App store reviews
If you're planning to release an app in the Apple App Store or Google Play Store, you'll need to complete Apple or Google's app review process.
If you offer Passwords as an authentication method, the authentication-related step of the app review process should be fairly straightforward – you'll simply need to provide the app store reviewers with an email address and password combination that will log them into a test account. If you're using our B2B product suite, the test account should belong to a test Organization that you create for this purpose. You'll be able to share the test email address and password when filling out your app details during the review process.
Passwordless authentication
It's also possible to pass app store reviews while offering exclusively passwordless authentication methods.
Email-based authentication
For email-based authentication methods, this can generally be accomplished by leaving a note to the app store reviewer describing how they can use their own email address to log in. The exact wording will depend on the specific authentication products that you offer in your application.
Note that if you offer any OAuth login methods (like Google OAuth or Facebook OAuth, for example) in your iOS application, in most cases you must also offer a login method that allows users to keep their email address private (like Apple OAuth) in order to comply with Apple's guidelines (with certain exceptions).
Phone number-based authentication
For phone number-based authentication methods, reviewers are sometimes willing to use their own phone numbers in order to authenticate as well. However, if your application is rejected because the reviewer was not willing to use their own phone number, we generally recommend the following strategy as a backup:
- Set up a programmable SMS inbox via a service like Twilio or Mailosaur.
- Forward OTP codes sent to the programmable inbox to a Google Sheet (or other similar shareable resource). Twilio provides a helpful resource demonstrating how to set this up.
- Include a link to the Google Sheet in your app store review notes, along with the phone number that corresponds to the programmable inbox. That way, app store reviewers can enter the phone number in your app and retrieve the OTP code through the Google Sheet.
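One way to implement the forwarding step above, as an added example that is not Stytch's or Twilio's code. It assumes the SMS provider POSTs inbound messages as a form-encoded webhook with `To` and `Body` fields and that codes are six digits; the phone numbers, messages and function names are constructed for illustration. Only the timestamp and the code are kept for the shared sheet, and messages sent to any other number are dropped.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed placeholder for the programmable inbox number given to reviewers.
REVIEW_NUMBER = "+15555550100"
# Assumption: OTP codes are exactly six digits; longer digit runs are ignored.
OTP_RE = re.compile(r"(?<!\d)\d{6}(?!\d)")


def otp_row(form_body, received_at):
    """Return [timestamp, code] for the shared sheet, or None to drop the message."""
    fields = parse_qs(form_body, keep_blank_values=True)
    to = fields.get("To", [""])[0]
    body = fields.get("Body", [""])[0]
    if to != REVIEW_NUMBER:
        return None  # not addressed to the review inbox: never forward
    codes = OTP_RE.findall(body)
    if len(codes) != 1:
        return None  # no code, or ambiguous: skip rather than guess
    # Forward only the code, not the sender number or the full message text.
    return [received_at.isoformat(timespec="seconds"), codes[0]]


def sheet_rows(form_bodies, received_at):
    """Filter a batch of webhook bodies down to rows safe to share."""
    rows = (otp_row(b, received_at) for b in form_bodies)
    return [r for r in rows if r is not None]


# Constructed sample webhook bodies (form-encoded, as an SMS provider might POST).
SAMPLES = [
    "To=%2B15555550100&From=%2B15555550123&Body=Your+verification+code+is+482913",
    "To=%2B15555550199&From=%2B15555550123&Body=Your+verification+code+is+111222",
    "To=%2B15555550100&From=%2B15555550123&Body=Call+us+at+5555550142",
]

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for row in sheet_rows(SAMPLES, now):
        print(",".join(row))
```

Use a number and test account that exist only for the review, so nothing other than review OTP codes can ever appear in the shared sheet.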
If any of the above strategies are not accepted by your reviewer, please reach out to us at support@stytch.com, and we'll be happy to recommend some alternative strategies for your unique auth setup.
Device Fingerprinting
We've designed our Device Fingerprinting (DFP) product to comply with Apple and Google's guidelines. However, if you're using our DFP product, you should ensure that your privacy policy accurately reflects the data collected from the end user and corresponding device(s) before completing your app store reviews.
We have seen instances where the privacy policies our customers submitted as part of these review processes did not account for the information that is collected and reported for the Stytch Device Fingerprinting solution to function, which has resulted in delayed approvals. As such, we suggest reviewing and updating your privacy policy, in consultation with your legal and engineering teams, to clearly articulate to your end users (and app store reviewers) the types of information collected, the methods for collecting it, and how that information is used.
We have found success with app store submissions whose privacy policies include the below sample disclosure. However, this should not be taken as strict advice that you must follow with regard to updating your privacy policy, but only as a suggestion for content to include.
If you need any additional assistance preparing for app store reviews while using our DFP product, please reach out to support@stytch.com.