App store reviews

If you're planning to release an app in the Apple App Store or Google Play Store, you'll need to complete Apple or Google's app review process.

If you offer Passwords as an authentication method, the authentication-related step of the app review process should be fairly straightforward – you'll simply need to provide the app store reviewers with an email address and password combination that will log them into a test account. If you're using our B2B product suite, the test account should belong to a test Organization that you create for this purpose. You'll be able to share the test email address and password when filling out your app details during the review process.

It's also possible to pass app store reviews while offering exclusively passwordless authentication methods.

For email-based authentication methods, this can generally be accomplished by leaving a note to the app store reviewer describing how they can use their own email address to log in. The exact wording will depend on the specific authentication products that you offer in your application.

Note that if you offer any OAuth login methods (like Google OAuth or Facebook OAuth, for example) in your iOS application, in most cases you must also offer a login method that allows users to keep their email address private (like Apple OAuth) in order to comply with Apple's guidelines (with certain exceptions).

For phone number-based authentication methods, reviewers are sometimes willing to use their own phone numbers in order to authenticate as well. However, if your application is rejected because the reviewer was not willing to use their own phone number, we generally recommend the following strategy as a backup:

1. Set up a programmable SMS inbox via a service like Twilio or Mailosaur.
2. Forward OTP codes sent to the programmable inbox to a Google Sheet (or other similar shareable resource). Twilio provides a helpful resource demonstrating how to set this up.
3. Include a link to the Google Sheet in your app store review notes, along with the phone number that corresponds to the programmable inbox. That way, app store reviewers can enter the phone number in your app and retrieve the OTP code through the Google Sheet.

If any of the above strategies are not accepted by your reviewer, please reach out to us at support@stytch.com, and we'll be happy to recommend some alternative strategies for your unique auth setup.

We've designed our Device Fingerprinting (DFP) product to comply with Apple and Google's guidelines. However, if you're using our DFP product, you should ensure that your privacy policy accurately reflects the data collected from the end user and corresponding device(s) before completing your app store reviews.

We have seen instances where our customers' privacy policies submitted as part of these review processes do not account for information collected and reported as necessary for the Stytch Device Fingerprinting solution to function, which has resulted in delayed approvals. As such, with consultation from your legal and engineering teams, we suggest reviewing and updating your privacy policy to clearly articulate to your end users (and app store reviewers) the types of information collected, methods for doing so, and how that information is used.

We have found success with app store submissions with privacy policies that include the below sample disclosure. However, this should not be taken as strict advice that you must follow with regards to updating your privacy policy but only as a suggestion for content to include.

If you need any additional assistance preparing for app store reviews while using our DFP product, please reach out to support@stytch.com.