Apple Pushes Back on Vibe Coding Apps Over Guideline 2.5.2 — and the Category Has to Split Around It
Apple just confirmed what the vibe-coding ecosystem has been dreading for weeks: the App Store crackdown on apps that download and execute new code dynamically is real, it's systematic, and it has a specific rule behind it. Guideline 2.5.2 — the requirement that apps be self-contained and not deliver reviewed code inside their own container — is now the wall that Replit, Vibecode, and Anything have run into. The CNET reporting, citing The Information's original coverage, makes the distinction Apple wants to draw clear: this is not a war on vibe-coding apps as a category. It is enforcement of a rule that says the runtime for generated code cannot live inside the app itself.
The practical effect looks like a category split. Apps that function as prompt collectors and handoff engines — where the actual code generation happens on a server or in a browser, not inside the app's container — appear to be getting through. Lovable's mobile app, which launched with previews running in a web browser rather than inside the Lovable container, is the evidence. Apps that tried to be a prompt collector and a code executor in one package, with the runtime living inside the App Store-reviewed container, are getting blocked or pulled. That distinction matters enormously for how the vibe-coding industry will need to restructure its mobile products going forward. The category has to split into a front-end (prompting, review, iteration) and a back-end (code generation and execution), with the handoff happening through an external browser or server layer rather than in-process.
Apple's framing is predictably focused on user safety. The company says it is protecting users from unreviewed software delivered dynamically — code that gets generated after the App Store review happens, changes the app's behavior after review, or introduces features the review team never saw. That is a legitimate concern on its own terms. App Store review is Apple's quality and safety signal. If an app can download new capabilities after review, the review is functionally meaningless for those capabilities. The user who downloaded a reviewed app and then got a different app after the review is not getting what they consented to. Apple's position is internally consistent even if it is inconvenient for the vibe-coding category.
The complication is that Apple's review process is also its commission collection mechanism. When an app delivers value through in-app purchases, subscriptions, or transactions, Apple takes a cut — typically 15 to 30 percent depending on developer status and revenue tier. A vibe-coding app that generates a functional web app and hands it off to a browser is, from Apple's financial perspective, potentially bypassing the in-app payment infrastructure that justifies the commission. The business-model overlap with the policy justification is not subtle. Apple can simultaneously be enforcing Guideline 2.5.2 for legitimate security reasons and for business-model reasons, and the two reinforce each other in a way that makes it impossible to disentangle which is driving the enforcement. This is not a new pattern in platform policy. It is the same dynamic that has played out every time a new category of software challenged the economics of an existing platform store.
For developers caught in the enforcement wave, the review delays are the most immediately painful symptom. The historical baseline for App Store review was 24 to 48 hours for most submissions. The new reality is 7 to 30 days, which is functionally a launch freeze for teams that depend on rapid iteration cycles. Anything was pulled entirely in late March. Replit and Vibecode updates are blocked. These are not minor players with no recourse — Replit alone did $240 million in revenue in 2025 and has a substantial enterprise user base. Vibecode is a meaningful player in the no-code-to-code translation space. When apps at that scale are getting caught in the enforcement net, it signals that the rule has teeth and the exemptions are not being handed out to any app that asks.
The developer community reaction has been predictably divided along familiar lines. One camp sees Apple's enforcement as reasonable gatekeeping: the App Store is a curated marketplace, not a code execution playground, and dynamic code delivery without review is a legitimate red line even if it is inconvenient. The other camp sees it as a platform using policy to protect its commission stream from a category of apps that found a way to deliver meaningful value without routing transactions through Apple's payment infrastructure. Both interpretations are probably simultaneously true, which is the nature of platform policy enforcement at this scale. The people enforcing the rule benefit from the rule being enforced, regardless of their stated motivations.
What the entire episode reveals is that vibe coding emerged outside the architecture assumptions that existing app stores were built around. The App Store was designed for developers who ship pre-built binaries — code that is written, reviewed, and delivered as a fixed artifact. Vibe coding assumes a different model: developers, or their AI agents, generate code continuously and users interact with the output in real time. Those two models do not fit comfortably inside the same review framework without either changing the review model or changing the generation model. Apple has chosen the latter. The question now is whether the vibe-coding industry can build compliant mobile products that don't feel like they are held together with rubber bands and prayer.
The path Lovable took — keep the app as a prompt and review surface, push execution to an external browser — is probably the template the rest of the category will follow, at least for iOS. It is not a clean solution. It introduces friction at exactly the moment when the user experience should be seamless. But it is a solution that Apple has accepted, which means it is a solution that can ship. In platform economics, that trumps elegance every time.
Sources: CNET, The Information