App Store

    Guideline 4.7: HTML5 games and mini-apps explained

    A 2026 view of a super-app hosting HTML5 mini games under Guideline 4.7, with the mini apps confined to a WebKit and JavaScriptCore sandbox and no native API bridge

    Guideline 4.7 is the rule that lets an app host content it did not ship in its binary, HTML5 mini games, mini apps, chatbots, plug-ins, and it comes with strict conditions. If you are building a super-app or a platform that runs third-party mini apps, 4.7 is the guideline that governs you, and the central technical requirement is that this software runs only in WebKit and JavaScriptCore, with no access to native APIs. You are also responsible for everything those mini apps do. Here is what 4.7 allows and the conditions you must meet.

    Short answer

    Guideline 4.7 allows apps to offer software not embedded in the binary, specifically HTML5 and JavaScript mini apps and mini games, streaming games, chatbots, and plug-ins, subject to conditions in 4.7.1 through 4.7.5. Per Apple's software guideline, the software must use only capabilities available in a standard WebKit view and JavaScriptCore, without extending or exposing native platform APIs; must be free or use in-app purchase; and must not provide real-money gaming, lotteries, or charitable donations. You are responsible for ensuring all such software complies with the guidelines and applicable laws, and you must provide age-rating identification and an age-restriction mechanism. So hosting mini apps is allowed, within a tightly defined sandbox.

    What you should know

    • Mini apps are allowed: HTML5 and JS mini apps, mini games, chatbots, plug-ins.
    • WebKit and JavaScriptCore only: no extending or exposing native APIs.
    • You are responsible: all hosted software must comply with the rules and laws.
    • Free or in-app purchase: no other payment for the mini software.
    • Age controls required: identify mature content and restrict by age.

    What does Guideline 4.7 allow?

    Hosting third-party software that does not ship inside your app's binary. The guideline explicitly permits HTML5 and JavaScript mini apps and mini games, streaming games, chatbots, and plug-ins, and it lets retro game console and PC emulator apps offer to download games. This is what makes super-apps and mini-program platforms possible on the App Store, where a single host app offers many small experiences from different creators. The key is that this content lives in a constrained environment rather than as native code you reviewed and bundled, which is why Apple wraps it in conditions: the freedom to host comes with responsibility for what you host and limits on what that hosted code can do.

    What are the 4.7 requirements?

    A set of conditions in 4.7.1 through 4.7.5. The table summarizes the main ones.

    RequirementWhat it means
    WebKit and JavaScriptCore onlyMini software runs in a web view; no native API access
    Runs natively in SafariIt must work without modifications or extra software
    Free or in-app purchaseNo alternative payment for the hosted software
    Developer Program membershipOffered by developers who signed the agreement
    No real-money gamingNo gambling, lotteries, or charitable donations
    Age controlsIdentify content exceeding the rating and restrict by age

    The technical heart is the WebKit and JavaScriptCore restriction: hosted mini apps must use only what a standard web view provides and must not extend or be given access to native platform APIs. That sandbox is what keeps third-party code from reaching capabilities it was never reviewed for.

    How do you comply if you host mini apps?

    Build the host so the sandbox and the responsibilities are real. Run all mini apps through WebKit and JavaScriptCore, and do not build a bridge that exposes native platform APIs to that third-party code, since that is the line 4.7 draws. Ensure the hosted software is free or transacts only through in-app purchase, and that it comes from developers in the Apple Developer Program. Implement an age-rating system so users can identify mini apps that exceed your app's rating, plus an age-restriction mechanism based on verified or declared age. And because you are responsible for everything you host, put moderation and compliance checks in place so a mini app cannot introduce content or behavior that breaks the guidelines or the law. The host carries the accountability for the platform.

    What to watch out for

    The first trap is exposing native APIs to mini apps through a JavaScript bridge, which violates the WebKit-only constraint and also widens your attack surface. The second is assuming responsibility for hosted content sits with its creators, when 4.7 puts it on you as the host. The third is missing the age-rating and age-restriction requirements, which are mandatory, not optional. A pre-submission scan such as PTKD.com (https://ptkd.com) reads the compiled IPA against OWASP MASVS and surfaces your WebView configuration and any native bridge exposed to web content, which helps you confirm hosted mini apps are confined to WebKit and JavaScriptCore rather than reaching native capabilities. The compliance and moderation work happens in your platform design.

    What to take away

    • Guideline 4.7 lets apps host HTML5 and JavaScript mini apps, mini games, chatbots, and plug-ins, under the conditions in 4.7.1 through 4.7.5.
    • Hosted software must run only in WebKit and JavaScriptCore without accessing native APIs, be free or use in-app purchase, and avoid real-money gaming.
    • You are responsible for all software you host, and you must provide age-rating identification and an age-restriction mechanism.
    • Keep mini apps confined to a web view with no native bridge, and use a pre-submission scan such as PTKD.com to confirm your WebView does not expose native capabilities.
    • #guideline-4-7
    • #mini-apps
    • #html5-games
    • #webkit
    • #super-app
    • #javascriptcore
    • #ios

    Frequently asked questions

    What does Guideline 4.7 allow?
    It allows apps to host third-party software that is not embedded in the binary: HTML5 and JavaScript mini apps and mini games, streaming games, chatbots, and plug-ins, plus retro console and PC emulators offering downloadable games. This is what makes super-apps and mini-program platforms possible on the App Store. The content lives in a constrained environment rather than as native code you bundled, which is why Apple attaches strict conditions to it under 4.7.1 through 4.7.5.
    What are the main 4.7 requirements?
    Hosted mini software must use only WebKit and JavaScriptCore without extending or accessing native platform APIs, run natively in Safari without modifications, be free or use in-app purchase, and come from developers in the Apple Developer Program. It must not provide real-money gaming, lotteries, or charitable donations. You are responsible for ensuring all hosted software complies with the guidelines and laws, and you must provide age-rating identification and an age-restriction mechanism.
    Can mini apps access native iOS features?
    No. The central technical condition of Guideline 4.7 is that hosted mini apps run only in a standard WebKit view with JavaScriptCore and must not extend or be given access to native platform APIs. So you cannot build a JavaScript bridge that exposes native capabilities to third-party mini apps. That sandbox is what keeps hosted code, which Apple did not review natively, from reaching capabilities it was never evaluated for.
    Who is responsible for hosted mini apps?
    You are, as the host. Guideline 4.7 makes you responsible for ensuring all software you offer complies with the guidelines and all applicable laws, even though creators wrote the mini apps. So you need moderation and compliance checks so a mini app cannot introduce content or behavior that breaks the rules, plus the required age controls. The accountability for the platform sits with the host app, not only with the individual mini-app creators.
    How do I confirm mini apps stay in the WebKit sandbox?
    Scan the host build. A pre-submission scan such as PTKD.com reads the compiled IPA against OWASP MASVS and surfaces your WebView configuration and any native bridge exposed to web content, which helps you confirm hosted mini apps are confined to WebKit and JavaScriptCore rather than reaching native capabilities. That addresses both the 4.7 requirement and the security risk of exposing native APIs to third-party code you did not write.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free