AI wrapper scrutiny — AI-powered apps with minimal native value may face rejection
Why it matters
Apple issued explicit guidance in 2023–2024 that apps must provide lasting value beyond a thin AI API wrapper. An app consisting of a text input, an LLM API call, and a text output display — with no system prompt specialization, no caching, no offline capability, and no native device integration — is functionally equivalent to accessing the underlying model through a web browser. Both stores are actively scrutinizing AI apps under this lens. NIST AI RMF MAP-1.5 classifies thin-wrapper deployment as a governance gap because the developer has minimal insight into or control over the AI's behavior relative to the app's stated purpose.
Severity rationale
Informational because a thin wrapper is not an automatic rejection trigger, but it places the app under heightened review scrutiny and amplifies the impact of any other borderline finding — especially content moderation gaps in the AI pipeline.
Remediation
Add at least one of the following to distinguish the app from a web-equivalent AI interface before submission:
- Offline response caching: Store recent AI responses in SQLite or AsyncStorage so the app is useful without a network connection
- Native device integration: Feed camera input, voice, calendar events, or HealthKit data into the AI prompt to provide context a web interface cannot
- Personalized memory: Persist user preferences, prior session context, or domain-specific settings that shape AI behavior over time
- Structured multi-step workflow: Replace the open-ended chat interface with a guided flow that breaks a complex task into discrete native steps
```typescript
// src/config/ai.ts — minimal domain specialization
const SYSTEM_PROMPT = `You are a [specific domain] expert assistant.
Context: The user is [specific persona/use case].
Scope: Answer only questions about [narrow domain]. Decline off-topic requests.`;
```
Domain-specific system prompts are table stakes — a generic GPT wrapper with no prompt engineering provides no value a user cannot get from ChatGPT.com directly.
Detection
- ID: `ai-wrapper-scrutiny`
- Severity: `info`
- What to look for: Count all relevant instances and enumerate each. If AI integration is detected, assess whether the app's primary value is thin API wrapping around a foundation model with no significant native functionality added: (1) Does the app consist primarily of a text input, an AI API call, and a text output display? (2) Is there any caching, offline capability, personalization, structured workflow, or domain-specific prompting that adds value beyond the raw API? (3) Does the app use a generic GPT/Claude/Gemini API call with no system prompt specialization, or does it have a thoughtfully crafted domain-specific prompt? (4) Are there any native device integrations (camera, voice, health, calendar) that justify the app being native rather than a website? Apple has issued guidance (2023-2024) that apps must provide lasting value beyond a thin AI API wrapper. Both stores scrutinize AI-powered apps more heavily. This is informational — a thin wrapper is not an automatic rejection but significantly increases review scrutiny. Skip this check if the app has substantial native functionality beyond the AI integration.
- Pass criteria: App has substantial native functionality beyond the AI integration (native device integrations, significant offline capability, complex structured workflow, meaningful personalization). At least 1 implementation must be verified. Or the AI integration is a secondary feature, not the entire app. Result is `pass` or `skip` only — never `fail`.
- Fail criteria: Not applicable — this is an informational check. Result is `pass` or `skip` only.
- Skip (N/A) when: No AI or LLM integration detected. Or the app clearly has substantial native value that is not dependent on AI (AI is a secondary feature).
- Detail on fail: Not applicable — result is `pass` or `skip` only.
- Remediation: If the app's primary value is AI-powered, add at least one of: offline caching of responses, personalized memory of user preferences, native device integration (camera input, voice, calendar access), a structured multi-step workflow, or a community layer (shared AI results, collaborative features). These additions make the app clearly native rather than a web-equivalent.

Review the configuration in the `src/` or `app/` directory for implementation patterns.
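The questions under "What to look for" can be approximated with a static scan of the source tree. The TypeScript below is an added example, not part of the original check or of either store's tooling; the signal patterns, the `checkAiWrapper` function and the `thinWrapper` flag are assumptions, and it maps "no AI detected" to `skip` and every other case to `pass` with an informational flag.

```typescript
// Added example: the signal patterns are illustrative assumptions, not an official list.
type CheckResult = "pass" | "skip"; // informational check: never "fail"
interface WrapperFinding {
  result: CheckResult;
  thinWrapper: boolean; // true => expect heightened review scrutiny
  evidence: string[];   // each instance enumerated as "file: signal"
}
type Signal = [string, RegExp];

// Imports or endpoints that indicate an LLM integration.
const AI_SIGNALS: Signal[] = [
  ["llm-sdk", /from\s+["'](openai|@anthropic-ai\/sdk|@google\/generative-ai)["']/],
  ["llm-http", /\/v1\/(chat\/completions|messages)\b/],
];
// Signals of value beyond the raw API call. Presence only: whether a system
// prompt is genuinely domain-specific still needs a human reviewer.
const VALUE_SIGNALS: Signal[] = [
  ["offline-cache", /AsyncStorage|expo-sqlite/],
  ["native-device", /expo-camera|expo-calendar|react-native-health/],
  ["system-prompt", /role:\s*["']system["']|SYSTEM_PROMPT/],
];

function scanSignals(files: Record<string, string>, signals: Signal[]): string[] {
  const hits: string[] = [];
  for (const path of Object.keys(files)) {
    const text = files[path] ?? "";
    for (const [name, re] of signals) {
      if (re.test(text)) hits.push(`${path}: ${name}`);
    }
  }
  return hits;
}

function checkAiWrapper(files: Record<string, string>): WrapperFinding {
  const ai = scanSignals(files, AI_SIGNALS);
  // No AI or LLM integration detected: the check does not apply.
  if (ai.length === 0) return { result: "skip", thinWrapper: false, evidence: [] };
  const value = scanSignals(files, VALUE_SIGNALS);
  return { result: "pass", thinWrapper: value.length === 0, evidence: ai.concat(value) };
}

// Constructed sample trees (file path -> contents), not taken from any real app.
const thinApp: Record<string, string> = {
  "src/Chat.tsx": 'import OpenAI from "openai";\nconst msgs = [{ role: "user", content: input }];',
};
const richApp: Record<string, string> = {
  "src/api.ts": 'import Anthropic from "@anthropic-ai/sdk";\nimport { SYSTEM_PROMPT } from "./config/ai";',
  "src/cache.ts": 'import AsyncStorage from "@react-native-async-storage/async-storage";',
};
console.log(checkAiWrapper(thinApp), checkAiWrapper(richApp));
```

A `thinWrapper: true` result is a prompt for manual review of the remediation list, not a verdict.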
External references
- external · apple-generative-ai-2024 — App Store Review Guidelines — Generative AI (2024 additions)
- owasp-llm:2025 · LLM02 — Insecure Output Handling
- nist-ai-rmf:1.0 · MAP-1.5 — NIST AI RMF — Organisational risk management for AI wrapper value chain
History
- 2026-04-18·v1.0.0·Initial import from app-store-policy-compliance·automated