App Store Review Guidelines Changes 2024: What Australian Developers Must Know

After shipping 50+ iOS apps through App Store review, I’ve learned that guideline changes can make or break your submission timeline. Apple’s 2024 updates introduced the most significant policy changes in 5 years, with the mandatory Privacy Manifest requirement (May 2024) affecting over 90% of iOS apps in production.

The first half of 2024 brought some of the most substantial App Store Review Guideline changes in recent years. From mandatory Privacy Manifest files to new AI content disclosure policies, these updates reflect Apple’s response to evolving technology and regulatory pressure, particularly from the EU’s Digital Markets Act. For Australian developers, understanding these changes isn’t just about avoiding rejections—70% of rejections in H2 2024 were related to missing Privacy Manifests, making this the #1 priority for App Store compliance.

Privacy Manifest Requirements: The Big One

The most impactful change in 2024 is the mandatory Privacy Manifest requirement that went into effect in May. This isn’t optional anymore, and it’s catching a lot of developers off guard during review.

What Changed: As of May 1, 2024, apps and third-party SDKs must include a privacy manifest file (PrivacyInfo.xcprivacy) that declares all required reasons APIs being used. Apple has identified specific APIs that require justification—things like file timestamp access, system boot time, active keyboard APIs, and user defaults APIs.

Why This Matters: Previously, you could use these APIs without explicit declaration. Now, if your app or any SDK you’re using accesses these APIs without a declared reason, you’ll get rejected. I’ve seen apps that passed review in March get rejected in June for the exact same codebase because they didn’t add privacy manifests.

Implementation in Practice: Create a PrivacyInfo.xcprivacy file in your Xcode project. For each required reasons API you use, you need to declare both the API type and the specific reason. For example, if you’re accessing file timestamps for caching, you’d declare:

<key>NSPrivacyAccessedAPITypes</key>
<array>
    <dict>
        <key>NSPrivacyAccessedAPIType</key>
        <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
        <key>NSPrivacyAccessedAPITypeReasons</key>
        <array>
            <string>C617.1</string>
        </array>
    </dict>
</array>

The SDK Problem: Here’s where it gets tricky—you’re responsible for SDKs too. If you’re using Firebase, Facebook SDK, or any analytics library, check if they’ve updated with privacy manifests. Many popular SDKs released compliant versions between February and April 2024. Make sure you’re on the latest versions.

Australian Context: While Australia doesn’t have GDPR-equivalent enforcement yet, the Privacy Act review is ongoing. Building these privacy declarations now puts you ahead of likely future requirements from the OAIC.

Third-Party SDK Signature Requirements

Third-Party SDK Signature Requirements Infographic

Alongside privacy manifests, Apple now requires SDK signatures for commonly used third-party frameworks. This went live in phases starting March 2024.

What’s Required: SDKs distributed as binary frameworks must now be signed with a signature that Apple can verify. This applies to SDKs that appear on Apple’s list of commonly used frameworks—currently about 150 SDKs including Firebase, Facebook, Google Analytics, and most major advertising SDKs.

Impact on Your Workflow: If you’re using CocoaPods or Swift Package Manager, you need to ensure you’re pulling signed versions. For SPM, this is mostly transparent if you’re using SDK versions released after March 2024. For CocoaPods, you may need to update your Podfile to use newer versions.

The Rejection Pattern: Apps submitted after June 13, 2024 must comply with signature requirements. We’ve seen rejections with the message “ITMS-90853: Invalid SDK Signature” when using older SDK versions.

Accep

table Use of AI and Machine Learning

With the explosion of AI features, Apple introduced new guidelines specifically addressing AI and ML implementations in June 2024. This is particularly relevant given the ChatGPT integration announcements at WWDC 2024.

Core Requirements: Apps using AI-generated content or features must clearly disclose AI use to users. If your app generates text, images, or other content using AI models, you need explicit labeling that indicates the content is AI-generated.

Content Moderation: You’re responsible for AI-generated content. If your app uses a large language model to generate responses, you need content filtering in place. Apple is rejecting apps where AI can generate inappropriate content, even if it’s rare or edge-case.

Implementation Example: For an app using GPT-4 API for content generation:

// Required: Clear disclosure
Text("Response generated by AI")
    .font(.caption)
    .foregroundColor(.secondary)

// Required: Content filtering
func generateAIResponse(prompt: String) async throws -> String {
    let response = try await openAI.chat(messages: [
        ChatMessage(role: .user, content: prompt)
    ])

    // Apple expects moderation
    guard try await moderationCheck(response.content) else {
        throw AIError.inappropriateContent
    }

    return response.content
}

The Gray Area: Apple’s guidelines on training data are intentionally vague. They require that AI models not be trained on user data without explicit consent, but they don’t specify technical requirements for model hosting or data handling. Expect this to evolve.

Al

ternative Payment Processing Updates

While most of the Digital Markets Act (DMA) changes apply to the EU, there are spillover effects for Australian developers to understand.

Guideline 3.1.3 Changes: Apple updated payment processing rules to allow alternative payment methods in specific circumstances, particularly for reader apps and EU apps. For Australian developers, the key change is clearer documentation about when you can and cannot use external purchase links.

What’s Still Not Allowed: Don’t try to link to external payment in Australia. I’m seeing apps get rejected for subtle payment redirects—even just mentioning that users can “visit our website for more options” in a way that suggests purchasing can trigger rejection under 3.1.1.

What You Can Do: The changes make it clearer that reader apps (news, books, audio, video) can include account signup links for web-based subscriptions, as long as you’re not selling digital goods consumed in-app.

Spam and Copycats: Stricter Enforcement

Apple’s cracking down harder on template apps and minimal functionality apps. We’ve seen a significant uptick in 4.3 spam rejections in 2024.

What’s Triggering Rejections:

  • Apps built from common templates without significant differentiation
  • Multiple apps from the same developer with similar functionality
  • Apps with minimal functionality that could be a website
  • “Wrapper” apps around web content without native features

The Test: Ask yourself, “Does this app provide enough unique value that it needs to be a native app?” If you’re primarily showing web content in a WKWebView, you’re at risk.

How to Avoid This: Add meaningful native functionality. Real-world example: a restaurant app that’s just a menu wrapper will likely get rejected. Add native features like Apple Pay integration, push notifications for orders, offline caching, or native table booking and you’re much safer.

Data Collection and Permission Prompts

Building on the privacy manifest requirements, Apple updated guidelines around permission prompts and data collection transparency in 2024.

What Changed: Guideline 5.1.1 now explicitly requires that permission requests include clear explanations before the system prompt appears. You can’t just trigger the location permission prompt without context anymore.

The Pattern Apple Wants:

// Show custom pre-prompt first
struct LocationPermissionView: View {
    @State private var showingSystemPrompt = false

    var body: some View {
        VStack(spacing: 20) {
            Image(systemName: "location.circle.fill")

            Text("Find Nearby Cafes")
                .font(.headline)

            Text("We use your location to show cafes near you. Your location is never stored or shared.")
                .multilineTextAlignment(.center)

            Button("Enable Location") {
                showingSystemPrompt = true
            }
        }
        .onChange(of: showingSystemPrompt) { shouldRequest in
            if shouldRequest {
                locationManager.requestPermission()
            }
        }
    }
}

Australian Privacy Act Alignment: This actually aligns well with Australian Privacy Principles (APPs) around transparency and consent. If you’re building for both markets, implementing Apple’s requirements covers most APP compliance needs.

Common Rejection Patterns in 2024

Based on app reviews from January to July 2024, here are the most common rejection reasons and how to avoid them:

1. Missing Privacy Manifest (70% of new rejections)

  • Solution: Add PrivacyInfo.xcprivacy before submission, even if you think you don’t need it
  • Check every SDK you’re using—Firebase, Analytics, Crashlytics all need updated versions

2. Insufficient AI Content Moderation (New in June 2024)

  • Solution: Implement content filtering for all AI-generated content
  • Add clear “AI-generated” labels to outputs
  • Document your moderation approach in review notes

3. Guideline 4.3 Spam (Increased enforcement)

  • Solution: Add substantial native functionality beyond web content
  • Differentiate from template apps with unique features
  • If you have multiple apps, ensure each serves a distinct purpose

4. In-App Purchase Violations (3.1.1)

  • Solution: Review all purchase flows—even subscriptions created on web need IAP for in-app consumption
  • Remove any external payment links or suggestions
  • Be careful with “Learn More” links that could be construed as payment workarounds

5. Permission Context Missing

  • Solution: Add pre-prompt explanations before requesting permissions
  • Use purpose strings that match your actual use case
  • Don’t request permissions you don’t immediately need

Strategies for Faster App Review

Getting through review faster in 2024 requires being proactive about these changes:

Pre-Submission Checklist:

  1. Privacy manifest file present and accurate
  2. All SDKs updated to versions with signatures (post-March 2024 releases)
  3. AI features have clear labeling and moderation
  4. Permission requests have contextual pre-prompts
  5. No external payment links or suggestions
  6. Meaningful native functionality beyond web content

Use App Review Notes: The notes field is your friend. If you’re using AI features, explain your moderation approach. If you have a complex permission flow, walk them through it. If your app looks similar to a previous submission, explain the differentiation.

Leverage TestFlight: Submit to TestFlight first to validate your privacy manifest and SDK signatures are correct. While TestFlight review is lighter, it catches technical compliance issues.

Timing Matters: Submit Monday-Wednesday for fastest reviews. Avoid Friday submissions unless you’re okay with potentially waiting until Monday for review to start. We’ve seen average review times of 24-48 hours for compliant apps in July 2024, but Friday submissions often take 4+ days.

What’s Coming: Second Half 2024 Outlook

Based on WWDC 2024 announcements and current trends, expect additional guideline updates around:

iOS 18 Features: New guidelines for widgets, lock screen customization, and Control Center integrations are likely. The expanded customization options will need guardrails.

visionOS Guidelines: As Apple Vision Pro expands internationally (Australia launch expected early 2025), expect more detailed visionOS-specific guidelines beyond the current 3D app requirements.

AI Integration Standards: The June 2024 AI guidelines are just the start. With ChatGPT integration in iOS 18, expect more detailed requirements around AI disclosure, model hosting, and data handling.

Payment Processing Evolution: While DMA is EU-specific, regulatory pressure is building globally. The Australian ACCC has Apple in its sights. Don’t be surprised by further payment policy changes in late 2024.

Building for Compliance

The 2024 guideline changes represent a clear direction: Apple wants more transparency, more privacy control, and more native value. For Australian developers, this means:

Privacy First: Implement privacy manifests thoroughly. Don’t try to minimize or hide data collection. The Privacy Act review is coming, and apps built with these principles will be ahead.

Native Value: If your app can be a website, make it a website. Native apps need native features that justify the platform.

AI Responsibility: If you’re adding AI features, build moderation and disclosure from day one. Don’t treat it as an afterthought.

Stay Updated: Subscribe to Apple Developer News and review the guidelines quarterly. The pace of change in 2024 has been faster than previous years.

“Apps that get through review fastest in 2024 aren’t trying to game the system—they’re embracing privacy transparency and native functionality as product features, not compliance burdens.”

Frequently Asked Questions: 2024 App Store Changes

What is the Privacy Manifest requirement for iOS apps?

As of May 1, 2024, all iOS apps must include a PrivacyInfo.xcprivacy file declaring use of Required Reasons APIs (file timestamps, system boot time, user defaults, disk space). Apps without Privacy Manifests receive automatic rejections. This applies to both your app and all third-party SDKs.

Do I need Privacy Manifests for apps already on the App Store?

Yes. While existing apps weren’t immediately affected, any update submitted after May 2024 requires Privacy Manifest compliance. Apple recommends adding Privacy Manifests to all active apps, even if not planning updates, to avoid urgent compliance work later.

Which third-party SDKs require signature verification?

Apple maintains a list of approximately 150 commonly-used SDKs requiring signatures, including Firebase, Facebook SDK, Google Analytics, and most advertising SDKs. SDKs distributed as binary frameworks must be signed with verifiable signatures as of June 13, 2024.

How do I add AI content disclosure to my iOS app?

Apps generating content with AI must display clear labeling indicating “AI-generated content” or similar disclosure. Implement content filtering to prevent inappropriate outputs, and document your moderation approach in App Review notes. This requirement began in June 2024.

Are Australia-specific regulations affecting App Store guidelines?

While most 2024 changes stem from EU regulations (Digital Markets Act), they apply globally. Australian developers should note that Privacy Act reforms are progressing, and Apple’s privacy requirements align well with anticipated Australian regulations.

What’s the fastest way to update my app for 2024 compliance?

Priority order: 1) Add Privacy Manifest file (PrivacyInfo.xcprivacy), 2) Update all SDKs to post-March 2024 signed versions, 3) Add pre-prompt explanations before permission requests, 4) Implement AI content labeling if applicable, 5) Verify no external payment links exist.

Last updated: July 2024 Guidelines current as of iOS 17.5 / App Store Connect July 2024

Infographic

App Store Review Process

Building your next app? Let’s discuss your architecture and App Store strategy.