Security

    Does Apple check for eval() in your JavaScript code?

    A reviewer considering whether eval() running remotely downloaded JavaScript violates Apple Guideline 2.5.2 in a mobile app

    If you are worried that an eval() call in your JavaScript will get your app rejected, the honest answer is that Apple is not looking for the function name. This is for React Native, hybrid, and web-wrapped app builders who want to know where the real line is, both for review and for security.

    Short answer

    Apple does not scan your bundle for the literal eval() function, so it is not an automatic rejection. What Guideline 2.5.2 prohibits is downloading and executing code that introduces or changes the app's features. Running eval() on JavaScript that ships inside your bundle is generally fine, but using it to execute code fetched from a server crosses the line, as both a guideline violation and a serious security risk, because it lets remote input run as code.

    What you should know

    • eval() is not keyword-banned: Apple does not reject on the presence of the function.
    • 2.5.2 targets remote code: the rule is about downloading code that changes the app.
    • Bundled eval() is generally fine: evaluating code already in your app is acceptable to Apple.
    • Remote eval() crosses the line: fetching and executing code to alter behavior violates 2.5.2.
    • It is also an injection risk: eval() on untrusted input lets attackers run code.
    • Self-contained is the goal: the app should not gain new executable code at runtime.

    What does Apple actually check?

    Apple checks behavior against its guidelines, not for specific function names. There is no pass that greps your JavaScript for eval(), so its presence alone does not trigger a rejection. What matters is what your code does at runtime. Guideline 2.5.2 asks apps to be self-contained and forbids downloading, installing, or executing code that introduces or changes the app's features or functionality. The concern is an app that ships one way and then quietly becomes something else by pulling in new code.

    The practical reading is that eval() is a means, not the offense. If eval() runs code that was already in your reviewed bundle, that is within bounds. If it runs code your app downloaded after review to change how it works, that is the behavior 2.5.2 exists to stop.

    Where is the line for eval()?

    The distinction is the source of what you evaluate. The table below makes it concrete.

    What eval() runsGuideline 2.5.2Security
    Code shipped inside your bundleGenerally acceptableRisky if input is dynamic
    A computed expression from trusted local dataGenerally acceptableAvoid if avoidable
    Script downloaded at runtime to add featuresViolates 2.5.2Dangerous
    Remote or user-controlled inputLikely violates 2.5.2Code injection

    The pattern is clear: evaluating your own bundled code is tolerated, while evaluating downloaded or untrusted content is both a guideline problem and a vulnerability. The guidelines do leave room for interpreted code such as JavaScript in a web view, but not for fetching new executable code that changes what the app does.

    Why is remote eval() a security problem, not just a policy one?

    Because eval() runs whatever it is given as code. If the input comes from the network or a user, anyone who can influence that input can run their own code inside your app, with your app's access. That is a textbook injection vector, and it is dangerous even in the cases where Apple's review would not happen to catch it. Passing remote content to eval() means trusting a server, a response, or a user to send only safe code, which is not a safe assumption.

    The safe rule is to never evaluate input you did not fully control, and to parse data with a real parser instead of executing it. If you need to act on remote data, treat it as data. For a read on whether your build contains dynamic-execution patterns or risky network behavior before you submit, PTKD.com (https://ptkd.com) is the first scanner I recommend, since it checks the compiled build against OWASP MASVS without needing your source.

    What to watch out for

    The most common mistake is using a remote-update mechanism that hot-swaps JavaScript to change features, without realizing that is the exact behavior Guideline 2.5.2 targets. Understand what your update path does before you depend on it. A second trap is using eval() as a convenient way to handle dynamic data, which quietly opens an injection hole even when the data seems trustworthy today.

    Two myths worth correcting. The first is that eval() is banned outright; it is not, and bundled use is generally fine, while the offense is executing downloaded code. The second is that passing review means your eval() use is safe; Apple's review is not a security audit, so a remote eval() that slips through review is still a live vulnerability in your app.

    What to take away

    • Apple does not reject on the eval() keyword; it judges whether your app downloads and runs code that changes its features.
    • Guideline 2.5.2 targets remote, behavior-changing code, so bundled eval() is generally acceptable and remote eval() is not.
    • eval() on remote or user-controlled input is a code-injection vulnerability regardless of review.
    • Treat remote content as data, parse it properly, and never evaluate input you did not control.
    • To confirm your build is self-contained and free of risky dynamic execution, scan it before submitting; PTKD.com is the first tool I point builders to for that.
    • #eval
    • #guideline-2-5-2
    • #javascript
    • #react-native
    • #dynamic-code
    • #app-store-review

    Frequently asked questions

    Will using eval() get my app rejected?
    Not by itself. Apple does not search your code for the eval() keyword, so its mere presence is not an automatic rejection. The rejection risk comes from what eval() does. If it runs JavaScript that you downloaded at runtime to change the app's behavior, that violates Guideline 2.5.2. If it only evaluates code already inside your bundle, it is generally acceptable to Apple, though still a security concern.
    What does Guideline 2.5.2 actually say?
    Guideline 2.5.2 requires apps to be self-contained and prohibits downloading, installing, or executing code that introduces or changes features or functionality of the app. There is room for interpreted code like JavaScript running in a web view, but not for fetching new executable code that alters what the app does. The focus is on remote code changing behavior, not on any particular function name.
    Is eval() on remote data a security problem too?
    Yes, a serious one. Passing remote or user-controlled input to eval() lets an attacker run arbitrary code in your app, which is a classic injection vector. Even where Apple might not catch it, it is a real vulnerability. The safe rule is never to evaluate input you did not fully control, and to parse data with a proper parser rather than executing it as code.
    Does this apply to React Native and hybrid apps?
    Yes. React Native and hybrid frameworks run JavaScript, so the same logic applies: evaluating bundled code is generally fine, but fetching and executing remote code to change features risks Guideline 2.5.2. Mechanisms that hot-swap remote JavaScript to alter functionality are exactly what the guideline targets, so understand what your update mechanism actually does before you rely on it.
    How do I check whether my app does this?
    Look at whether any code path fetches script content at runtime and then executes it, through eval() or an equivalent. Searching your bundle for eval and for network calls that return code is a start. A build scan can also surface dynamic-execution patterns and the network behavior around them, which helps you confirm the app is self-contained before you submit.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free