[cyral]

I wouldn't be so sure. Ionic has a commercial product, AppFlow, which is their "update over http" solution. It allows for running arbitrary code without app approval, and they claim it is compliant. AirBNB and I'm sure plenty of other companies use "server driven UI" which is similar to this. Almost every app will also use feature flags in some way. Or could even just check if the account is "appreview@apple.com" and show different content, theres not a good way to prevent it.

[nybble41]

> Or could even just check if the account is "appreview@apple.com" and show different content, theres not a good way to prevent it.

One would hope they'd do their app testing with regular user accounts designed to blend in and not anything tied directly to Apple. Likewise for other well-known forms of obfuscation like changing behavior based on the system date so that it appears fine until the review period is over—though the app could simply refuse to work when the date doesn't match the server, if there is a server component, and that wouldn't be particularly suspicious.

The main deterrent to trying any of that, of course, is that it will get not just the offending app but the entire developer account banned. Those accounts aren't free. Moreover, uploading an identical or even substantially similar app under another account would be recognized immediately, so you'd have to start over from scratch.