All posts
GuideJul 8, 2026 · 10 min

App Store Rejections Decoded: Guidelines 4.3, 2.5.2, 3.1.1, 4.2 and 5.1.1

The five App Store Review Guidelines that reject the most apps — 4.3, 2.5.2, 3.1.1, 4.2, 5.1.1 — with what triggers each, how to fix it, and how to appeal.

RA

The Argus Team

Reply Argus

Most App Store rejections cluster into a handful of guidelines, and five of them come up again and again: 4.3 (spam), 2.5.2 (downloading executable code), 3.1.1 (in-app purchase), 4.2 (minimum functionality), and 5.1.1 (data and privacy). Each is a different kind of 'no.' 4.3 says your app is too similar to others; 4.2 says it's too thin to be an app at all; 3.1.1 is about how you take money; 2.5.2 is about code that changes your app after review; 5.1.1 is about what you do with a user's data. Get the wrong mental model and you'll fix the wrong thing and get rejected again.

Apple sends a short, near-generic message in Resolution Center with a guideline number and not much else, so the first job is always to translate that number into 'what does this reviewer actually want me to change?' This guide does that for the five you're most likely to hit: what each really says, the patterns that trigger it, how to fix it before you resubmit, and, at the end, how to appeal when the reviewer got it wrong.

The guidelines shift between revisions

Apple rewords and renumbers the App Store Review Guidelines regularly, and some rules (especially 3.1.1's external-payment language) differ by country and are being actively litigated. Treat the numbers below as a way to reason about your rejection, and always confirm the exact current wording against Apple's live Guidelines page before you resubmit or appeal.

Guideline 4.3 — Spam (your app looks like everyone else's)

A 4.3 rejection means App Review considers your app a duplicate, a reskinned template, or a me-too entry in a category that's already crowded. It splits into two halves. 4.3(a) covers duplicate and copycat apps: multiple Bundle IDs for the same thing, or an app built from a boilerplate that thousands of others also shipped. 4.3(b) covers a technically original app that lands in a saturated category (yet another flashlight, soundboard, or wallpaper pack) without a distinctly better experience.

The reframe that saves you: 4.3 is a *concept* verdict, not a code bug. Nothing in your build is broken, so patching a crash and resubmitting the same idea gets rejected again. What has to change is how distinct the app reads versus the crowd the reviewer is comparing you against — a real native differentiator, consolidated duplicates, honest metadata. It's a deep enough topic that we gave it its own walkthrough, with a full appeal template, in [Guideline 4.3 rejections, explained](/blog/app-store-review-guideline-4-3-rejections).

Guideline 2.5.2 — Downloading code that changes your app

2.5.2 lives in the Software Requirements section, and the short version is: an app must be self-contained in its bundle and may not download, install, or execute code that introduces or changes features or functionality after review. Apple can't vet what it can't see, so a build that pulls down a payload and rewrites its own behavior defeats the entire review process. This is the guideline that ended the era of 'hot-code-push' frameworks that let apps ship native changes without a new App Store submission.

What trips it in practice:

  • Hot-code-push / dynamic native updates — a framework that fetches and runs native code to change features between releases, bypassing App Review entirely.
  • Remote config that changes functionality, not just content — flipping on whole new features or flows from a server the reviewer never saw. Toggling copy, prices, or content is generally fine; unlocking new capabilities is not.
  • An app that's a container for other apps — a shell that downloads and launches arbitrary mini-apps or executables it didn't ship with.
  • Interpreted code that changes the app's primary purpose — Apple allows scripts run in a WebKit/JavaScriptCore context, but only when they don't provide functionality inconsistent with the app's intended, reviewed use.

The fix is almost always the same: ship functional changes through a normal App Store update, not a runtime download. Keep remote config to genuine content and configuration, the stuff you'd change without shipping a binary anyway, not a switch for features the reviewer couldn't evaluate. If you use a cross-platform framework, confirm its update mechanism ships pre-reviewed bundles rather than pushing new native code.

Guideline 3.1.1 — In-App Purchase and how you take money

3.1.1 governs payments for digital goods and services. The core rule: if you unlock features, content, subscriptions, or currency that are consumed *inside* the app, you must use Apple's In-App Purchase, not Stripe, not PayPal, not your own checkout. Physical goods and real-world services are the opposite: those must NOT use IAP and should take payment another way. Mixing them up is a classic rejection in both directions: a food-delivery app forced through IAP, or a premium subscription sold with an outside processor.

The part that changes by country is *steering*: Apple historically barred apps from linking to or even mentioning cheaper purchase options outside the app. As of 2026 that's no longer uniform. A US court injunction and the EU's Digital Markets Act have forced Apple to permit external purchase links in some regions, often under a specific entitlement, and the details are still being litigated. Don't assume the old anti-steering rule, and don't assume the new freedom either; check the current entitlement for the countries you ship to.

  • Unlocking digital content with a non-Apple processor — the most common 3.1.1(a) hit; in-app digital purchases have to run through IAP unless a current entitlement says otherwise.
  • Steering users off-platform without the entitlement — buttons, links, or copy pointing to an external website to pay, in a region or context where that isn't permitted.
  • Using IAP for physical goods — buying a real product or a real-world service shouldn't go through IAP at all.
  • 'Free' apps that gate everything behind a manual, non-IAP paywall — reviewers read this as circumventing the store's commerce rules.

The fix is matching the payment method to what's being sold: IAP for in-app digital value, standard payment (Apple Pay or a card processor) for physical goods, and if you want to link out for a digital purchase, only through the entitlement Apple currently offers for your market.

Guideline 4.2 — Minimum functionality (too thin to be an app)

4.2 says your app should include features, content, and UI that elevate it beyond a repackaged website. If it isn't useful, unique, or meaningfully 'app-like,' it doesn't belong on the store. This is the rejection for thin wrappers: a WebView that just loads your mobile site, an app that's really a marketing brochure, a demo or beta, or something that does so little it feels like a placeholder.

Here's the distinction that saves people a wasted resubmission, because 4.2 and 4.3 both love to flag a WebView wrapper: 4.2 is 'too thin to be an app,' 4.3 is 'too similar to other apps.' A WebView shell can trip both — it's thin *and* it's a shape App Review has seen a thousand times. The fix is the same starting point regardless: add real native functionality. Offline capability, push done well, native device features a browser can't fake, content or data that's genuinely yours. If you can't name in one sentence what your app does that its own website can't, you haven't cleared 4.2 yet.

This is literally just their website in an app. Why does this need to exist? Deleting.

Reply

Fair hit — the first build was thin, and we heard it. 2.0 (live now) adds offline access, native notifications for order updates, and a widget, so it does things the site can't. If it still feels redundant after you try it, tell us what you'd want it to do and we'll build toward it.

That's not a review from App Review, of course. It's the kind a real user leaves the week after a thin app squeaks through. Notice the fix is identical for both: give the thing a reason to be an app. The reviewer and the one-star are asking the same question.

Guideline 5.1.1 — Data collection, permissions, and account deletion

5.1.1 is the privacy rejection, and it has more sub-parts than any other on this list. You need a working privacy policy link, you must request permission with a *specific* purpose string (not a generic one), you can only ask for data that's relevant to what the app does, and you can't force a user to hand over personal information or create an account to use features that don't require it. A flashlight app that demands your location and a login will get 5.1.1'd fast.

The one that catches established apps is account deletion: if your app lets users create an account, it must let them initiate deleting that account from inside the app, not just deactivate, and not 'email us to delete.' It's been enforced since 2022 and still rejects apps that only built a sign-up flow. Purpose strings are the other trap. A prompt that says '[App] needs access' with no reason reads as a placeholder. Say what you'll do with it:

xml
<!-- Rejected: no real reason given -->
<key>NSCameraUsageDescription</key>
<string>This app needs camera access.</string>

<!-- Accepted: names the exact feature and use -->
<key>NSCameraUsageDescription</key>
<string>Scan receipts to attach them to an
  expense. Photos are stored only on your
  device unless you choose to sync them.</string>
Info.plist purpose strings — the vague one draws a 5.1.1 rejection; the specific one clears it.
  • Vague or missing purpose strings — every permission (camera, location, contacts, mic, photos, tracking) needs a string that names the feature and the reason.
  • Requiring sign-in or personal data to browse — gate an account behind features that actually need one, not behind the whole app.
  • No in-app account deletion — if users can register, they must be able to delete the account (and its data) from within the app.
  • Missing or dead privacy policy URL — required in App Store Connect metadata and often inside the app too.
  • Over-collection — asking for data with no clear relevance to the app's function.

One rejection message, five different fixes

Before you change a single line, match the guideline number to the right category above. 4.3 → make the concept distinct. 4.2 → add native functionality. 2.5.2 → stop downloading code that changes features. 3.1.1 → match the payment method to what you're selling. 5.1.1 → specific purpose strings, minimal data, and in-app account deletion. Fixing the wrong axis is the fastest way to a second rejection.

How do you appeal an App Store rejection?

Sometimes the reviewer pattern-matched too fast and the rejection is genuinely wrong. You have two escalation paths, and the order matters.

  1. 1

    Step 1 — Reply in Resolution Center

    In App Store Connect, respond directly to the reviewer in the Resolution Center. Ask a specific clarifying question or point to exactly what they missed. Many honest misreads get resolved right here without a formal appeal.

  2. 2

    Step 2 — Bring new information, not just insistence

    Appeals that flip carry new substance — a differentiator the reviewer overlooked, proof an app isn't a duplicate, a corrected purpose string. Restating 'my app is fine' with nothing new almost never reverses a decision.

  3. 3

    Step 3 — Escalate to the App Review Board

    If Resolution Center stalls, formally appeal to the App Review Board, a separate team that re-examines the decision. Keep the message calm, specific, and short; list what's distinct and what you changed.

  4. 4

    Step 4 — Or just fix and resubmit

    If you honestly earned the rejection, an appeal won't save it — a fix will. A corrected build often clears faster than a contested appeal, and it goes back through standard review.

Be honest about which situation you're in. A reskinned template or a WebView with nothing native behind it won't clear through persistence, and grinding the same rejected concept against the queue can escalate. When you do have a real case, the [full 4.3 appeal template](/blog/app-store-review-guideline-4-3-rejections) adapts cleanly to any guideline — swap the differentiator section for whatever the reviewer cited. If your resubmission is just sitting untouched, that's a different problem, covered in [why your app is stuck in review](/blog/app-store-stuck-in-review) and [how long App Store review takes](/blog/how-long-does-app-store-review-take).

After you clear review, the reviews start

Getting past these five guidelines earns you a place on the shelf, not a rating. That's the next fight, and it begins the day your first users arrive. The cheapest lever on your rating after launch isn't another submission; it's answering the reviews you get. When Google shipped recency-weighted ratings at I/O 2019, it reported that developers who respond to reviews see an average lift of 0.7 stars. Apple publishes no equivalent figure, but the mechanism holds on both stores: a calm, specific reply to an early one-star reassures the next hundred people deciding whether to tap Get.

Doing that once is a pleasant afternoon. Doing it for every review across the App Store and Google Play, in each reviewer's own language, without the queue lapsing during launch week, is the part that quietly eats a founder's time. That's the moment [ReplyArgus](/features) is built for: it watches both stores in one inbox and drafts an on-brand reply for each review, grounded in your past approved replies and your store listing, already sized for each store's limits. You approve in a click, or opt in to auto-publish clean 5-star replies so nothing stalls while you're heads-down on the next build. It won't get you past App Review; that's your app's job. But the day after you're approved, it's the review desk you don't have to staff. For a playbook on the hard ones, start with [how to respond to negative app reviews](/blog/how-to-respond-to-negative-app-reviews).

Frequently asked

What are the most common App Store rejection guidelines?
Five come up repeatedly: 4.3 (spam — duplicate or me-too apps), 2.5.2 (downloading executable code that changes the app after review), 3.1.1 (in-app purchase and payment rules), 4.2 (minimum functionality — thin apps and website wrappers), and 5.1.1 (data collection, permission purpose strings, and account deletion). Each requires a different fix, so start by translating the guideline number into which of those categories you actually hit.
What's the difference between Guideline 4.2 and 4.3?
4.2 is 'too thin to be an app' — a repackaged website or a build with too little functionality to justify existing. 4.3 is 'too similar to other apps' — a duplicate, reskinned template, or me-too entry in a saturated category. A bare WebView wrapper can trip both at once. The 4.2 fix is adding real native functionality; the 4.3 fix is making the concept genuinely distinct.
Why did my app get rejected under Guideline 3.1.1?
3.1.1 usually means a payment mismatch: selling in-app digital goods or subscriptions through a non-Apple processor instead of In-App Purchase, using IAP for physical goods (which shouldn't use it), or steering users to an outside website to pay where that isn't permitted. Steering rules now vary by country after recent court and DMA changes, so confirm the current entitlement for the markets you ship to.
Does Guideline 5.1.1 require in-app account deletion?
Yes. If your app supports account creation, 5.1.1 requires you to let users initiate deletion of that account (and its data) from within the app. A 'contact us to delete' flow or a deactivate-only option isn't enough. This has been enforced since 2022 and is a common rejection for apps that built a sign-up flow but no deletion path.
How do I appeal an App Store rejection?
First reply in the Resolution Center in App Store Connect — many honest misreads resolve there. If it stalls, escalate to the App Review Board, a separate team that re-examines the decision. Appeals succeed when they carry new information the reviewer missed, not when they simply restate that the app is fine. If you genuinely earned the rejection, fixing and resubmitting is usually faster than contesting it.
Will a rejection get my developer account banned?
A single rejection is not a ban. You can fix and resubmit. But Apple warns that abusing the process, such as repeatedly submitting spam or duplicate apps, can put your Apple Developer Program membership at risk. Change the concept or fix the build rather than grinding the same rejected binary against the review queue.

So a guideline number in Resolution Center isn't a verdict on your effort — it's a coordinate. Find which of the five walls you hit, fix that specific axis, and resubmit with a two-sentence note pointing at exactly what changed. Appeal when you have new information, fix and move on when you don't. Clear it, and the shelf is yours — and the reviews that follow are a fight you can win one reply at a time. [Start free with ReplyArgus](/signup), no card required, and the day after you're approved, Argus drafts your first reply in minutes, in the reviewer's own language.

Try it

Let Argus draft your next reply.

Watch it answer a real review in your voice. 10-day trial, no card to begin.

See the features or pricing.

Keep reading