Age gate present for restricted content
Why it matters
Age gates that present an 'Are you 21?' Yes/No dialog are trivially bypassed by any child with a tap. Platform review treats them as no verification at all: Apple requires a 17+ rating for alcohol and gambling apps, expects real age verification rather than a confirmation dialog, and requires gambling apps to be geo-restricted to the jurisdictions where they are licensed. COPPA §312.5 requires verifiable parental consent before personal information is collected from children under 13, and CCPA §1798.120(c) requires opt-in (parental authorization for under-13s) before the personal information of consumers under 16 is sold. A client-side yes/no check establishes neither the user's age nor any consent, so it satisfies neither statute. A gambling feature shipped with a 12+ rating and no age gate will be rejected by Apple and may lead to removal from Google Play.
Severity rationale
Medium: a trivially bypassable age gate gives minors no real protection from restricted content and fails platform review, but there is no remote attacker and no data exposure. The gate is defeated only when a user of the app chooses to answer it falsely.
Remediation
Replace yes/no age confirmation dialogs with a date-of-birth entry validated server-side (a birth year alone is the minimum, but note that it cannot distinguish a 20-year-old from a 21-year-old until the birthday has passed). Store the verified date of birth, or at least the verified status, server-side and gate every restricted content request against the stored value. Client-side checks alone are not sufficient, because the client can set whatever flag it likes:
// API route: verify-age.ts (assumes an authenticated userId and a db.users table)
const { dateOfBirth } = req.body;                 // ISO YYYY-MM-DD from a date-of-birth picker
const dob = new Date(dateOfBirth);
if (Number.isNaN(dob.getTime())) return res.status(400).json({ error: 'Invalid date of birth' });
const now = new Date();
let age = now.getUTCFullYear() - dob.getUTCFullYear();
// Subtracting years alone overstates age by up to a year; correct if this year's birthday has not yet passed
if (now.getUTCMonth() < dob.getUTCMonth() || (now.getUTCMonth() === dob.getUTCMonth() && now.getUTCDate() < dob.getUTCDate())) age -= 1;
if (age < 21) return res.status(403).json({ error: 'Age restriction' });
await db.users.update({ where: { id: userId }, data: { dateOfBirth: dob, ageVerified: true } });
For gambling apps, implement geographic restrictions in addition to age verification: block jurisdictions where gambling is illegal or unlicensed at the API layer, not just in the UI, and determine the requester's location server-side (IP geolocation, billing address) rather than from a country code the client sends. Note also that the age threshold itself is jurisdiction-dependent (21 in the US, 18 in much of Europe), which is a further reason to store the date of birth and evaluate it against the requester's jurisdiction on each request rather than storing a single pass/fail flag. Set the rating to 17+ for any app with gambling or alcohol purchasing features.
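The following is an added example, not code from the original page or from the project it describes. It puts the remediation above together in one self-contained TypeScript module: a strict date-of-birth parser, an age calculation that handles the not-yet-had-a-birthday and 29 February cases, a verify-age handler with per-jurisdiction thresholds, a gambling geo-block, and a request gate that consults only the server-side record. The in-memory users map, the threshold table, the country codes (including the hypothetical blocked country XX) and the request shape are assumptions standing in for a real database, a real legal review and a real web framework.

```typescript
// Added example (not the page's own code). The `users` map, MIN_AGE_BY_COUNTRY,
// GAMBLING_BLOCKED and the request/result shapes are assumptions for illustration.

interface UserRecord { dateOfBirth: string; verifiedAt: string }
const users = new Map<string, UserRecord>();   // stands in for db.users

// Illustrative thresholds only: drinking and gambling ages differ by jurisdiction,
// so a single hard-coded 21 is wrong for most of the world.
const MIN_AGE_BY_COUNTRY: Record<string, number> = { US: 21, GB: 18, DE: 18 };
// Hypothetical country in which the app holds no gambling licence.
const GAMBLING_BLOCKED = new Set(['XX']);

interface Ymd { y: number; m: number; d: number }

// Strict YYYY-MM-DD parse that rejects impossible dates such as 2005-02-30.
function parseIsoDate(s: string): Ymd | null {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) return null;
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const t = new Date(Date.UTC(y, mo - 1, d));
  if (t.getUTCFullYear() !== y || t.getUTCMonth() !== mo - 1 || t.getUTCDate() !== d) return null;
  return { y, m: mo, d };
}

// Whole years between dob and today. Year subtraction alone overstates age by one
// before the birthday; a 29 February birthday counts on 1 March in non-leap years.
function ageOn(dobIso: string, todayIso: string): number | null {
  const dob = parseIsoDate(dobIso), today = parseIsoDate(todayIso);
  if (!dob || !today) return null;
  let age = today.y - dob.y;
  if (today.m < dob.m || (today.m === dob.m && today.d < dob.d)) age -= 1;
  return age;
}

interface Result { ok: boolean; status: number; error?: string }
const deny = (status: number, error: string): Result => ({ ok: false, status, error });

// Verification step. `country` must come from server-side IP geolocation or
// billing data, never from a field the client chooses.
function verifyAge(userId: string, body: unknown, country: string, todayIso: string): Result {
  const dob = (body as { dateOfBirth?: unknown } | null)?.dateOfBirth;
  if (typeof dob !== 'string') return deny(400, 'dateOfBirth required');
  const age = ageOn(dob, todayIso);
  if (age === null || age < 0 || age > 130) return deny(400, 'invalid dateOfBirth');
  const minAge = MIN_AGE_BY_COUNTRY[country];
  if (minAge === undefined) return deny(403, 'unsupported jurisdiction');
  if (age < minAge) return deny(403, 'Age restriction');
  users.set(userId, { dateOfBirth: dob, verifiedAt: todayIso });
  return { ok: true, status: 200 };
}

interface RestrictedRequest {
  userId: string;
  country: string;                     // server-resolved, as above
  category: 'alcohol' | 'gambling';
  headers: Record<string, string>;     // client-controlled; nothing in here is trusted
}

// Gate every restricted-content request on the stored record, re-evaluated against
// today's date and the requester's current jurisdiction.
function gateRestricted(req: RestrictedRequest, todayIso: string): Result {
  // req.headers['x-age-verified'] and any localStorage-derived flag are deliberately ignored.
  if (req.category === 'gambling' && GAMBLING_BLOCKED.has(req.country)) {
    return deny(451, 'Gambling unavailable in this jurisdiction');
  }
  const record = users.get(req.userId);
  if (!record) return deny(403, 'Age verification required');
  const age = ageOn(record.dateOfBirth, todayIso);
  const minAge = MIN_AGE_BY_COUNTRY[req.country];
  if (age === null || minAge === undefined || age < minAge) return deny(403, 'Age restriction');
  return { ok: true, status: 200 };
}

// Constructed walk-through: a user born 2005-12-31, checked on 2026-01-01 (age 20).
function demo(): number[] {
  const today = '2026-01-01';
  const spoof = { 'x-age-verified': 'true' };   // the client-side "I passed the gate" lie
  return [
    gateRestricted({ userId: 'u1', country: 'GB', category: 'alcohol', headers: spoof }, today).status, // 403: never verified
    verifyAge('u1', { dateOfBirth: '2005-12-31' }, 'US', today).status,                                  // 403: 20 < 21 in US
    verifyAge('u1', { dateOfBirth: '2005-12-31' }, 'GB', today).status,                                  // 200: 20 >= 18 in GB
    gateRestricted({ userId: 'u1', country: 'GB', category: 'alcohol', headers: {} }, today).status,    // 200
    gateRestricted({ userId: 'u1', country: 'US', category: 'alcohol', headers: spoof }, today).status, // 403: same user, US rule
    gateRestricted({ userId: 'u1', country: 'XX', category: 'gambling', headers: {} }, today).status,   // 451: geo-blocked
  ];
}
```

The first and fifth calls in demo() are the bypass the detection section below describes: the client asserts it has passed the gate, and the server answers from its own record instead. Storing the date of birth rather than a boolean is what lets the same user be admitted in GB and refused in the US without re-prompting.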
Detection
- ID: age-gate-restricted-content
- Severity: medium
- What to look for: Count all relevant instances and enumerate each. Look for age-restricted content in the app: alcohol purchases or content, cannabis/CBD products, gambling, adult content, tobacco, weapons, or other restricted categories. If any restricted category is present, look for an age gate implementation: a date-of-birth picker or birth-year input before restricted content is reachable; server-side verification of the declared age; a restriction that persists beyond a session (stored server-side, not just a localStorage flag). Common weak patterns: a modal asking "Are you 21?" with Yes/No buttons (trivially bypassed, rejected by platforms); a client-side-only age check (bypassed by disabling JS or manipulating state); an age gate at app launch but not on individual restricted content requests. For alcohol apps on iOS, Apple requires a 17+ rating and explicit age verification. For gambling apps, Apple requires a 17+ rating and geographic restriction enforcement. Check whether user profiles stored server-side carry a minAge or similar field.
- Pass criteria: Restricted content is gated behind a non-trivial age verification mechanism that is enforced at least in part server-side. At least one implementation must be verified. The gate cannot be bypassed by tapping "Yes" in a modal.
- Fail criteria: Restricted content present with no age gate; age gate is trivially bypassable (Yes/No modal); age gate is client-side only; app contains alcohol or gambling content without the appropriate age rating.
- Skip (N/A) when: App has no restricted content (no alcohol, gambling, adult content, cannabis, tobacco, or weapons).
- Detail on fail: "App sells alcohol but age gate is a simple 'Are you 21?' modal with Yes/No buttons — trivially bypassed and will not satisfy store requirements" or "Gambling feature detected with no age gate and app rated 12+ — gambling content requires 17+ rating and age verification"
- Remediation: Platform policies require real age verification for restricted content, not just a confirmation dialog.
  - Implement date-of-birth (at minimum birth-year) entry with server-side validation, not a simple yes/no dialog
  - Store the verified age server-side and gate all restricted content requests against it
  - For alcohol apps, display "Drink responsibly" messaging and set the rating to 17+
  - For gambling apps, implement geographic restrictions (block jurisdictions where gambling is illegal) in addition to age verification
  Review the configuration in the src/ or app/ directory for implementation patterns.
External references
- cwe · CWE-284 — Improper Access Control
- ccpa · §1798.120(c) — Minors under 16 require opt-in consent for sale of personal information
- coppa · §312.5 — Parental consent required for data collection from children under 13
- owasp:2021 · A01 — Broken Access Control
Taxons
History
- 2026-04-18·v1.0.0·Initial import from app-store-privacy-data·automated