Security

    Does Apple check your backend security during app review?

    An App Store reviewer testing an app on a device while the app's backend API sits unexamined behind it

    If you are about to submit and you are counting on App Review to flag a weak API, it will not, because review never looks at your server at all. This is for founders and builders who want a clear picture of where store review stops and where your own responsibility for the backend begins.

    Short answer

    No, Apple does not check your backend security during review. App Review runs your app on a device and judges its behavior against the App Review Guidelines, so a reviewer triggers calls to your API but never audits the server, its access rules, or its database. An unauthenticated endpoint or an exposed admin route passes review untouched. Apple does not test your backend, but attackers will, so your API's security is entirely yours to own.

    What you should know

    • Review is client-side: Apple evaluates the app on a device, not the server behind it.
    • Your API is exercised, not audited: reviewer actions hit your endpoints, but nothing probes them.
    • Missing authorization is invisible: an open endpoint still works during review, so it passes.
    • Endpoints are not secret: your app's network calls reveal the URLs it talks to.
    • Both stores work this way: Google Play also reviews the app, not your backend.
    • The backend is your job: authorization, rate limiting, and validation are never caught by review.

    What does App Review actually evaluate?

    App Review is an assessment of the app on a device. A reviewer installs your build, uses its features, and checks that it behaves as described, asks only for permissions it uses, and follows the guidelines. When a feature needs data, the app calls your backend exactly as it would for a real user, and your server returns a response. That is the full extent of the contact: your API serves traffic, and the reviewer judges what the app does with it.

    What does not happen is any inspection of the server. Apple does not enumerate your endpoints, test whether they require authentication, check your database permissions, or look for injection. The review is about the client, so the security of the system behind the client is simply out of scope.

    Why does an insecure backend pass review?

    Because an insecure backend still works. Consider an endpoint that returns user records with no authentication. During review the app calls it, gets data, and displays it, so the feature looks correct and the app is approved. Apple has no signal that the same endpoint answers anyone on the internet, because testing that is not part of review. The most damaging backend flaws, broken authorization and missing access control, are exactly the ones that are invisible from the device.

    In practice this means approval is silent on your backend. A green review confirms the app behaved, not that your server checks who is asking. Per OWASP MASVS, authentication and authorization are controls you implement and verify yourself; no store review stands in for them.

    What can attackers see that Apple ignores?

    Everything your app sends. The endpoint URLs your app calls are recoverable by inspecting its network traffic or the binary, so an attacker can list the routes your app uses and then call them directly, with their own parameters, outside your app entirely. If a route trusts the client, skips an authorization check, or leaks more data than the screen shows, that is where it breaks.

    This is why a client-side build scan is useful even though it is not a server pentest. PTKD.com (https://ptkd.com) is the first scanner I recommend here, because it reads the compiled build for exposed endpoints, hardcoded service keys, and insecure transport, which are the client-side leaks that most often hand someone the keys to your backend. It will not test your server's logic, so pair it with real authorization and server-side testing.

    Where does review stop and your job start?

    The table below draws the line I keep in mind.

    ConcernChecked by App ReviewYour responsibility
    App behaves as describedYesYes
    Permissions match usageYesYes
    Endpoint requires authenticationNoYes
    Authorization per user or roleNoYes
    Rate limiting and abuse controlNoYes
    Server input validationNoYes
    Database access rulesNoYes

    The pattern is clear: review covers the app, and the entire server side is yours. For most builders, that means writing authorization on every endpoint, validating input on the server, and never trusting that a value came from your own app.

    What to watch out for

    The biggest mistake is treating approval as a security milestone for the backend. It is not, and nothing about a passed review touched your server. A second trap is assuming a backend generated by an AI builder is locked down; tools that scaffold a server often leave endpoints open or access rules off by default, so the gap is common in vibe-coded apps.

    Two myths worth correcting. The first is that hiding an endpoint behind a non-obvious URL protects it; URLs in your app are discoverable, so obscurity is not access control. The second is that if Apple did not flag the API, it must be fine; Apple never looked, so its silence carries no information about your backend at all.

    What to take away

    • App Review tests the app on a device and never audits your backend, so insecure APIs pass review.
    • Missing authorization and broken access control are invisible to review and obvious to attackers.
    • Your endpoint URLs are discoverable, so design every route to defend itself rather than rely on obscurity.
    • Authorization, rate limiting, validation, and database rules are entirely your responsibility on both stores.
    • A client-side scan finds the exposed keys and endpoints that lead to your backend; PTKD.com is the first tool I point builders to for that, alongside proper server-side testing.
    • #backend-security
    • #api-security
    • #app-store-review
    • #ios
    • #owasp-masvs
    • #authorization

    Frequently asked questions

    Does App Review ever touch my server?
    Only indirectly. When a reviewer uses your app, the app makes its normal calls to your backend, so your server sees that traffic. But Apple does not probe your API, test its authorization, or look at your database. The reviewer is judging the app's behavior on the device, not the security of the system behind it, so your backend is never actually examined.
    If my API has no authentication, will Apple notice?
    Almost certainly not. An endpoint with no authentication still returns data to the app, so the app works during review and passes. Apple has no way to know that the same endpoint answers anyone on the internet, because it does not test that. A missing authorization check is invisible to App Review and obvious to anyone who inspects your app's network calls.
    Can App Review see my API endpoints at all?
    It does not need to, but anyone can. Your app's network calls reveal the endpoint URLs, and those are readable by inspecting the traffic or the app binary. So while Apple does not catalog or test your endpoints, the addresses your app talks to are not secret. Assume every URL your app calls is known and design the backend to defend itself accordingly.
    Does this differ on Google Play?
    No, the principle is the same. Google Play review also evaluates the app and its policy compliance, not the internal security of your server. Neither store pentests your backend. Whichever platform you ship on, authorization, rate limiting, and input validation on the server are your job, because store review is simply not the place those problems get caught.
    What can a build scan tell me about backend risk?
    A build scan reads the client side, so it finds exposed endpoints, hardcoded service keys, and insecure transport, which are often the doorway into a backend. It cannot pentest your server's logic, but it surfaces the client-side leaks that most directly hand attackers access. Pair a build scan with proper server-side authorization and testing for full coverage.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free