iap-shield v1.0.2

# IAP Shield

Prevent App Store payment bans by detecting Stripe and external billing violations before submission.
## The Problem
Stripe encourages developers to migrate off Apple IAP to web billing. Apple terminates apps for this. Stripe ghosts them.
There's no tooling to detect App Store payment violations before submission.
Until now.
## Install

```sh
npm install -g iap-shield
```

Or run directly:

```sh
npx iap-shield scan
```

## Usage

```sh
# Scan current directory
iap-shield scan

# Scan specific path
iap-shield scan ./src

# CI mode (exit 1 on violations)
iap-shield scan --ci

# JSON output for tooling
iap-shield scan --json
```

## Example Output

```
IAP Shield v0.1.0
CRITICAL: Stripe SDK in iOS app
Rule: APPLE_3_1_1_STRIPE_SDK
File: src/payments/checkout.ts:42:1
import Stripe from "stripe"
Fix: Use Apple IAP for digital goods. Route Stripe to web-only checkout.
Guideline: https://developer.apple.com/app-store/review/guidelines/#payments
---
1 critical, 0 warnings
Scanned 127 files in 234ms
```

## What It Detects
| Category | Examples |
|----------|----------|
| Stripe SDK | stripe, @stripe/stripe-js, @stripe/stripe-react-native |
| Checkout URLs | checkout.stripe.com, buy.stripe.com, billing.stripe.com |
| Payment Copy | "subscribe on our website", "pay on web", "upgrade at" |
| API Calls | createCheckoutSession, paymentIntents.create, confirmPayment |
## How It Works

IAP Shield is a static analysis tool. It scans your source files for patterns that violate Apple's App Store payment guidelines.

What it does:
- Reads `.ts`, `.tsx`, `.js`, `.jsx`, `.swift`, `.dart` files
- Pattern matches against known violation signatures
- Reports findings with file, line, and fix suggestions
What it does NOT do:
- No network requests (fully offline)
- No code execution
- No data collection
- No file modifications
Your code never leaves your machine.
## CI/CD Integration

### GitHub Actions

```yaml
name: App Store Compliance
on: [push, pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npx iap-shield scan --ci
```

### GitLab CI

```yaml
compliance:
  image: node:20
  script:
    - npx iap-shield scan --ci
```

### Bitbucket Pipelines

```yaml
pipelines:
  default:
    - step:
        name: App Store Compliance
        image: node:20
        script:
          - npx iap-shield scan --ci
```

### Pre-commit Hook

```sh
# .husky/pre-commit
npx iap-shield scan --ci
```

The `--ci` flag exits with code 1 if critical violations are found, failing your build.
## Apple Guidelines Reference

### Rule 3.1.1 - In-App Purchase Required
Apps may not use their own mechanisms to unlock content or functionality, such as license keys, augmented reality markers, QR codes, cryptocurrencies and cryptocurrency wallets, etc. Apps and their metadata may not include buttons, external links, or other calls to action that direct customers to purchasing mechanisms other than in-app purchase.
Applies to:
- Subscriptions
- Premium features
- Virtual items
- Digital content
Does NOT apply to:
- Physical goods
- Ride sharing
- Food delivery
- Reader apps (with exceptions)
Source: https://developer.apple.com/app-store/review/guidelines/#payments
## Correct Architecture

If you need both Apple IAP and Stripe:

```
iOS App -> Apple IAP (digital goods)
Web App -> Stripe (all payments)
Backend -> Unified entitlement service
```

Never route Stripe payments through your iOS app for digital goods.
## Development

```sh
git clone https://github.com/jtaylortech/iap-shield.git
cd iap-shield
npm install
npm run build
npm test
```

## Roadmap
- [x] Flutter/Dart support
- [ ] Swift static analysis
- [ ] Custom rule definitions
- [ ] GitHub Action (marketplace)
- [ ] VS Code extension
If there's demand, we're considering:
- Live policy update feed (rules change as Apple updates guidelines)
- CI dashboard with scan history
- Team/org management for enterprise
Open an issue or star the repo if these would be useful.
## Contributing
PRs welcome. See CONTRIBUTING.md.
## License
MIT
