what changes.
Laurens Dauchy · May 17, 2026
- App Store9 min
Does iOS Notarization check for hardcoded secrets?
A plain answer on whether Apple's Notarization for EU and Japan marketplaces scans your binary for API keys, plus what to scan before submission.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Does Replit Agent use secure cookies by default?
Replit Deployments serve HTTPS, but Replit Agent rarely sets HttpOnly, Secure, and SameSite on session cookies. Here is what to audit before launch.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Does Windsurf Cascade leak API keys in the prompt history?
Windsurf stores conversations locally and sends code telemetry by default, and disclosed prompt injection attacks can exfiltrate .env values out of your project.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Does Windsurf Cascade leak .env variables to the client?
Cascade does not automatically ship .env values to the browser. The real risks sit in two other places, both worth understanding before your next commit.
Laurens Dauchy · May 17, 2026
- Security8 min
Does the Expo extra field in app.json leak secrets in production?
The extra field in app.json is bundled into the public Expo config that ships inside every build, so any value there reads out on device.
Laurens Dauchy · May 17, 2026
- Security8 min
Does Expo SecureStore actually encrypt your data on Android?
Expo SecureStore wraps Android Keystore around SharedPreferences. Here is what that buys you, where AsyncStorage fails, and what a scanner will flag.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my AI chat app rejected under Guideline 1.2 UGC?
Apple expects AI chat apps to ship the same UGC safeguards as social apps: report buttons on every reply, blocking, filtering, and contact info.
Laurens Dauchy · May 17, 2026
- App Store8 min
Where do Report and Block buttons go in an AI chat app?
Guideline 1.2 expects per-message reports, per-counterparty blocks, and a real support address; reviewers test placement, not policy.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why does Apple reject 'app crashed on iPad running iPadOS 18.2'?
A Guideline 2.1 rejection that names iPadOS 18.2 means the reviewer caught a crash on a specific iPad. Here is how to read the log and ship a fix.
Laurens Dauchy · May 17, 2026
- App Store8 min
Guideline 2.1: my app requires login for gated features. What now?
A Guideline 2.1 rejection for login-gated features almost always means the reviewer could not test core functionality. The fix is demo access, not removing login.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my app for Guideline 2.1 crash on launch?
A reviewer says your build crashed before the home screen appeared. Here is what that rejection actually means and the fastest fix path.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my app for Guideline 2.5.2?
Guideline 2.5.2 blocks apps that download or execute code at runtime. Here is what actually triggers a 2.5.2 rejection and how to respond.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my AI chatbot app being rejected for Guideline 3.1.1?
App Review is flagging the Upgrade button that opens your Stripe checkout. Here is what counts as Digital Goods and how to actually comply in 2026.
Laurens Dauchy · May 17, 2026
- App Store9 min
What do I remove from my AI app after a 3.1.1 rejection?
App Review flagged your AI app under Guideline 3.1.1. Here is the audit list of every external purchase link that has to come out before you resubmit.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my AI wrapper under Guideline 4.2?
Apple flags AI wrappers under Guideline 4.2 when the binary adds no native value over a browser tab; native iOS features and a clear app-only purpose pass review.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my AI habit tracker under Guideline 4.2?
Apple's 4.2 Minimum Functionality clause is what flags most AI-coded habit trackers, meditation timers, and horoscope apps. Here is what triggers it.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why does Apple flag AI habit trackers under 4.3(a) design spam?
Habit trackers built with AI cluster on App Store Connect each week, and Apple's 4.3(a) spam clause picks them up. Here is what shifts the verdict.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why does Apple keep rejecting my AI app under Guideline 4.3(a)?
App Review fires Guideline 4.3(a) when your build reads as part of a clone pattern. The Notes for Review field is the lever that breaks that read.
Laurens Dauchy · May 17, 2026
- App Store8 min
Can rewriting Notes for Reviewer clear a Guideline 4.3(a) flag?
Solo iOS developers report that a precise rewrite of the App Store description and the Notes for Reviewer field sometimes clears a 4.3(a) spam rejection.
Laurens Dauchy · May 17, 2026
- App Store8 min
Guideline 4.3(a) or 4.3(b): which one rejected my AI wrapper?
Apple cites 4.3(a) and 4.3(b) almost interchangeably on AI wrapper rejections, yet the underlying signals are different. Here is what each one means in practice.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do you fix Guideline 5.1.1 account deletion for social logins?
Guideline 5.1.1(v) flags apps that skip in-app deletion. Social logins add a token revocation step. Here is what a passing flow looks like.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix a Guideline 5.1.1 BuddyBoss registration rejection?
Apple cites 5.1.1 when a BuddyBoss app registration form requires fields like birthdate, city, or state that the core community feature does not need.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix a Guideline 5.1.1 data collection and storage rejection?
A practical walkthrough of the six subletters of Apple's Guideline 5.1.1, with the exact fixes reviewers accept on resubmit in 2026.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix a Guideline 5.1.1(i) Data Collection rejection?
Apple cites Guideline 5.1.1(i) when the privacy policy is vague or when the signup form asks for personal data the core feature does not actually need.
Laurens Dauchy · May 17, 2026
- Privacy8 min
Why did Apple reject my AdMob app for a missing privacy manifest?
Apple sends ITMS-91061 under Guideline 5.1.1 when the Google Mobile Ads SDK is below 11.2.0 or its privacy manifest is not embedded in your iOS build.
Laurens Dauchy · May 17, 2026
- Privacy8 min
Why did Apple flag my Firebase build under Guideline 5.1.1?
Apple's Privacy Manifest rules and Guideline 5.1.1 collide when an older Firebase build lands in App Store Connect. Here is what to update first.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my BuddyBoss app under Guideline 5.1.1?
A BuddyBoss app rejection under Guideline 5.1.1 almost always points at non-essential registration fields like City, State, or Birthdate.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix a 5.1.1 rejection for required registration fields?
Apple rejects under Guideline 5.1.1 when a registration form blocks users with fields that are not directly relevant to the app's core functionality.
Laurens Dauchy · May 17, 2026
- App Store9 min
How do I rework app login to pass Guideline 5.1.1?
Apple flagged your app under Guideline 5.1.1 because the sign-in wall blocks features that are not account-based. Here is how to fix it.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I match OpenAI data sharing with App Privacy labels?
Guideline 5.1.2(i) requires disclosing third-party AI data sharing. Here is how to align your App Privacy nutrition label, in-app consent, and the binary.
Laurens Dauchy · May 17, 2026
- Privacy8 min
Why did Apple reject my app under Guideline 5.1.2?
Guideline 5.1.2 covers personal data sharing, third-party AI disclosure, and ATT compliance. Here is what App Review checks and how to fix it.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do you add PrivacyInfo.xcprivacy to an Expo project?
Apple's privacy manifest rule landed in May 2024. Here is how Expo SDK 50 and later generates PrivacyInfo.xcprivacy from a block in app.json.
Laurens Dauchy · May 17, 2026
- Security9 min
How do I add security headers to a Lovable app?
A Lovable app is a static Vite build. The clean way to set CSP, X-Frame-Options, and HSTS is at the host layer, not from the Lovable prompt itself.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do you bypass Export Compliance in App Store Connect?
The ITSAppUsesNonExemptEncryption key in Info.plist tells App Store Connect upfront so the Missing Compliance warning never blocks your TestFlight build.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix the 'Missing Purpose String' rejection in 2026?
App Store Connect blocks builds that call location APIs without a usage description in Info.plist. Here is what to add and which SDK to check.
Laurens Dauchy · May 17, 2026
- Security8 min
How do I check Supabase RLS policies from the terminal?
psql plus pg_policies and pg_class.relrowsecurity give a one-minute audit of every Row Level Security policy on a Supabase project from the terminal.
Laurens Dauchy · May 17, 2026
- Security8 min
How do you find hardcoded secrets in a React Native app?
The JavaScript bundle ships inside the APK or IPA as a near-plaintext file. Here is how to find hardcoded API keys before App Review does.
Laurens Dauchy · May 17, 2026
- Security8 min
How do I find hidden permissions in AI-generated code?
The sensors and APIs your AI agent silently wrote into Info.plist or AndroidManifest, the easy ones to miss, and how to audit a compiled build.
Laurens Dauchy · May 17, 2026
- Security8 min
How do I find hidden permissions in my Windsurf iOS build?
The keys Cascade silently adds to Info.plist when it agrees to wire up a feature, how to spot the orphans in a compiled IPA, and how to stop the drift.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix Apple's Guideline 5.1.1 for registration fields?
Apple rejects apps that demand city, state, or birthdate at registration when those fields are not tied to a real feature. Here is what to trim and how to reply.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix Guideline 5.2.2 for an AI-generated logo?
App Review can cite 5.2.2 when an AI logo carries a third-party service mark. Here is what triggers it and the clean way to clear the rejection.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do you fix ITMS-90683 Missing NSPhotoLibraryUsageDescription?
App Store Connect rejects builds that reference Photo Library APIs without a purpose string. Here is how to fix ITMS-90683 in one resubmission.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-90683 for missing Bluetooth purpose string?
ITMS-90683 means your IPA links Core Bluetooth without NSBluetoothAlwaysUsageDescription in Info.plist. Here is the fix when an AI agent wrote the code.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-90683 Missing Purpose String in Info.plist?
ITMS-90683 means your iOS binary calls a privacy-guarded API without an Info.plist purpose string. Here is the fix for AI-coded and no-code builds.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-91056 for Reachability.framework/PrivacyInfo?
App Store Connect returns ITMS-91056 when the PrivacyInfo.xcprivacy file shipped inside Reachability.framework carries a key or value its schema audit refuses.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix 'Missing API declaration' for disk_space in 2025?
Apple's privacy manifest rule for disk_space APIs still rejects iOS builds in 2025, and a February 2025 SDK change made the failure mode harder to debug.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix 'Missing API declaration' for disk_space?
The ITMS-91053 warning on NSPrivacyAccessedAPICategoryDiskSpace, the four approved reason codes Apple accepts, and how to find the SDK that triggered it.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix the 'Missing API declaration' for disk_space?
App Store Connect rejects builds that call disk-space APIs without an approved reason in PrivacyInfo.xcprivacy. The fix takes five minutes.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix the ITMS-91053 missing file_timestamp declaration?
App Store Connect rejected your upload because the binary calls a file_timestamp API and PrivacyInfo.xcprivacy is missing an approved reason.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix 'Missing Purpose String for Bluetooth' in Info.plist?
ITMS-90683 means your binary calls Core Bluetooth without NSBluetoothAlwaysUsageDescription in Info.plist. Here is what to add and which SDK to check.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix ITMS-90338 non-public API usage in React Native?
Apple flagged your iOS build because a selector inside node_modules collides with a private framework method; the fix lives in native code, not your JS bundle.
Laurens Dauchy · May 17, 2026
- Security8 min
How do I fix 'Non-public API usage' in React Native?
Apple's ITMS-90338 emails name selectors like isPassthrough or viewManager in React Native builds. The fix usually lives in your Pods, not your code.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
How do I fix the Rork 'API key not found' error?
Five settled causes for the Rork API key not found error, from a missing EXPO_PUBLIC prefix to stale edge function secrets, with verification steps.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix 'the app you are attempting to allow does not exist'?
The error fires when Xcode or App Store Connect cannot match your bundle ID to an app record in the active team. Here is how to align them.
Laurens Dauchy · May 17, 2026
- Security9 min
How do you obfuscate React Native code in 2025?
Hermes bytecode is not obfuscation. A real defense layers JS-level obfuscation, native shrinking, and runtime checks before submission.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I request an expedited review for a security patch?
Apple grants expedited App Review for critical security fixes through the Contact Us form, but the request must be specific, narrow, and provable to a reviewer.
Laurens Dauchy · May 17, 2026
- iOS8 min
How do I symbolicate TestFlight crash logs in Xcode 16?
Apple ships TestFlight crash reports as raw hex addresses until the matching dSYM lines them up, and the trick is making Xcode find the right file.
Laurens Dauchy · May 17, 2026
- iOS8 min
How do I symbolicate TestFlight crash logs reliably in 2026?
TestFlight crash reports arrive as raw memory offsets, and reliable symbolication in 2026 hinges on every dSYM your CI ever produced being on disk.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I update my privacy manifest for AdMob?
Apple flagged your AdMob build for a missing PrivacyInfo.xcprivacy. Here is what the SDK ships, what your app target adds, and how to verify the IPA.
Laurens Dauchy · May 17, 2026
- Privacy9 min
How do I use the Required Reason API for UserDefaults in Expo?
Apple flags NSUserDefaults under the Required Reason API. In Expo, the fix is one block in app.json with the right code: CA92.1, 1C8F.1, or C56D.1.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Is my Supabase anon key safe in a public Replit repo?
The anon key is designed to be public, but the safety only holds when Row Level Security is enabled on every table in your schema.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Is Replit Agent safe for sensitive apps?
The agent is safe for many side projects, but sensitive data, regulated apps, and production traffic still need a separate review path before launch.
Laurens Dauchy · May 17, 2026
- Security8 min
Is supabase.auth.uid() safe for RLS checks in mobile apps?
auth.uid() is safe for RLS in mobile apps when JWTs are asymmetric-signed, RLS is on, and policies use app_metadata, not user_metadata.
Laurens Dauchy · May 17, 2026
- Security9 min
Is supabase.auth.uid() safe for RLS checks?
auth.uid() is safe for RLS when PostgREST verifies the JWT, every reachable table has RLS enabled, and policies read app_metadata, not user_metadata.
Laurens Dauchy · May 17, 2026
- Security8 min
Is the Supabase service role key public?
The Supabase service_role key is a secret backend credential that bypasses Row Level Security, not a public one. The anon key is the public one.
Laurens Dauchy · May 17, 2026
- Security8 min
How do I fix ITMS-90338 non-public API usage in an iOS build?
App Store Connect rejects iOS uploads that link selectors matching private Apple APIs. The fix starts in npm dependencies, not your own code.
Laurens Dauchy · May 17, 2026
- Privacy8 min
What does ITMS-90683 Missing NSPhotoLibraryUsageDescription mean?
Apple rejects iOS builds that reference Photo Library APIs without a purpose string. Here is what the validator checks and how to clear the rejection.
Laurens Dauchy · May 17, 2026
- Privacy8 min
What does ITMS-91053 'Missing API declaration FileTimestamp' mean?
App Store Connect flags FileTimestamp on ITMS-91053 when the binary reads file attributes without a matching reason code in PrivacyInfo.xcprivacy.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-91053 NSPrivacyAccessedAPICategoryUserDefaults?
App Store Connect rejects iOS uploads that touch UserDefaults without a matching PrivacyInfo.xcprivacy entry. The fix is one short plist block.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-91053 SystemBootTime in PrivacyInfo.xcprivacy?
App Store Connect flags SystemBootTime on ITMS-91053 when the binary calls systemUptime or mach_absolute_time without a matching reason code.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-91053 'Missing API declaration system_uptime'?
App Store Connect raises ITMS-91053 with the system_uptime symbol when the compiled binary calls NSProcessInfo.systemUptime without a matching reason code.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-91053 'Missing API declaration' for UserDefaults?
App Store Connect blocks iOS uploads that touch UserDefaults without the right reason code. Picking the correct one fixes the rejection on the next archive.
Laurens Dauchy · May 17, 2026
- Privacy8 min
Why does ITMS-91053 say a provider is missing for UserDefaults?
The rejection email points at UserDefaults, but the missing provider is usually a third-party SDK that ships without a PrivacyInfo.xcprivacy file.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-91056 invalid PrivacyInfo.xcprivacy keys?
Diagnose ITMS-91056 invalid PrivacyInfo.xcprivacy rejections by running plutil -lint in terminal, identifying the broken framework manifest, and rewriting keys.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-91056 invalid keys with plutil in the terminal?
ITMS-91056 invalid keys can be caught before upload. Run plutil -lint and plutil -p against every PrivacyInfo.xcprivacy in your IPA from the terminal.
Laurens Dauchy · May 17, 2026
- Privacy8 min
Which invalid keys in PrivacyInfo.xcprivacy trigger ITMS-91056?
ITMS-91056 names invalid keys in a PrivacyInfo.xcprivacy file. Validate with plutil -lint, then diff the key names against Apple's published schema.
Laurens Dauchy · May 17, 2026
- Privacy8 min
Why does ITMS-91056 flag Reachability.framework's manifest?
Apple's upload validator rejects third-party privacy manifests when keys or values don't match the schema. Reachability.framework is one repeat offender.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-91056 invalid privacy manifest ReachabilitySwift?
App Store Connect returns ITMS-91056 when the PrivacyInfo.xcprivacy file shipped inside ReachabilitySwift.bundle carries a key or value the schema does not accept.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Why does my Lovable app return 403 Forbidden on Supabase storage?
Lovable apps return 403 Forbidden on Supabase storage when no RLS policy on storage.objects grants INSERT to the role the frontend carries.
Laurens Dauchy · May 17, 2026
- AI-coded apps9 min
Which Lovable prompts add CSP and input sanitization manually?
Lovable does not configure CSP or input sanitization by default. Here are the prompts that add validation, DOMPurify, and security headers manually.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Should my Lovable app put tables in Supabase's private schema?
Lovable defaults to Supabase's public schema, which is exposed to the Data API. Here is when to move sensitive tables to a private schema instead.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
How do I keep my Postgres connection string out of Lovable?
The full Postgres URI bypasses every RLS policy. Keep it out of the Lovable frontend, push it through Supabase Edge Function secrets instead.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Why is my Lovable app hitting Supabase RLS error 403?
Lovable apps return 403 with Postgres code 42501 when the Supabase RLS policy for the INSERT command does not match the role the frontend actually carries.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Can I use a generic privacy policy for a Lovable app?
A generic template names no Supabase, Stripe, or AI provider, which fails Apple Guideline 5.1.1(i) and the third-party AI clause in 5.1.2(i).
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Lovable Security Scanner vs CodeWatchtower for RLS audits?
Lovable runs four checks inside the editor, CodeWatchtower runs SAST in VS Code. Here is what each catches, what each misses, and when to use both.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Why is my Lovable Supabase RLS not working?
Your Lovable app says save succeeded but the row never appears, or worse, every user reads every record. Here is what RLS in Supabase actually checks.
Laurens Dauchy · May 17, 2026
- Security8 min
Why did Apple reject my React Native app for App Transport Security?
Apple flags React Native builds shipping with NSAllowsArbitraryLoads true. Use targeted exception domains and a clean Info.plist, not a global opt-out.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why does 5.1.1(v) hit AI apps with Sign in with Apple?
What Guideline 5.1.1(v) really requires when your AI-coded app uses Sign in with Apple or Google, and how to ship a fix that passes review.
Laurens Dauchy · May 17, 2026
- App Store9 min
How do I clear an App Store 5.1.1 account deletion rejection?
Guideline 5.1.1(v) wants a real in-app delete path, not a support email. Here is what reviewers check and the exact gates a fix has to clear.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I appeal an App Store rejection? (Sample letter)
When the Resolution Center thread is closed and the rejection still does not fit your app, the App Review Board appeal is the next step. Here is how to write it.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my AI app under Guideline 4.3?
Guideline 4.3 Design Spam is the most common Apple rejection for AI-generated apps in 2026. Here is what triggers it, and how to fix it.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix an Apple Guideline 5.1.1 data collection rejection?
The rejection usually points at an undeclared SDK or an unanswered privacy question. Here is how to identify which one triggered the flag and clear it.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix Guideline 5.2.2 for AI-generated assets?
App Review cites 5.2.2 when an AI asset reads as content from a third-party service. Here is what triggers it and the clean path to resubmit.
Laurens Dauchy · May 17, 2026
- App Store9 min
Why did Apple reject my app for hardcoded API keys?
Apple's security notices and 2.3 rejections flag hardcoded AWS, Firebase, or Stripe keys in your binary. The fix turns on rotation, not just code edits.
Laurens Dauchy · May 17, 2026
- Privacy8 min
How do I fix ITMS-91053 Missing API declaration on upload?
App Store Connect returns ITMS-91053 when the compiled bundle calls a required reason API and no PrivacyInfo.xcprivacy declares an approved reason.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do you fix ITMS-91053 Missing API Declaration?
App Store Connect rejects builds that touch certain system APIs without a privacy manifest entry. Here is how to fix ITMS-91053 in one submission.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Does Replit Agent handle environment variables securely?
Replit Secrets sit encrypted at rest, but Replit Agent can still leak them into client bundles, public Repls, or your .replit config. Here is what to audit.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Why does Replit Agent return 403 from Supabase on mobile?
A 403 from Supabase on a Replit Agent mobile build almost always traces to RLS, the anon key, or a misrouted SSL endpoint. Here is what to check first.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do I fix ITMS-90035 in a Replit Agent iOS build?
ITMS-90035 means the IPA is not signed with a valid Distribution certificate. Here is what triggers it in Replit-to-iOS exports, and the fix path.
Laurens Dauchy · May 17, 2026
- iOS8 min
Why does Replit Agent trigger ITMS-90035 Invalid Signature?
Replit Agent ships your iOS build through EAS, and ITMS-90035 usually traces back to a mis-signed bundle, an expired profile, or a sealed resource gap.
Laurens Dauchy · May 17, 2026
- App Store8 min
How do you fix ITMS-90035 after a Replit Agent IPA upload?
A step-by-step recovery workflow for ITMS-90035 invalid signature failures on Replit-to-iOS builds, covering codesign diagnostics, identity rotation, and re-upload.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Why does my Rork app fail with 'Error initializing Firebase' on iOS 18?
Six settled causes for the Rork Firebase init crash on iOS 18, from a missing GoogleService-Info.plist to the useFrameworks static flag, with diagnosis steps.
Laurens Dauchy · May 17, 2026
- Security8 min
Can App Store reviewers see my Supabase database content?
Apple Reviewers cannot read your Supabase tables directly, but the anon key in your IPA can. Here is what really exposes your database before launch.
Laurens Dauchy · May 17, 2026
- Security8 min
Does Apple review the source code of React Native apps?
Apple does not see source code. App Review runs static analysis on the IPA binary and the embedded JavaScript bundle for forbidden symbols and private APIs.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why did Apple reject my TestFlight build under 3.2(f) for deceit?
Apple cites 3.2(f) on TestFlight when a beta build hides features, gates them by region, or behaves differently for App Review than for real users.
Laurens Dauchy · May 17, 2026
- App Store8 min
Why is my build processing for 12+ hours in App Store Connect?
Processing usually clears in 10 to 30 minutes. Here is what 12 hours of yellow means, when to file Feedback Assistant, and the workaround that costs nothing.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
How do I hide .env keys in React Native when using Windsurf AI?
Windsurf can index your .env into Cascade context, and React Native bundles inline anything you import. Here is how to keep both layers honest.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Windsurf AI leaked my Google Maps API key. What do I do now?
Windsurf inlined the key into your mobile bundle and a stranger can read it. The fix is restrict the key, rotate it only if needed, then move secrets off the client.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Does Windsurf AI .env.local work for a mobile production build?
Windsurf writes code that reads .env.local at runtime. On a mobile production build, that file is gone and any inlined value sits in your compiled binary.
Laurens Dauchy · May 17, 2026
- Security8 min
How do I stop Windsurf Cascade from leaking data without my consent?
Cascade's read_url_content tool runs outbound HTTPS without approval. Here are the network, filesystem, and approval layers that actually block exfiltration.
Laurens Dauchy · May 17, 2026
- Security8 min
Why is Windsurf Cascade making HTTP requests without my consent?
Cascade's read_url_content tool ran outbound HTTPS without approval in 2025. Here is what the prompt injection looked like, and the fix to apply now.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Can a prompt injection in Windsurf Cascade leak my .env?
A hidden line in a README can hijack Windsurf Cascade into reading your .env and posting it to an attacker. Here is the attack, and how to stop it.
Laurens Dauchy · May 17, 2026
- AI-coded apps9 min
What is the real data exfiltration risk in Windsurf Cascade?
Five Windsurf vulnerabilities have shipped exfiltration paths through tool calls. Here is the risk picture for vibe-coded mobile builds in 2026.
Laurens Dauchy · May 17, 2026
- AI-coded apps9 min
Can Windsurf Cascade leak my .env via prompt injection?
A hidden instruction inside a single file can hijack Cascade into reading your .env and sending the secrets to a remote server. Here is the fix.
Laurens Dauchy · May 17, 2026
- AI-coded apps8 min
Does Windsurf Cascade write SQL injection into my code?
Cascade can ship raw string-concatenated SQL into your app. Here is how to spot the pattern and refactor every query to use parameters.
Laurens Dauchy · May 17, 2026
- AI-coded apps9 min
Did Windsurf put my AWS keys in the app bundle?
Windsurf can quietly write AWS access keys into a config or JavaScript bundle that ships to every user. Here is how to find them, and what to use instead.
Laurens Dauchy · May 17, 2026
- App Store12 min
App Store Connect Financial Reports Missing
App Store Connect financial reports missing on the first? Apple publishes them on its 4-4-5 fiscal calendar after the fiscal month closes, not on the calendar first.
Laurens Dauchy · May 16, 2026
- App Store11 min
How to Delete an App from App Store Connect (2026)
You can remove an app from App Store Connect only when it is not in a review state. A rejected or in-review app must be cleared first; the SKU and bundle ID cannot be reused.
Laurens Dauchy · May 16, 2026
- Security12 min
How to Pass VAPT Test for Android Apps
How to pass a VAPT test for Android apps: what the audit checks against OWASP MASVS, the common findings that fail it, and how to remediate and pre-scan.
Laurens Dauchy · May 16, 2026
- AI-coded apps11 min
Low-Code Apps & Firebase Auth: Wann "Service Roles" öffentlich sind
Die Firebase-Web-Konfiguration ist absichtlich öffentlich und sicher. Der Dienstkonto-Schlüssel des Admin SDK darf es nie sein und umgeht alle Security Rules.
Laurens Dauchy · May 16, 2026
- Google Play10 min
Google Playのアプリ審査が長い!期間と遅いときの対処法 (Google Play Review Taking Long? How to Fix)
Google Playのアプリ審査にかかる期間を、アップロードから公開まで、トラック別と新規アカウントの流れも含めて整理し、遅いときの対処法とサポート連絡の目安を解説します。
Laurens Dauchy · May 16, 2026
- Google Play11 min
Google Play Protect Appeal Taking Too Long
Google Play Protect appeal taking too long: how the appeal works, whether a human reviews it, how to submit a false-positive report, and what to do while you wait.
Laurens Dauchy · May 16, 2026
- Security12 min
Flag_Secure Doesn't Stop Everything: Screen Share Bypass on Android OS
FLAG_SECURE does not stop everything: it only protects the flagged window, so dialogs, notifications, PiP, and accessibility can leak. Bypass conditions and fixes.
Laurens Dauchy · May 16, 2026
- AI-coded apps8 min
Why does Apple reject Replit Agent apps? Common causes
Apple's 2026 enforcement around Guideline 2.5.2, 4.2 and 4.2.6 catches Replit Agent builds first. The rejection patterns and the specific fixes.
Laurens Dauchy · May 16, 2026
- App Store8 min
Why did Apple reject my AI app for 5.1.1(v) account deletion?
What Guideline 5.1.1(v) actually requires, why Cursor, Lovable and FlutterFlow auth scaffolds miss it, and how to ship a fix that passes App Review.
Laurens Dauchy · May 16, 2026
- Security8 min
Can Apple see my hardcoded secrets in a minified bundle?
Minification does not hide string literals. Every embedded API key stays visible in your IPA, and Apple's review queue is not looking for them.
Laurens Dauchy · May 16, 2026
- Security9 min
Can Apple see my hardcoded secrets in minified bundles?
Modern iOS apps ship many bundles at once: the main binary, extensions, App Clip, and JS chunks. None of them are reviewed for secrets.
Laurens Dauchy · May 16, 2026
- Security8 min
Does Apple check for hardcoded AWS credentials?
Apple App Review approves apps with embedded AWS access keys every week. The empirical gap between store review and real-world key leaks, explained.
Laurens Dauchy · May 16, 2026
- App Store8 min
Does Apple App Review check for hardcoded AWS S3 keys?
Apple's review process is policy-focused, not a security scanner. Why hardcoded AWS keys slip through, and the IPA scan you should run yourself before submission.
Laurens Dauchy · May 16, 2026
- App Store9 min
Does Apple App Review check for hardcoded Stripe secret keys in 2026?
Apple does not scan IPA binaries for Stripe sk_live_ tokens, but every iOS user with strings can. The pattern, the fix, and why Stripe itself wants you off secret keys entirely.
Laurens Dauchy · May 16, 2026
- App Store9 min
Does Apple review check for hardcoded AWS credentials?
Apple does not scan IPAs for AWS access keys, session tokens, or root account keys. Why every AWS credential type leaks through review, and the IAM patterns that close the gap.
Laurens Dauchy · May 16, 2026
- Security8 min
Does Apple review check for hardcoded Firebase endpoints?
Apple's review focuses on policy compliance, not backend URL extraction. Why Firebase project IDs ship visible in every IPA, and what actually protects them.
Laurens Dauchy · May 16, 2026
- App Store8 min
Does Apple scan for hardcoded Stripe secret keys?
Apple's automated scan is not the same thing as a credential scan. What Apple's static layer actually inspects, what it ignores, and the scanner you should run on your own IPA before submission.
Laurens Dauchy · May 16, 2026
- AI-coded apps9 min
Does Cursor AI hardcode my Stripe keys into generated code?
Cursor and similar AI tools often write Stripe secret keys directly into generated source, because hardcoded examples dominate the public training data.
Laurens Dauchy · May 16, 2026
- AI-coded apps8 min
Does Cursor AI save my hardcoded Stripe keys in the code?
Cursor's Privacy Mode is OFF by default on Free and Pro plans, which means prompts and code snippets reach Cursor's servers. What is stored, what is shared with model providers, and how to switch off.
Laurens Dauchy · May 16, 2026
- Privacy8 min
How do I fix ITMS-91053 NSPrivacyDiskSpace in my iOS build?
App Store Connect rejects builds that call disk-space APIs without a privacy manifest entry. The fix is one plist key plus the right reason code.
Laurens Dauchy · May 16, 2026
- Privacy8 min
How do I fix ITMS-91053 for the file timestamp API?
App Store Connect rejects iOS builds that call file timestamp APIs without a privacy manifest entry. The fix is one plist key with the right reason code.
Laurens Dauchy · May 16, 2026
- Privacy8 min
How do I fix Missing API declaration for system_boot_time?
App Store Connect rejects iOS builds that read systemUptime or mach_absolute_time without a privacy manifest entry. Add the right reason code.
Laurens Dauchy · May 16, 2026
- AI-coded apps9 min
Is the Supabase service_role key visible in Lovable apps?
If your Lovable.dev app initialises with the Supabase service_role key, it is visible to every visitor and bypasses every RLS policy. The fix order, and how to verify.
Laurens Dauchy · May 16, 2026
- Privacy8 min
How do I fix ITMS-91053 for the UserDefaults API?
App Store Connect rejects iOS builds that read or write UserDefaults without a privacy manifest entry. The fix is one plist key with the right reason code.
Laurens Dauchy · May 16, 2026
- AI-coded apps9 min
Why is USING (true) the riskiest RLS policy in Lovable.dev?
USING (true) makes a Supabase table public to any visitor with the anon key. Lovable's scanner sees a policy and gives it a green check.
Laurens Dauchy · May 16, 2026
- AI-coded apps10 min
Lovable.dev Supabase RLS bypass: how it happens, how to fix it
The CVE-2025-48757 attack vector that exposed 170+ Lovable apps, why Lovable's own security scan misses it, and the policy patterns that actually close the gap.
Laurens Dauchy · May 16, 2026
- AI-coded apps10 min
Lovable.dev exposed your Supabase service_role key. What now?
The exact rotation order when a Lovable.dev project shipped the Supabase service_role key, plus the recovery steps Lovable's incident response page omits.
Laurens Dauchy · May 16, 2026
- AI-coded apps9 min
Why my Lovable Supabase data is still public even with RLS enabled
Enabling Row Level Security is not the same as writing a policy that filters anything. Why USING (true) is the AI's default, and the patterns that actually scope access.
Laurens Dauchy · May 16, 2026
- App Store8 min
Replit Agent ITMS-90078 error: what it actually means, and the fix
ITMS-90078 is the Missing Push Notification Entitlement error, not missing icon. Why Replit Agent builds trigger it, and the two fixes that pass App Store validation.
Laurens Dauchy · May 16, 2026
- AI-coded apps9 min
Supabase anon key vs service_role key: which goes where
What each Supabase API key actually does, why one is safe in the client and the other is not, and what changed with the new sb_publishable and sb_secret formats.
Laurens Dauchy · May 16, 2026
- AI-coded apps9 min
Supabase RLS is on but SELECT is true for all: am I exposed?
What a PERMISSIVE policy with USING (true) actually does, why AI builders like Cursor and Lovable default to it, and how to spot every one in your project.
Laurens Dauchy · May 16, 2026
- AI-coded apps9 min
Supabase RLS enabled but SELECT is true for everyone, am I leaking?
What permissive policies actually do in Postgres, why AI coding agents reach for USING (true), and the checks that decide whether your data is public.
Laurens Dauchy · May 16, 2026
- Security9 min
The 10-minute mobile app security checklist
Ten checks every Android or iOS app should pass before launch — what to scan for, why each one matters, and the order to fix them in.
Laurens Dauchy · May 16, 2026
- App Store12 min
Export Compliance Information Required (App Store)
Export Compliance Information Required means your build must declare its encryption. HTTPS and Apple OS crypto are exempt, so most apps qualify. Set the Info.plist key.
Laurens Dauchy · May 15, 2026
- Google Play12 min
Google Play Update Stuck in Review (How to Expedite)
Google Play update stuck in review? There's no expedite button. Check Managed Publishing first, and why unpublishing or resubmitting won't help.
Laurens Dauchy · May 15, 2026
- Google Play12 min
How Long Does Google Play Production Review Take in 2026?
Google Play production review runs up to 7 days in 2026, often faster. But new accounts wait 14 days on closed testing first, and closed beta won't speed it up.
Laurens Dauchy · May 15, 2026
- Google Play12 min
What is Managed Publishing in Google Play Console?
Managed Publishing lets you control when approved Google Play changes go live. It doesn't delay review, only the publish step. How to turn it on and off.
Laurens Dauchy · May 15, 2026
- App Store13 min
Guideline 4.0: Wenn Apple Ihre App Wegen "Design" Ablehnt
Apple lehnt Ihre App unter Guideline 4.0 wegen Design ab? Was die Ablehnung auslöst, ob die Live-App betroffen ist, was zu ändern ist und wie der Einspruch geht.
Laurens Dauchy · May 14, 2026
- App Store11 min
Is App Store Connect ICP Filing Required for China?
Is ICP filing required for the mainland China App Store? Yes. Whether you need a Chinese business, whether you can skip it, and how the filing works.
Laurens Dauchy · May 14, 2026
- Google Play11 min
Google Play Pending Publication Taking Too Long (Fix)
Google Play pending publication taking too long: what it means, how it differs from in review, how long it takes, whether you can speed it up, and what to check.
Laurens Dauchy · May 13, 2026
- App Store12 min
Error ITMS-90189: Redundant Binary Upload (Fixed)
ITMS-90189 is the Redundant Binary Upload error, not a bundle identifier error. Why your build number is already taken, and how to increment it and re-upload.
Laurens Dauchy · May 13, 2026
- Security12 min
Google Play Protect vs Third Party Antivirus (Android)
Google Play Protect vs third-party antivirus on Android: what each covers, whether Play Protect blocks everything, false positives, and which you actually need.
Laurens Dauchy · May 13, 2026
- App Store9 min
土日も行われる?2026年最新のApp Store審査時間まとめ
App Storeの審査は土日も行われるのか、2026年の審査時間の目安、週末や祝日は遅くなるのか、金曜の大型アップデートの出し方を解説します。
Laurens Dauchy · May 12, 2026
- AI-coded apps12 min
Les Dangers du Vibe-Coding : Protéger Vos Clés API Sur Les Apps Générées (Lovable)
Pourquoi le vibe-coding (Lovable, React Native) expose des clés API, quelles clés sont sûres côté client, et comment protéger vos secrets et vérifier le build.
Laurens Dauchy · May 12, 2026
- App Store12 min
How to Update App Store Connect API Key
Update your App Store Connect API key by generating a new one, swapping the Key ID, Issuer ID, and .p8 into CI or Fastlane, verifying, then revoking the old key.
Laurens Dauchy · May 12, 2026
- Security12 min
Android Security Risks: OWASP Zip Slip Path Traversal (Guide)
Zip Slip is a path traversal bug where an Android app trusts archive paths, so a malicious entry escapes the extraction folder. How it works, the fix, and detection.
Laurens Dauchy · May 11, 2026
- AI-coded apps12 min
Lovable e Inteligência Artificial: Perigos da Migração sb_publishable na Supabase
Migração sb_publishable na Supabase em apps Lovable: o que significa, por que é perigosa com IA, a diferença para a sb_secret e o que verificar primeiro.
Laurens Dauchy · May 11, 2026
- Google Play11 min
Google Play Developer Payment Declined India (RBI Fix)
Why your Google Play developer registration payment is declined in India, the RBI and card rules behind it, which cards work, and how to fix it.
Laurens Dauchy · May 11, 2026
- Google Play12 min
Google Play Rejected for Malicious Behavior
Google Play rejected your app for malicious behavior? The usual cause is a flagged third-party SDK. How to find it, fix it, and appeal a false positive.
Laurens Dauchy · May 11, 2026
- Security12 min
Android FLAG_SECURE Not Working on Screen Record
FLAG_SECURE not blocking screen recording? Setup mistakes, emulator false alarms, Xiaomi and Samsung OEM overrides, MediaProjection quirks, and how to test it.
Laurens Dauchy · May 11, 2026
- App Store11 min
"En Cours D'examen" Apple Store Trop Long : Guide pour Développeurs
Pourquoi votre app reste bloquée en 'En cours d'examen', combien de temps est normal, ce qui ralentit l'examen, si un nouvel envoi relance le compteur et quand contacter Apple.
Laurens Dauchy · May 10, 2026
- iOS12 min
iOS Privacy Permissions Explained (Official Docs)
How iOS privacy permissions work: runtime consent prompts, the Info.plist usage-description keys each resource needs, the ATT tracking prompt, and least privilege.
Laurens Dauchy · May 10, 2026
- Builders12 min
Fastlane Match Decrypt Certificate Failed (Incorrect Password)
Fastlane match could not decrypt or incorrect password? Check the passphrase, fix OpenSSL version errors, and when to nuke and recreate your certificates.
Laurens Dauchy · May 10, 2026
- Security13 min
MediaProjection Screen Recording Bypass Android 14
On Android 14, FLAG_SECURE blocks MediaProjection screen recording, so secure screens record blank. Bypassing it needs a rooted device with Xposed. What that means.
Laurens Dauchy · May 10, 2026
- Google Play11 min
Internal Testing vs Closed Testing on Google Play
Internal vs closed testing on Google Play: which is faster, which requires testers (now 12, not 20), how they differ, and when to use each on the way to production.
Laurens Dauchy · May 10, 2026
- AI-coded apps12 min
Does Cursor AI Store My Code in the Cloud? (Privacy)
Does Cursor AI store your code in the cloud? How Privacy Mode, codebase indexing, and zero data retention work, and how to protect proprietary code.
Laurens Dauchy · May 9, 2026
- App Store11 min
App TestFlight Bloquée Sur "En Attente d'Examen" : Comment Avancer
Votre build TestFlight reste bloqué en 'En attente d'examen' ou est refusé: ce que le statut signifie, combien de temps est normal et comment faire avancer la validation.
Laurens Dauchy · May 9, 2026
- Builders12 min
Command PhaseScriptExecution Failed in React Native (Fix)
Command PhaseScriptExecution failed in React Native usually means Xcode can't find node. Read the real error, set NODE_BINARY in .xcode.env.local, and fix the cause.
Laurens Dauchy · May 8, 2026
- App Store12 min
Is App Store Connect Privacy Policy URL Required?
Yes, App Store Connect requires a privacy policy URL for every app. It must be publicly accessible and accurate. You can use a free generator and host it on Notion.
Laurens Dauchy · May 8, 2026
- Security12 min
FLAG_SECURE Android Bypass Techniques
FLAG_SECURE Android bypass techniques explained defensively: whether Frida and Magisk modules can disable it, why they need a rooted device, and how to harden.
Laurens Dauchy · May 8, 2026
- App Store11 min
Tiempos de Revisión App Store 2026: Cuánto Tarda Realmente Apple
Cuánto tarda realmente Apple en revisar una app en 2026, qué significan los estados, por qué se retrasa, qué revisar primero y cuándo pedir una revisión acelerada.
Laurens Dauchy · May 7, 2026
- App Store11 min
Promotional Text vs What's New (App Store Connect)
Promotional Text updates any time with no review; What's New is version release notes tied to an update. Which triggers an update and which is indexed, explained.
Laurens Dauchy · May 7, 2026
- Google Play12 min
Google Play Console Closed Testing Requirements
Google Play closed testing needs at least 12 testers opted in for 14 consecutive days on a personal account. How to find testers, opt-in links, and the rules.
Laurens Dauchy · May 7, 2026
- Google Play12 min
Blocked by Play Protect Warning (Red Screen Fix)
Blocked by Play Protect red screen: what the warning means, why your own app triggers it, the role of suspicious SDKs and permissions, and how to submit an appeal.
Laurens Dauchy · May 7, 2026
- Google Play12 min
Google Play App Stuck in Review? Why & How to Fix It
Is your Google Play app stuck in review? Whether to wait, cancel, or resubmit, how to contact Google, and when escalating actually helps.
Laurens Dauchy · May 7, 2026
- Security12 min
Android Certificate Pinning Bypass Tutorial
How to test Android certificate pinning on your own app, why it can be bypassed, OkHttp vs TrustKit, and how to harden it for authorized security testing.
Laurens Dauchy · May 7, 2026
- App Store12 min
TestFlight Internal vs External Testers (Differences)
TestFlight internal testers: up to 100 team members, no Beta App Review. External: up to 10,000 people whose first build needs review. When to use each.
Laurens Dauchy · May 6, 2026
- App Store11 min
Error ITMS-90482: Bitcode is No Longer Supported
ITMS-90482 means your build still contains bitcode, which Apple dropped in Xcode 14. Set ENABLE_BITCODE to NO and update or strip any third-party framework with it.
Laurens Dauchy · May 6, 2026
- Google Play11 min
How to Get 20 Testers for Google Play (Free Methods)
How to get the 12 (formerly 20) Google Play testers for free: your network, reciprocal tester-exchange groups, and a Google Group, plus whether family counts.
Laurens Dauchy · May 5, 2026
- Google Play12 min
Google Play Console Unity 3D SDK Data Collection Warning
The Unity SDK data collection warning means a Unity service (Ads or Analytics) collects data your Data safety form omits. Declare it, or remove the unused service.
Laurens Dauchy · May 5, 2026
- App Store12 min
Why is My App Stuck in "In Review" (Apple 2026)
App stuck in In Review on Apple? Why it takes longer, whether reviewers read your code line by line, if you should cancel, and when to contact App Review instead.
Laurens Dauchy · May 5, 2026
- App Store11 min
App Store Connect Screenshot Dimensions (2026)
App Store screenshot dimensions for 2026: the required 6.9 or 6.7 inch iPhone set, the 13 inch iPad Pro set, why 6.5 inch is no longer separate, and format rules.
Laurens Dauchy · May 5, 2026
- App Store12 min
App Store Rejection: Push Notification Spam (Guideline 4.5.4)
App Store push notification spam rejection under guideline 4.5.4: marketing vs transactional pushes, the explicit opt-in requirement, and how to fix and resubmit.
Laurens Dauchy · May 5, 2026
- App Store11 min
Apple In-App Purchases: "Acción del Desarrollador Requerida" (Soluciones)
Qué significa Acción del desarrollador requerida en una compra dentro de la app de Apple, por qué bloquea la revisión y cómo corregirlo paso a paso.
Laurens Dauchy · May 5, 2026
- Security12 min
Menaces Front-end : Les Bots Qui Scannent Les Clés API React Native
Des bots scannent GitHub et les bundles à la recherche de clés API React Native et les exploitent en minutes. Comment ils opèrent, et comment protéger vos secrets.
Laurens Dauchy · May 5, 2026
- App Store12 min
App Store Waiting for Review Too Long (2026 Fixes)
App Store stuck on Waiting for Review too long? Why it is usually queue time, how long is normal, whether to expedite, and why not to cancel and resubmit.
Laurens Dauchy · May 5, 2026
- AI-coded apps11 min
How to Hide API Keys in Cursor AI Development
How to hide API keys in Cursor: keep them server-side, set up a git-ignored .env, use .cursorignore and Privacy Mode, and never expose a key in the frontend.
Laurens Dauchy · May 4, 2026
- App Store11 min
App Store Connect Age Rating Appeal Process
App Store age rating: how the questionnaire sets it, how unrestricted web access and user-generated content raise it, and how to correct or appeal a rating.
Laurens Dauchy · May 4, 2026
- AI-coded apps12 min
Los Bots Ya Buscan las Contraseñas Supabase Expuestas Por Desarrollos Cursor JS
Los bots ya rastrean claves Supabase expuestas en el código JS que genera Cursor. Qué clave importa, cómo las explotan y cómo evitar la fuga en tu flujo con IA.
Laurens Dauchy · May 4, 2026
- App Store11 min
How to Escalate App Store Review Delays
How to escalate App Store review delays: confirm it is stuck, contact the review team, request an expedited review, and what expedite limits and support cover.
Laurens Dauchy · May 4, 2026
- App Store11 min
Is the App Store Connect Marketing URL Actually Required?
No, the App Store Connect Marketing URL is optional, not required. If you have no website leave it blank, but a broken URL you do add can cause a metadata rejection.
Laurens Dauchy · May 3, 2026
- App Store11 min
App Version Number vs Build Number (iOS & Android)
Version number vs build number on iOS and Android: what each means, CFBundleVersion vs versionCode, whether you need semantic versioning, and the store rules.
Laurens Dauchy · May 3, 2026
- Google Play11 min
Google Play Queue Maps: Pending Publication vs In Review (Wait Limits)
The difference between In Review and Pending Publication on Google Play, how long each should take, why an update gets stuck, and how to unblock it.
Laurens Dauchy · May 3, 2026
- Google Play11 min
Fixing Fastlane Supply App Bundle Play Console Timeouts
A Fastlane supply timeout uploading to Play Console is a network, bundle-size, or service-account auth problem. Check CI connectivity, the bundle size, and the key.
Laurens Dauchy · May 3, 2026
- App Store11 min
iOS App Privacy Nutrition Label Generator
No auto-generator exists for the iOS Privacy Nutrition Label; you self-declare it in App Store Connect. Include third-party SDK data; use the privacy manifest report.
Laurens Dauchy · May 3, 2026
- Google Play11 min
Google Play Console Age Rating Rejected (How to Fix)
A Google Play age-rating rejection means your IARC questionnaire doesnt match your app. Re-take it, declaring user-generated content, ads, and real violence levels.
Laurens Dauchy · May 2, 2026
- App Store11 min
How to Check App Store Name Availability (2026)
How to check App Store name availability by reserving it in App Store Connect, whether two apps can share a name, and the 30-character name and subtitle limits.
Laurens Dauchy · May 2, 2026
- AI-coded apps12 min
Supabase sb_publishable Migration & Bypass Errors Explained
Supabase's sb_publishable and sb_secret keys replace anon and service_role. Why you get Invalid JWT errors, what --no-verify-jwt does, and when it's safe.
Laurens Dauchy · May 2, 2026
- App Store11 min
Mi bundle ID ya existe en otro lado: la transferencia de Apple Developer falló
El bundle ID pertenece a un solo equipo de Apple y no se repite. Si la transferencia falla, quita el conflicto en la cuenta receptora o usa uno nuevo.
Laurens Dauchy · May 1, 2026
- Google Play12 min
App Not Visible in Google Play Store After Publishing (Fix)
App not visible in Google Play after publishing? Search indexing time, device cache, country availability, staged rollouts, and device compatibility, each fixed.
Laurens Dauchy · May 1, 2026
- App Store11 min
Does Apple App Review Work on Holidays?
Does Apple App Review work on holidays? Yes, seven days a week, though the late-December Christmas window has reduced activity. Thanksgiving, weekends, and planning.
Laurens Dauchy · May 1, 2026
- AI-coded apps12 min
How to Hide Supabase API Keys in React
You can't hide the Supabase anon key in React, and you don't need to. Secure the public key with Row Level Security and keep the secret key behind a backend proxy.
Laurens Dauchy · May 1, 2026
- AI-coded apps12 min
Segurança React Native: Vazamento do sb_publishable na Supabase
A chave sb_publishable no seu app React Native publicado não é um vazamento: ela é pública por design. O perigo real é a falta de RLS e a chave sb_secret.
Laurens Dauchy · May 1, 2026