Guideline 4.7 is the rule that lets an app host content it did not ship in its binary, HTML5 mini games, mini apps, chatbots, plug-ins, and it comes with strict conditions. If you are building a super-app or a platform that runs third-party mini apps, 4.7 is the guideline that governs you, and the central technical requirement is that this software runs only in WebKit and JavaScriptCore, with no access to native APIs. You are also responsible for everything those mini apps do. Here is what 4.7 allows and the conditions you must meet.
Short answer
Guideline 4.7 allows apps to offer software not embedded in the binary, specifically HTML5 and JavaScript mini apps and mini games, streaming games, chatbots, and plug-ins, subject to conditions in 4.7.1 through 4.7.5. Per Apple's software guideline, the software must use only capabilities available in a standard WebKit view and JavaScriptCore, without extending or exposing native platform APIs; must be free or use in-app purchase; and must not provide real-money gaming, lotteries, or charitable donations. You are responsible for ensuring all such software complies with the guidelines and applicable laws, and you must provide age-rating identification and an age-restriction mechanism. So hosting mini apps is allowed, within a tightly defined sandbox.
What you should know
- Mini apps are allowed: HTML5 and JS mini apps, mini games, chatbots, plug-ins.
- WebKit and JavaScriptCore only: no extending or exposing native APIs.
- You are responsible: all hosted software must comply with the rules and laws.
- Free or in-app purchase: no other payment for the mini software.
- Age controls required: identify mature content and restrict by age.
What does Guideline 4.7 allow?
Hosting third-party software that does not ship inside your app's binary. The guideline explicitly permits HTML5 and JavaScript mini apps and mini games, streaming games, chatbots, and plug-ins, and it lets retro game console and PC emulator apps offer to download games. This is what makes super-apps and mini-program platforms possible on the App Store, where a single host app offers many small experiences from different creators. The key is that this content lives in a constrained environment rather than as native code you reviewed and bundled, which is why Apple wraps it in conditions: the freedom to host comes with responsibility for what you host and limits on what that hosted code can do.
What are the 4.7 requirements?
A set of conditions in 4.7.1 through 4.7.5. The table summarizes the main ones.
| Requirement | What it means |
|---|---|
| WebKit and JavaScriptCore only | Mini software runs in a web view; no native API access |
| Runs natively in Safari | It must work without modifications or extra software |
| Free or in-app purchase | No alternative payment for the hosted software |
| Developer Program membership | Offered by developers who signed the agreement |
| No real-money gaming | No gambling, lotteries, or charitable donations |
| Age controls | Identify content exceeding the rating and restrict by age |
The technical heart is the WebKit and JavaScriptCore restriction: hosted mini apps must use only what a standard web view provides and must not extend or be given access to native platform APIs. That sandbox is what keeps third-party code from reaching capabilities it was never reviewed for.
How do you comply if you host mini apps?
Build the host so the sandbox and the responsibilities are real. Run all mini apps through WebKit and JavaScriptCore, and do not build a bridge that exposes native platform APIs to that third-party code, since that is the line 4.7 draws. Ensure the hosted software is free or transacts only through in-app purchase, and that it comes from developers in the Apple Developer Program. Implement an age-rating system so users can identify mini apps that exceed your app's rating, plus an age-restriction mechanism based on verified or declared age. And because you are responsible for everything you host, put moderation and compliance checks in place so a mini app cannot introduce content or behavior that breaks the guidelines or the law. The host carries the accountability for the platform.
What to watch out for
The first trap is exposing native APIs to mini apps through a JavaScript bridge, which violates the WebKit-only constraint and also widens your attack surface. The second is assuming responsibility for hosted content sits with its creators, when 4.7 puts it on you as the host. The third is missing the age-rating and age-restriction requirements, which are mandatory, not optional. A pre-submission scan such as PTKD.com (https://ptkd.com) reads the compiled IPA against OWASP MASVS and surfaces your WebView configuration and any native bridge exposed to web content, which helps you confirm hosted mini apps are confined to WebKit and JavaScriptCore rather than reaching native capabilities. The compliance and moderation work happens in your platform design.
What to take away
- Guideline 4.7 lets apps host HTML5 and JavaScript mini apps, mini games, chatbots, and plug-ins, under the conditions in 4.7.1 through 4.7.5.
- Hosted software must run only in WebKit and JavaScriptCore without accessing native APIs, be free or use in-app purchase, and avoid real-money gaming.
- You are responsible for all software you host, and you must provide age-rating identification and an age-restriction mechanism.
- Keep mini apps confined to a web view with no native bridge, and use a pre-submission scan such as PTKD.com to confirm your WebView does not expose native capabilities.




