Pontifex

Compliance in Vibe-Coded Apps

I analyzed hundreds of App Store rejections. The vibe coding era has made the problem dramatically worse.

I want to share something that's been genuinely painful to watch as someone who's spent months deep in App Store compliance data and as someone who has had past issues with compliance for vibe coded projects.

Vibe coding has changed everything about how fast you can build. Lovable hit $100M ARR in 8 months. Replit scaled from $2.8M to $150M ARR in under a year. 25% of Y Combinator's Winter 2025 cohort had codebases that were 95% AI-generated. The tools are incredible and the speed is real.

But the rejection rate hasn't improved. If anything, it's gotten worse.

50% of apps are rejected on first submission. 40% of all apps get rejected at least once.

That number existed before vibe coding. It exists now. And it's about to get a lot uglier as the stores get flooded with AI-generated apps that were built in a weekend by people who've never read a guideline in their lives. I know, because I'm building something for exactly that person and I've been that person.

What's actually causing rejections (the patterns nobody talks about)

Most rejection content online is vague. "Make sure your app follows guidelines." Yeah cool, thanks, who would've thought of that…

Here's what actually gets apps rejected at disproportionate rates, based on everything I’ve collected:

1. Privacy strings that don't match implementation

Your app requests camera permission. Your privacy policy and App Privacy labels say you don't collect media. Apple's review team runs the app, sees the permission prompt, checks the policy, and rejects. The purpose string itself gets the same scrutiny: if the NSCameraUsageDescription key is missing from Info.plist, iOS kills the app the moment it asks for the camera, and if the string just says "Camera access" without explaining why, that is a guideline 5.1.1 rejection on its own. This sounds obvious until you realize that AI-generated code often requests permissions "just in case", and most vibe coders don't audit what their AI actually scaffolded.

2. Authentication flows that trigger guideline 4.8 (Login Services)

Sign in with Apple is mandatory if your app offers any third-party login (Google, Facebook, etc.). It's been mandatory since 2020. Guideline 4.8 technically accepts any equivalent login option that meets its privacy criteria, but Sign in with Apple is the one reviewers never argue about. You'd be amazed how many apps, especially ones built with vibe coding tools in the last 18 months, are still getting rejected for this because the AI didn't include it and the developer didn't know to ask.

3. Subscription billing that bypasses Apple's IAP (guideline 3.1.1)

If you're offering a subscription, you cannot route around Apple's in-app purchase system for iOS users, outside the narrow exceptions Apple documents (reader apps and region-specific link entitlements). This includes linking to a web checkout, mentioning your website's pricing, or showing a "better deal available at [yoursite].com" message. The review team flags this with real consistency. AI-generated code makes it worse: nearly 50% of it fails relevant security and compliance benchmarks, and IAP handling is one of the most frequent failure points.
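A concrete way to catch the first three patterns before you hit submit is a static cross-check of the project itself. The script below is an added example, not Pontifex code and not anything Apple publishes: it compares the purpose-string keys in Info.plist against the iOS APIs the Swift sources actually call (a string without a matching API is the "just in case" permission; an API without a string is the crash-at-prompt case; a string of fewer than five words is treated as too vague for 5.1.1), flags a third-party login SDK with no Sign in with Apple code (4.8), and greps for text that steers users to an external checkout (3.1.1). The Info.plist key names and framework classes are real; the regexes, the five-word threshold and the sample project are assumptions made for the example.

```python
"""Pre-submission lint: purpose strings vs. API usage, login SDKs, and
external-purchase steering. Added example; the patterns are heuristics."""
import os
import plistlib
import re
from dataclasses import dataclass

# Info.plist purpose-string key -> API usage that fires that permission prompt.
# If the key is absent when the prompt fires, iOS terminates the app.
PERMISSION_APIS = {
    "NSCameraUsageDescription": r"\bAVCapture(Device|Session)",
    "NSMicrophoneUsageDescription": r"\bAVAudioRecorder\b|\.requestRecordPermission\b",
    "NSPhotoLibraryUsageDescription": r"\bPHPhotoLibrary\b",
    "NSLocationWhenInUseUsageDescription": r"\bCLLocationManager\b",
    "NSContactsUsageDescription": r"\bCNContactStore\b",
    "NSUserTrackingUsageDescription": r"\bATTrackingManager\b",
}
THIRD_PARTY_LOGIN = {  # any of these makes guideline 4.8 apply
    "Google Sign-In": r"^\s*import GoogleSignIn\b",
    "Facebook Login": r"^\s*import FBSDKLoginKit\b",
}
APPLE_LOGIN = r"\bASAuthorizationAppleIDProvider\b|\bSignInWithAppleButton\b"
STEERING = [  # assumed heuristics for external-purchase steering (3.1.1)
    r"https?://\S*(checkout|pricing|subscribe|billing)",
    r"(cheaper|better deal|save \d+%)[^.\n]{0,60}(website|online|\.com)",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def lint_files(files):
    """files: {relative path: text}. Returns a list of Finding."""
    swift = "\n".join(t for p, t in files.items() if p.endswith(".swift"))
    plist_src = next((t for p, t in files.items() if p.endswith("Info.plist")), "")
    plist = plistlib.loads(plist_src.encode()) if plist_src else {}
    findings = []

    for key, api in PERMISSION_APIS.items():
        used = re.search(api, swift) is not None
        text = plist.get(key, "")
        if used and not text:
            findings.append(Finding("privacy/missing-purpose-string",
                                    f"{key} missing but matching API is called"))
        elif text and not used:
            findings.append(Finding("privacy/unused-purpose-string",
                                    f"{key} declared but no matching API call found"))
        elif text and len(text.split()) < 5:  # assumed vagueness threshold
            findings.append(Finding("privacy/vague-purpose-string",
                                    f"{key} = {text!r} does not say why"))

    social = [n for n, pat in THIRD_PARTY_LOGIN.items()
              if re.search(pat, swift, re.MULTILINE)]
    if social and not re.search(APPLE_LOGIN, swift):
        findings.append(Finding("login/missing-sign-in-with-apple",
                                f"{', '.join(social)} present without Sign in with Apple"))

    for pat in STEERING:
        for m in re.finditer(pat, swift, re.IGNORECASE):
            findings.append(Finding("iap/external-purchase-steering",
                                    f"text steers to external purchase: {m.group(0)!r}"))
    return findings


def lint_project(root):
    """Run the same checks over a real Xcode project directory on disk."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".swift") or name == "Info.plist":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return lint_files(files)


# Constructed sample project (not a real app) that trips every rule once.
SAMPLE_PROJECT = {
    "App/Info.plist": """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSCameraUsageDescription</key><string>Camera access</string>
  <key>NSLocationWhenInUseUsageDescription</key>
  <string>We use your location to show nearby events on the map.</string>
</dict></plist>""",
    "App/Capture.swift": """import AVFoundation
import GoogleSignIn

final class Capture {
    let session = AVCaptureSession()
    var recorder: AVAudioRecorder?
    func start() { AVCaptureDevice.requestAccess(for: .video) { _ in } }
}
let upsell = "Subscribe for 30% less at https://example.com/pricing"
""",
}

if __name__ == "__main__":
    for f in lint_files(SAMPLE_PROJECT):
        print(f"{f.rule}: {f.detail}")
```

Run it against a checkout with `lint_project("path/to/YourApp")`. On the constructed sample it reports five findings: a vague camera string, a missing microphone string, an unused location string, Google Sign-In without Sign in with Apple, and the pricing URL. A regex lint will never replace reading the guidelines, but it is exactly the 20-minute check that catches what an AI scaffold quietly added.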

4. Content rating mismatches

You rated your app 4+. Your app has a user-generated content section with no moderation system. Instant rejection. Guideline 1.2 expects any app with user-generated content to filter objectionable material, let users report it, let users block abusers, and publish contact information. AI builders frequently forget that content rating isn't about your content, it's about your users' potential content.

5. Incomplete metadata

This one sounds embarrassing but it's genuinely common: screenshots that don't match current functionality, demo account credentials missing from the review notes, features described in the app description that don't exist in the build. Apple files these under 2.1 (App Completeness) and 2.3 (Accurate Metadata). Reviewers are humans. They'll reject if they can't figure out how your app works.

The vibe coding blind spot

Here's the uncomfortable thing: vibe coding tools are extraordinary at building. They are not built to care about what happens after you submit.

92% of US developers now use AI coding tools daily. 41% of all code is AI-generated. These tools optimize for shipping fast — and they should. But "ship fast" and "stay compliant" have been treated as opposites when they don't have to be.

The review cycle for a single rejection is typically 1–3 weeks. If you get two rejections, you're looking at up to 6 weeks of delay. For a bootstrapped founder, 6 weeks of delay before you can acquire your first user is potentially the difference between making it and not.

Every day in review is revenue left on the table.

What I built to battle this.

After going through this pain myself (two rejections on my first app, both for issues I could have caught in 20 minutes with the right tool), I started building Pontifex.

The short version: you upload your code, and Pontifex scans it against a real-time, RAG-powered database of App Store and Google Play policies before you submit. It generates a compliance report, flags the specific issues, and produces the review notes that stores actually require — based on your real implementation, not a template.

It also watches for policy updates and tells you when a change affects your specific app. Not a newsletter. A targeted alert: "Your current authentication flow now triggers a violation — here's how to fix it."

We're in early access right now. Not launching publicly yet.

Why I'm posting this

Partly to share what I've learned. Mostly because I want to talk to people who've hit this wall.

If you've had an app rejected, especially a vibe-coded one, I'd genuinely love to hear what happened. What reason did you get? How long did it delay you? Did you figure it out yourself or did you have to go digging through forums for hours?

And if you're currently building something and haven't submitted yet: what's your current plan for compliance checking before you hit submit? I'm curious whether people have a process here or if it's mostly vibes all the way down.

Happy to answer anything about the rejection patterns we've seen, the compliance edge cases, or what I'm building. AMA in the comments.

Or if you would like to join our waitlist, the link is here and in my bio: waitlister.me/p/pontifex?timestamp=1779276871836
