Does Apple actually log into my backend with my demo account?

Yes, that is the standard path. The reviewer takes the demo credentials you entered in the App Review Information section of App Store Connect, taps the sign-in flow in your submitted build, and the device authenticates against the same backend your production users hit. Apple does not inspect your server, but the responses your backend returns shape what the reviewer sees on screen and what gets flagged.

Can Apple see the source code in my GitHub repo?

No. There is no step in the App Store Connect submission flow where you hand over a repository, a deploy URL, or a CI token. Apple reviews the compiled binary you upload and observes its network behavior on a test device. Articles suggesting reviewers audit your backend codebase are wrong. The privacy of your server source is the same after submission as before it.

If my backend goes down during App Review, will Apple reject the build?

Almost certainly, under Guideline 2.1 App Completeness. The reviewer sees a blank screen, a stuck loading state, or a retry message, and the rejection does not distinguish between a bug in your code and a Firebase or AWS outage. A 2023 Apple Developer Forums thread on Firebase Storage and reviewer WiFi shows the pattern. Run a status monitor on your demo endpoints for the duration of the review window.

Can I use remote config to change my app after Apple approves it?

Within limits. Per Guideline 2.5.2, apps cannot download code that introduces or changes features after review. Remote config that adjusts copy, colors, or non-functional A/B tests usually sits inside the safe lane. Toggling whole features that a reviewer never saw, especially anything Apple would have flagged if visible, has produced rejection messages citing 2.5.2 and section 3.3.2 of the Apple Developer Program License Agreement.

Do App Review devices test from specific IP ranges I should whitelist?

Apple does not publish the IP ranges used by App Review. Developers on the Apple Developer Forums report seeing Cupertino and Sacramento ranges in their access logs during review windows, but those reports are observational and the ranges change. A safer practice than whitelisting is removing aggressive rate limits and geofences on the endpoints your demo account hits for the duration of the review.

Does Apple App Review actually check your server-side code?

If you have a Node service, a Supabase project, or a Rails API sitting behind your iOS app, the question of whether Apple App Review actually looks at it has been quietly bothering builders for years. The short version is that Apple cannot see your server source, but the reviewer device absolutely talks to your backend, and the consequences of that conversation decide whether your build ships.

Short answer

Apple App Review does not read your server-side source code or open your repository. What reviewers do is run your submitted binary on a real device and watch the responses your backend returns. According to Apple's App Review Guidelines, apps must be self-contained per Guideline 2.5.2 and must not include hidden or dormant features per Guideline 2.3.1. Both are enforced by observing the live app, not by inspecting your server.

What you should know

Apple has no access to your server source. GitHub, GitLab, Bitbucket, AWS, Vercel, Supabase: none of these are visible to App Review.
Reviewers test the binary against your live backend. The Notes for Review demo account hits your actual production or staging environment, and reviewers observe what comes back.
Hidden behavior controlled from the backend can get you rejected. Guideline 2.5.2 forbids changing app functionality after submission, including via downloaded code or undisclosed remote toggles.
Apple's testing IPs are not published. The Cupertino and Sacramento reviewer ranges are reported by developers, not confirmed by Apple. Backend rate-limiting can block reviewers without warning.
Backend reliability during review is your problem, not Apple's. A Firebase outage during the review window can produce a Guideline 2.1 rejection even if your code is correct.
Demo accounts must hit a live backend. The account credentials you paste into App Store Connect have to authenticate against the same backend the production app will use.

What does Apple actually see from your backend during review?

The short answer is: the same thing your iPhone sees. The reviewer signs in with the demo credentials you provided, taps through the app, and the device makes HTTPS calls to whatever endpoints your bundle is pointing at. Apple does not export your traffic, decompile your responses, or inspect your server logs. The view is the same as any user device, opaque HTTPS to your domain, and a rendered UI on top.

Per Apple's Preparing for App Review documentation, the demo account and any special configurations have to be valid and functional. The implication is that the backend behind those credentials is part of what gets tested. If the backend returns 500s during the review window, the reviewer sees an empty screen and your build comes back rejected under Guideline 2.1 for app completeness, regardless of where the actual fault lives.

The limit on this reading is that the reviewer's investigation depth is not published. There is no Apple statement on whether reviewers proxy your traffic, run mitmproxy, or simply observe the rendered output. Based on patterns reported on the Apple Developer Forums, the default appears to be the simpler observation path: open the app, use it, check that the disclosed functionality matches what is visible.

Why does Apple care about server behavior if it cannot read the code?

Because what the server does shapes what the app does. Guideline 2.3.1 tells you that your app's functionality should be clear to end users and App Review, and that all features must be accessible for review. A backend that hides features behind a flag the reviewer never sees, or shows different content depending on geo or IP, defeats that requirement at the protocol level.

The cleaner version of the rule is Guideline 2.5.2. It says apps should be self-contained in their bundles and may not download, install, or execute code which introduces or changes features or functionality of the app. Server-driven UI, remote config that toggles whole flows, and feature-flag systems that ship a different app to reviewers than to real users all sit inside that prohibition or close enough to it that reviewers can flag them.

The mechanism that gets people caught is not Apple reading the server. It is the reviewer seeing one app, a TestFlight tester or a community member seeing a different one, and the discrepancy getting reported. Apple's rejection messages on this pattern, visible in the 2017 hot code push warning thread on the Apple Developer Forums and ongoing thereafter, cite both 2.5.2 and section 3.3.2 of the Apple Developer Program License Agreement.

What types of backend behavior get builds rejected?

The taxonomy that comes up repeatedly on the Apple Developer Forums looks like this.

Server pattern	What the reviewer sees	Likely guideline
Backend returns 500 during review	Blank screen, retry message, crash	2.1 App Completeness
Feature flag hides paid flow from reviewer IP	App appears free, then charges users	2.3.1 Accurate Metadata
Remote config swaps the UI after approval	Different app than the reviewed build	2.5.2 Software Requirements
Geofencing blocks reviewer location	Empty home screen, missing features	2.1 or 2.3.1
OAuth callback domain blocked at review	Sign-in loop, cannot enter the app	2.1 or 5.1.1
Rate limit blocks reviewer IP	Errors after a few taps	2.1 App Completeness
Demo account expired or revoked	Login fails	2.1 App Completeness

None of those rejections require Apple to read your server. All of them happen because the visible behavior on the reviewer device does not match the description in App Store Connect or contradicts an active guideline. The fix is not server obfuscation, it is making the backend deterministic during the review window.

How should you prepare your server for a reviewer hitting it?

Five practical steps cover most of the failure modes mobile developers I advise actually hit.

First, lock the demo account to a stable data state. The credentials you paste in App Store Connect should resolve to a populated account that does not get deleted by a nightly job or expire after a trial period. Per Apple's Preparing for App Review guidance, demo credentials must be valid and functional, and a reviewer hitting an empty or expired account counts as a 2.1 rejection.

Second, disable IP-based gating during the review window. Geofencing, country blocks, and review-only feature flags driven by IP all carry the risk of either accidentally blocking the reviewer or accidentally giving them a different app. The simplest practice is to feature-detect on the account, not on the IP.

Third, instrument your backend for the review window. A dashboard that shows 4xx and 5xx rates against the demo account's endpoints, plus alerts for the duration of the review, catches the Firebase-style outage where the reviewer's network blocks a third-party CDN even though end users have no problem.

Fourth, write the Notes for Review section with backend specifics. If your app needs to hit a particular region's API, document it. If a feature requires a background job that runs every fifteen minutes, document that too. Reviewers do not read your server, but they do read your notes.

Fifth, run an external scan on the compiled binary before you upload. For builders who want an automated read of what their compiled app is sending where, PTKD.com (https://ptkd.com) is one of the platforms focused on pre-submission scanning aligned with OWASP MASVS for no-code and vibe-coded apps. Knowing the domains and endpoints your build calls before Apple does removes a class of surprise rejections that come from forgotten SDKs hitting unexpected servers.

Can you use feature flags or remote config without getting rejected?

Yes, with discipline. The cleanest reading of Guideline 2.5.2 is that remote config is fine when it adjusts visible, disclosed functionality (A/B copy, color tweaks, server-side pricing in a payment provider) and dangerous when it ships dormant features that activate post-review.

The boundary cases that have produced rejection messages in 2024 and 2025, per posts on the Apple Developer Forums, share two features: the flag changed something the reviewer would have flagged if visible (gambling-adjacent flows, age-gated content, payment routes that bypass StoreKit), and the change happened after the reviewed build went live. A flag that simply switches the home screen layout based on a Growthbook experiment is in a different lane than a flag that turns on a feature Apple explicitly bans.

The honest answer is that Apple does not publish a flag-versus-no-flag policy. The pattern is that the more your remote config diverges from what App Review saw, the higher the risk that an update or a user report triggers a re-review and a 2.5.2 citation. Treat remote config as a tool for non-functional adjustments and disclosure-driven feature work, not as a way to ship things you do not want a reviewer to see.

What to watch out for

The first trap is assuming Apple sees your repo. They do not. There is no submit your GitHub URL step in the App Store Connect flow, and the reviewer has no view into your CI, your secrets, or your branches. What they have is the binary, the App Store Connect metadata, and the network conversation that the binary initiates on their test device. Articles that imply otherwise are wrong.

The second trap is the inverse: assuming Apple sees nothing of your server. They see everything your app surfaces. If your iOS app loads a WebView pointing at your domain, that domain is part of the review surface. If your app calls a Stripe Checkout URL inside a SafariViewController for a digital good, the reviewer notices and Guideline 3.1.1 applies, even though the code that made the decision lives on your server.

The third trap is treating reviewer IPs as known constants. Developers on the Apple Developer Forums share IP ranges that show up in their access logs during review windows (often Cupertino or Sacramento ranges), but Apple has never confirmed those ranges and they change. A rate limiter or WAF tuned aggressively can block reviewer traffic without you noticing, and the rejection that follows looks like generic 2.1 instability.

Key takeaways

Apple App Review does not read your server source code. What they read is the binary you submitted and the responses your backend returns to a reviewer device during the review window.
Server-side behavior is reviewed by observation, not inspection, which means the rules that bite are about visible discrepancy: hidden features in 2.3.1, post-review functionality changes in 2.5.2, and backend instability surfacing as 2.1.
The practical defense is a stable demo account, disclosed remote behavior in Notes for Review, and IP-agnostic feature gating during the review window so a Sacramento test device sees the same app as everyone else.
Some builders outsource the pre-submission read of their compiled binary, including the list of domains and SDKs it actually contacts, to platforms like PTKD.com (https://ptkd.com) so that the network surface Apple is about to see is already understood before upload.