App does not request all permissions immediately on first launch
Why it matters
Requesting camera, location, and notification permissions simultaneously on first launch is one of Apple's most-cited rejection reasons under guideline 5.1.1 (data collection and storage). Users who see a permission flood immediately deny everything, and reviewers interpret it as a sign the developer hasn't thought about why each permission is actually needed. More practically: a user who denies all permissions on first launch may never see the feature that needs them, making the permission useless. Contextual permission requests — asked at the moment the feature is first triggered — produce dramatically higher grant rates and clearer justification.
Severity rationale
Medium because permission floods are a documented rejection trigger under Apple guideline 5.1.1, though the app may still function if users deny.
Remediation
Move each permission request to the exact moment the user first triggers the feature that needs it — not in App.tsx on mount.
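```tsx
// src/screens/CameraScreen.tsx
import { Alert } from 'react-native';
import { Camera } from 'expo-camera';

// Called from the "Take Photo" button, so the OS prompt appears in context.
async function handleTakePhoto() {
  const { status } = await Camera.requestCameraPermissionsAsync();
  if (status !== 'granted') {
    Alert.alert('Camera access needed', 'Please enable camera access in Settings to take photos.');
    return;
  }
  // proceed with camera
}
```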
For notifications, add a pre-permission screen explaining the value ("Get alerts when your order ships") before calling requestPermissionsAsync(). Never fire multiple permission requests in parallel with Promise.all().
Detection
- ID: no-excessive-permissions-launch
- Severity: medium
- What to look for: Count all relevant instances and enumerate each. Check the app's onboarding flow and root component for permission requests fired on mount: PermissionsAndroid.request(), requestPermissionsAsync(), expo-location requestForegroundPermissionsAsync(), expo-camera requestCameraPermissionsAsync(), expo-notifications requestPermissionsAsync(), AVCaptureDevice.requestAccess() (iOS), UNUserNotificationCenter.requestAuthorization(). Count how many distinct permission requests appear in the first 3 seconds of app use. Look for patterns that fire multiple permission requests simultaneously (parallel async calls for camera, location, contacts, and notifications all before any user action).
- Pass criteria: The app requests each permission only at the moment it is first needed (contextual), not all at once on first launch. At least 1 implementation must be verified. If multiple permissions are needed, they are requested sequentially at relevant moments.
- Fail criteria: Two or more unrelated permissions requested within the first screen of the app (e.g., asking for camera AND location AND notifications before the user has done anything).
- Skip (N/A) when: App uses zero special permissions (no camera, location, notifications, contacts, etc.).
- Detail on fail: "App requests camera, location, and notification permissions simultaneously on first launch in App.tsx before any user interaction"
- Remediation: Requesting all permissions up front is a top reason for rejection on both platforms.
  - Move each permission request to the moment the user first triggers that feature:
    - Camera: request when user taps "Take Photo"
    - Location: request when user enables location-based feature
    - Notifications: request after user opts in to alerts, not on first launch
  - Add a pre-permission explanation screen that explains WHY the permission is needed before the OS dialog appears
  - Never request multiple permissions simultaneously using parallel async calls

  Review the configuration in the src/ or app/ directory for implementation patterns.
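As an added example (not part of the original page or of the audit tool it describes), this Node.js sketch applies the "What to look for" and fail criteria above as a static heuristic: it flags two or more distinct permission APIs inside a mount-time `useEffect` or inside a `Promise.all()`. The function names, rule labels and sample sources are assumptions constructed for illustration.

```javascript
// Added example: a heuristic check, not the audit tool's own code.
// API names come from the "What to look for" list above.
const PERMISSION_APIS = ['PermissionsAndroid.request', 'requestForegroundPermissionsAsync',
  'requestCameraPermissionsAsync', 'requestPermissionsAsync'];

// Distinct permission APIs called anywhere in `code`.
function permissionCalls(code) {
  return PERMISSION_APIS.filter((api) =>
    new RegExp(`(^|[^\\w$])${api.replace('.', '\\.')}\\s*\\(`).test(code));
}

// Argument text of every `callee(...)` call, found by matching parentheses.
function callBodies(source, callee) {
  const bodies = [];
  let from = 0;
  for (;;) {
    const start = source.indexOf(`${callee}(`, from);
    if (start === -1) return bodies;
    let i = start + callee.length; // index of the opening parenthesis
    let depth = 0;
    do {
      if (source[i] === '(') depth++;
      else if (source[i] === ')') depth--;
      i++;
    } while (depth > 0 && i < source.length);
    bodies.push(source.slice(start + callee.length + 1, i - 1));
    from = i;
  }
}

function auditLaunchPermissions(source) {
  const findings = [];
  for (const body of callBodies(source, 'useEffect')) {
    const apis = permissionCalls(body);
    // An empty dependency array means the effect runs once, on mount.
    if (/,\s*\[\s*\]\s*$/.test(body) && apis.length >= 2) findings.push({ rule: 'multiple-on-mount', apis });
  }
  for (const body of callBodies(source, 'Promise.all')) {
    const apis = permissionCalls(body);
    if (apis.length >= 2) findings.push({ rule: 'parallel-requests', apis });
  }
  return findings;
}

// Constructed sample inputs: a launch-time flood and a contextual request.
const FLOOD_APP = `useEffect(() => {
  Promise.all([Camera.requestCameraPermissionsAsync(),
    Location.requestForegroundPermissionsAsync(), Notifications.requestPermissionsAsync()]);
}, []);`;
const CONTEXTUAL_SCREEN = 'async function handleTakePhoto() { await Camera.requestCameraPermissionsAsync(); }';
console.log(auditLaunchPermissions(FLOOD_APP), auditLaunchPermissions(CONTEXTUAL_SCREEN));
```

Parentheses inside string literals or comments can throw off the matching, so treat a finding as a pointer for manual review of the flagged file.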
External references
- external · apple-guideline-5.1.1-data-collection — Apple App Store Review Guideline 5.1.1 — Data Collection and Storage (permission context)
Taxons
History
- 2026-04-18·v1.0.0·Initial import from app-store-review-blockers·automated