Thousands of apps on the App Store might be living on borrowed time. In November 2025, Apple closed a significant loophole in guideline 4.7 that some developers had been exploiting to bypass standard app review processes. What was once a gray area is now black and white: HTML5 and JavaScript mini apps and mini games now fall under full App Store oversight. If you're hosting mini apps in your platform, the rules just changed dramatically—and the clock is ticking on compliance.
What Changed
Apple has removed all ambiguity around dynamically loaded content. Previously, developers argued that lightweight HTML5 experiences were essentially web content and exempt from full app review. That interpretation is now eliminated. The update impacts three critical areas:
1. Mini Apps Must Follow All Guidelines
Every mini app or mini game, regardless of how it's built or delivered, must comply with the same guidelines as native applications. This includes requirements for content, privacy, payments, performance, and legal compliance. You cannot treat HTML5 experiences as simple web content that escapes review standards.
2. Native API Exposure Requires Permission
Guideline 4.7.2 now explicitly prohibits apps from extending or exposing native platform APIs to non-embedded software without prior Apple approval. This means you cannot create bridges, wrappers, or custom frameworks that give HTML5 or JavaScript content access to iOS native capabilities like camera access, push notifications, file system operations, contacts, location services, or other native features. Apps must use WebKit and JavaScript Core exclusively, limiting mini apps to the same web capabilities available in Safari.
3. Age Rating and Content Restrictions Mandatory
Guideline 4.7.5 requires apps hosting mini apps to provide ways for users to identify content exceeding the app's age rating and implement age restriction mechanisms based on verified or declared age to prevent underage access to inappropriate content.
Who Is Affected
Several categories of applications are impacted:
- Super apps that host multiple mini apps or services within a single container (like WeChat and Alipay models)
- Gaming platforms offering HTML5 or JavaScript-based casual games that load dynamically
- Productivity platforms allowing third-party developers to build tools using web technologies
- Content aggregators hosting HTML5-based interactive experiences or educational content
- Browser-based app builders and "vibecoding" tools that let users create lightweight JavaScript experiences
Technical Requirements in Detail
WebKit and JavaScript Core Only
You must use the standard WebKit framework and JavaScript Core to run third-party software. Custom JavaScript engines (V8, Hermes), alternative rendering engines, or modified WebKit versions are prohibited. You cannot create native wrappers that intercept web API calls or implement custom protocols giving HTML5 content access beyond Safari's capabilities.
No Native API Exposure Without Permission
The prohibition applies unless you receive explicit Apple approval. You cannot create JavaScript bridges exposing iOS frameworks, implement plugins giving mini apps access to device features, build wrapper APIs translating between web and native calls, or use WKWebView message handlers to create custom API surfaces. Standard web APIs in Safari define the boundary—anything beyond requires Apple's permission.
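One way to inventory the bridge surfaces described above before a submission, as an added example that is not from Apple or the original post: it scans host Swift sources for `WKUserContentController` handler registrations and mini app JavaScript for `webkit.messageHandlers` call sites, then marks each name against a list of handlers you have recorded as approved. The file paths, handler names and the approved list are constructed for illustration.

```javascript
// Added example: inventory WKWebView script-message bridge surfaces for review.
// Swift: controller.add(self, name: "x") and addScriptMessageHandler(..., name: "x").
// A loose match on ".add(... name:" can over-report; that is acceptable for an audit.
const NATIVE_REGISTRATION = /\.add(?:ScriptMessageHandler)?\(\s*[^)]*?name:\s*"([^"]+)"/g;
// JS: webkit.messageHandlers.x or webkit.messageHandlers["x"].
const JS_CALL_SITE = /webkit\.messageHandlers(?:\.([A-Za-z_$][\w$]*)|\[\s*['"]([^'"]+)['"]\s*\])/g;

// files: { path: sourceText }. approved: handler names covered by an approval
// you hold (hypothetical list maintained by your team).
function findBridgeSurfaces(files, approved = []) {
  const allowed = new Set(approved);
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    const isSwift = path.endsWith(".swift");
    const kind = isSwift ? "native-registration" : "js-call-site";
    const pattern = isSwift ? NATIVE_REGISTRATION : JS_CALL_SITE;
    source.split("\n").forEach((text, index) => {
      for (const match of text.matchAll(pattern)) {
        const handler = match[1] || match[2];
        findings.push({ path, line: index + 1, kind, handler, approved: allowed.has(handler) });
      }
    });
  }
  return findings;
}

// Constructed sample input, not taken from any real project.
const SAMPLE = {
  "Host/MiniAppContainer.swift": [
    "let controller = WKUserContentController()",
    'controller.add(self, name: "analytics")',
    'controller.add(self, contentWorld: .page, name: "contacts")',
  ].join("\n"),
  "miniapps/puzzle/main.js": [
    'window.webkit.messageHandlers.contacts.postMessage({ op: "list" });',
    'window.webkit.messageHandlers["analytics"].postMessage({ event: "start" });',
    'navigator.share({ title: "score" }); // standard web API, not a bridge',
  ].join("\n"),
};

// Print every surface that is not covered by a recorded approval.
console.log(findBridgeSurfaces(SAMPLE, ["analytics"]).filter((f) => !f.approved));
```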
Content Manifest Required
Guideline 4.7.4 requires providing an index of all software and metadata in your app, including a complete list of mini apps, metadata (title, description, developer info, age rating), universal links for direct access, version information, and content categories. Apple uses this manifest during review to verify compliance.
Privacy Compliance
Each mini app must disclose data collection practices and obtain explicit user consent. Mini apps cannot share data or privacy permissions without consent in each instance. If sharing data with third-party services including AI, you must obtain explicit permission per guideline 5.1.2(i). Users need clear disclosure and control mechanisms.
Age Rating Systems
Your app must provide ways to identify mini apps exceeding your app's age rating, implement age restriction mechanisms, and prevent underage access. Implementation approaches include collecting and verifying age during registration, rating each mini app with age classification, implementing age gates blocking inappropriate content, and providing parental controls.
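The content manifest and age rating requirements above can be enforced by the same check at load time. This is an added example, not code from Apple or the original post: the manifest schema, field names, `id` values and "N+" rating strings are assumptions, and the gate fails closed when a rating is missing or the user's age is unknown.

```javascript
// Added example: hypothetical manifest schema; field names are assumptions
// modelled on the metadata the article lists for guideline 4.7.4.
const REQUIRED = ["title", "description", "developer", "ageRating",
                  "universalLink", "version", "categories"];

// Parse a rating such as "13+" into a minimum age; null if missing or malformed.
function minAge(rating) {
  const m = /^(\d{1,2})\+$/.exec(String(rating ?? ""));
  return m ? Number(m[1]) : null;
}

function missingFields(entry) {
  return REQUIRED.filter((field) => {
    const v = entry[field];
    return v == null || v === "" || (Array.isArray(v) && v.length === 0);
  });
}

// Returns one decision per mini app. Fail closed: an incomplete entry or an
// unparseable rating is never allowed; with no known age, only mini apps at
// or below the host app's own rating are shown.
function gateMiniApps(manifest, hostRating, user) {
  const hostMin = minAge(hostRating);
  const age = Number.isInteger(user?.age) ? user.age : null;
  return manifest.map((entry) => {
    const missing = missingFields(entry);
    const min = minAge(entry.ageRating);
    const exceedsHost = min === null || hostMin === null || min > hostMin;
    const ageOk = age !== null ? min !== null && age >= min : !exceedsHost;
    return { id: entry.id, missing, exceedsHost, allowed: missing.length === 0 && ageOk };
  });
}

// Constructed sample manifest; every value is illustrative.
const base = { description: "demo", developer: "Example Dev", version: "1.0.0",
               categories: ["games"] };
const SAMPLE_MANIFEST = [
  { ...base, id: "puzzle", title: "Puzzle", ageRating: "4+",
    universalLink: "https://host.example/m/puzzle" },
  { ...base, id: "casino", title: "Casino", ageRating: "18+",
    universalLink: "https://host.example/m/casino" },
  { ...base, id: "notes", title: "Notes",
    universalLink: "https://host.example/m/notes" }, // ageRating omitted
];

console.log(gateMiniApps(SAMPLE_MANIFEST, "13+", { age: 15 }));
```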
Getting Permission for Native APIs
If your core functionality requires exposing native APIs, you must request explicit Apple permission before implementation.
Conclusion
Apple's November 2025 update makes clear that HTML5 and JavaScript mini apps face full App Store guidelines, cannot expose native platform APIs without permission, and must implement age rating systems.
Top comments (1)
Use standard WebKit framework and JavaScript Core to run third-party software. Custom JavaScript engines (V8, Hermes), alternative rendering engines, or modified WebKit versions are prohibited.