App Store sweep finds code holes

A surge in "vibe-coding" AI coding apps prompted removals after Apple flagged apps that executed unreviewed code, and a pen test of 15 such apps reportedly found 69 vulnerabilities — six of them critical — as submissions to the App Store jumped 84% in a quarter. (x.com) (x.com) (theregister.com) (theverge.com)

A new class of artificial intelligence coding apps is colliding with Apple's App Store rules, and security researchers say many of the apps built with them are easy to break into. (cnet.com) These apps let people build software by typing plain-English prompts instead of writing code by hand.

Apple has blocked updates for Replit and Vibecode and removed the app Anything after citing Guideline 2.5.2, which says apps may not download, install, or execute code that changes features after review. (cnet.com) (macrumors.com) (9to5mac.com) Apple's own review guidelines say the App Store is meant to be a curated store where every app is reviewed for safety, security, and privacy before users download it. That model breaks down if an approved app can generate and run new code later, inside the app, without Apple seeing that code first. (developer.apple.com) (cnet.com)

The timing is tied to a flood of new submissions. Appfigures said developers sent 557,000 new apps to Apple's store in 2025, up 24 percent from 2024, and multiple reports said submissions then jumped another 84 percent in a single quarter as vibe-coding tools spread. (appfigures.com) (winbuzzer.com) (thenextweb.com) Developers told Business Insider and other outlets that March review waits stretched from the usual one to two days to as long as 7 to 30 days in some cases. Apple disputed the idea of a broad slowdown, saying 90 percent of submissions were still reviewed within 48 hours and that the average review time over the prior 12 weeks was 1.5 days. (winbuzzer.com) (mashable.com)

The security problem is separate from Apple's policy fight, but it points in the same direction. A December 2025 test of 15 apps built with five popular artificial intelligence coding tools found 69 vulnerabilities, including six rated critical, with protections such as cross-site request forgery defenses and security headers missing across the sample. (tools.pinusx.com) Researchers have also found real-world examples of damage. In February, The Register reported that a Lovable-hosted app exposed data from 18,697 users after a researcher found 16 vulnerabilities, six of them critical, including broken access controls that let unauthenticated users reach records they should not have been able to see. (theregister.com)

Apple is not banning artificial intelligence from software development altogether. The company's rules and recent enforcement focus on where the code runs and whether an approved iPhone app can change its own behavior after review, while Apple is also adding artificial intelligence coding features to Xcode, its own developer tool. (developer.apple.com) (winbuzzer.com) (theverge.com) That leaves developers with a narrower path: use artificial intelligence to help write software, but ship fixed code that Apple can inspect, or move the experience to the web instead of the App Store. Apple's rules already say that if the App Store is not the right fit for an app idea, "there is always the open Internet." (developer.apple.com)
