Age gates that present an 'Are you 21?' Yes/No dialog are trivially bypassed by any child with a tap. Platform policies reject these as inadequate verification: Apple requires that alcohol, gambling, and adult content apps have a 17+ rating AND demonstrate real age verification. COPPA §312.5 and CCPA §1798.120(c) require that data collection from minors be gated on verifiable parental consent — a client-side yes/no check satisfies neither. A gambling feature with a 12+ rating and no age gate will be rejected by Apple and may trigger Play Store removal.
Medium because a trivially bypassable age gate does not protect minors from restricted content and fails platform review, but exploitation requires a child to actively use the app.
Replace yes/no age confirmation dialogs with a birth-year entry validated server-side. Store the verified age server-side and gate all restricted content requests against the stored value — client-side checks alone are not sufficient:
// API route: verify-age.ts (Express-style handler; `db` is a Prisma-style client assumed to be defined elsewhere)
import type { Request, Response } from 'express';
export async function verifyAge(req: Request, res: Response) {
  const birthYear = Number(req.body?.birthYear);              // do not trust the body's shape or type
  if (!Number.isInteger(birthYear)) return res.status(400).json({ error: 'Invalid birth year' });
  const age = new Date().getFullYear() - birthYear;           // year-only arithmetic is lenient by up to a year; a full date of birth is stricter
  if (age < 21) return res.status(403).json({ error: 'Age restriction' });
  await db.users.update({ where: { id: res.locals.userId }, data: { ageVerified: true } }); // userId comes from the authenticated session, never the body
  return res.status(200).json({ ageVerified: true });         // the client stores nothing authoritative
}
For gambling apps, implement geographic restrictions in addition to age verification — block jurisdictions where gambling is illegal at the API layer, not just the UI layer. Set the rating to 17+ for any app with gambling or alcohol purchasing features.
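The server-side gate described above, written out as an added example that is not part of the rule text: the verification step persists the result server-side, and every restricted-content request is then checked against that stored record and the request's jurisdiction, ignoring any flag the client sends. The names `users`, `BLOCKED_REGIONS`, `ageOn`, `verifyAge` and `gateRestrictedContent` are this example's own, and the in-memory map stands in for the users table.

```typescript
// Added example, not code from the rule text: server-side age and jurisdiction gate
// for a restricted-content endpoint. The store is an in-memory stand-in for the users table.
export interface UserRecord { id: string; birthDate?: string; ageVerifiedAt?: string }

// Constructed in-memory stand-in for the server-side users table.
export const users = new Map<string, UserRecord>();

// Jurisdictions the gambling feature must refuse at the API layer. The codes are
// ISO 3166 user-assigned placeholders, not real jurisdictions.
export const BLOCKED_REGIONS = new Set(['XA', 'ZZ']);

// Age on `today` from a full YYYY-MM-DD birth date. A year-only subtraction can
// overstate age by up to a year; comparing month and day closes that gap.
export function ageOn(birthDate: string, today: string): number {
  const b = new Date(birthDate + 'T00:00:00Z');
  const t = new Date(today + 'T00:00:00Z');
  const beforeBirthday =
    t.getUTCMonth() < b.getUTCMonth() ||
    (t.getUTCMonth() === b.getUTCMonth() && t.getUTCDate() < b.getUTCDate());
  return t.getUTCFullYear() - b.getUTCFullYear() - (beforeBirthday ? 1 : 0);
}

// Verification route: validates input, computes the age server-side and persists the
// result. Returns the HTTP status the route would send.
export function verifyAge(userId: string, birthDate: string, today: string, minAge = 21): number {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(birthDate) || Number.isNaN(Date.parse(birthDate))) return 400;
  if (ageOn(birthDate, today) < minAge) return 403;
  const existing = users.get(userId) ?? { id: userId };
  users.set(userId, { ...existing, birthDate, ageVerifiedAt: today });
  return 200;
}

// Gate applied to every restricted-content request, not only at app launch. The decision
// uses the stored record and the request's jurisdiction; `_clientClaims` (for instance a
// localStorage `ageVerified` flag echoed by the client) is in the signature only to show it is ignored.
export function gateRestrictedContent(
  userId: string, region: string, _clientClaims: Record<string, unknown> = {}): number {
  if (BLOCKED_REGIONS.has(region)) return 451; // refused at the API layer, not just the UI
  const user = users.get(userId);
  if (!user?.ageVerifiedAt) return 403;       // no server-side verification on record
  return 200;
}
```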
ID: app-store-privacy-data.children-sensitive.age-gate-restricted-content
Severity: medium
What to look for: Count all relevant instances and enumerate each. Look for age-restricted content in the app: alcohol purchases or content, cannabis/CBD products, gambling, adult content, tobacco, weapons, or other restricted categories. If any restricted category content is detected, look for an age gate implementation: a date-of-birth picker or birth year input before accessing restricted content; server-side verification of the declared age; a restriction that persists beyond a session (stored server-side, not just a localStorage flag). Common weak patterns: a modal asking "Are you 21?" with Yes/No buttons (trivially bypassed, rejected by platforms); a client-side-only age check (bypassed by disabling JS or manipulating state); an age gate at app launch but not on individual restricted content items. For alcohol apps on iOS, Apple requires a "17+" rating AND explicit age verification. For gambling apps, Apple requires a "17+" rating AND geographic restriction enforcement. Check whether the app has a minAge or similar field in user profiles stored server-side.
Pass criteria: Restricted content is gated behind a non-trivial age verification mechanism that is at least partially server-side enforced. At least 1 implementation must be verified. The gate cannot be trivially bypassed by tapping "Yes" in a modal.
Fail criteria: Restricted content present with no age gate; age gate is trivially bypassable (Yes/No modal); age gate is client-side only; app contains alcohol/gambling content without the appropriate age rating.
Skip (N/A) when: App has no restricted content (no alcohol, gambling, adult content, cannabis, tobacco, or weapons).
Detail on fail: "App sells alcohol but age gate is a simple 'Are you 21?' modal with Yes/No buttons — trivially bypassed and will not satisfy store requirements" or "Gambling feature detected with no age gate and app rated 12+ — gambling content requires 17+ rating and age verification"
Remediation: Platform policies require real age verification for restricted content, not just a confirmation dialog.
Review the configuration in src/ or app/ directory for implementation patterns.