IAP Shield

Prevent App Store payment bans before submission.


The problem: Stripe encourages developers to migrate off Apple IAP. Apple terminates apps for this. Stripe ghosts them. There's no tooling to detect violations before submission. Until now.

$ npx iap-shield scan

CRITICAL: Stripe SDK in iOS app
Rule: APPLE_3_1_1_STRIPE_SDK
File: src/payments/checkout.ts:42:1

import Stripe from "stripe"

Fix: Use Apple IAP for digital goods.
---
1 critical, 0 warnings

Install

npx iap-shield scan

Or install globally:

npm install -g iap-shield
iap-shield scan ./src

What It Detects

| Category | Examples |
|---|---|
| Stripe SDK | stripe, @stripe/stripe-react-native, flutter_stripe |
| Checkout URLs | checkout.stripe.com, buy.stripe.com |
| Payment Copy | "subscribe on our website", "pay on web" |
| API Calls | createCheckoutSession, confirmPayment |

How It Works

IAP Shield is a static analysis tool. It scans your source files for patterns that violate Apple's App Store payment guidelines.

Fully offline. No network requests. No data collection. Your code never leaves your machine.
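An added sketch of the kind of pattern matching described above (not IAP Shield's own code), run over constructed sample files using the strings from the What It Detects table. The rule ids prefixed EXAMPLE_, every severity other than the CRITICAL Stripe SDK rule, and counting any finding as a CI failure are assumptions.

```javascript
// Illustrative rules only. APPLE_3_1_1_STRIPE_SDK is the id shown in the sample
// output; the EXAMPLE_* ids and their severities are hypothetical.
const RULES = [
  { id: "APPLE_3_1_1_STRIPE_SDK", severity: "critical",
    // import/require of a listed package; the closing quote or "/" after the
    // name keeps look-alikes such as "stripe-mock" from matching
    re: /\b(?:import\b[^"']*|require\(\s*)["'](?:package:)?(?:stripe|@stripe\/stripe-react-native|flutter_stripe)["'\/]/ },
  { id: "EXAMPLE_CHECKOUT_URL", severity: "critical",
    re: /\b(?:checkout|buy)\.stripe\.com\b/i },
  { id: "EXAMPLE_PAYMENT_API", severity: "warning",
    re: /\b(?:createCheckoutSession|confirmPayment)\s*\(/ },
  { id: "EXAMPLE_PAYMENT_COPY", severity: "warning",
    re: /subscribe on our website|pay on web/i },
];

// Scan in-memory files line by line; locations use the file:line:column
// format from the sample output (both 1-based).
function scan(files) {
  const findings = [];
  for (const { path, text } of files) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const rule of RULES) {
        const m = rule.re.exec(line);
        if (m) findings.push({ rule: rule.id, severity: rule.severity,
          location: `${path}:${i + 1}:${m.index + 1}`, source: line.trim() });
      }
    });
  }
  return findings;
}

// Mirrors the documented --ci behaviour (exit code 1 on violations);
// treating warnings as violations is an assumption.
function ciExitCode(findings) { return findings.length > 0 ? 1 : 0; }

// Constructed sample input, not taken from any real project.
const SAMPLE_FILES = [
  { path: "src/payments/checkout.ts", text: [
      'import Stripe from "stripe"',
      'import mock from "stripe-mock" // similar name, not the SDK',
      'const url = "https://checkout.stripe.com/pay/example"',
    ].join("\n") },
  { path: "src/ui/Paywall.tsx", text: "<Text>Subscribe on our website to save</Text>" },
  { path: "src/iap/store.ts", text: 'import { purchase } from "./storekit"' },
];

for (const f of scan(SAMPLE_FILES)) console.log(f.severity, f.rule, f.location);
```

Plain string matching like this cannot tell digital goods from physical ones, so each finding still needs a human decision against Guideline 3.1.1.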

CI/CD Integration

# GitHub Actions
- run: npx iap-shield scan --ci

# The --ci flag exits with code 1 on violations

Apple Guideline 3.1.1

Digital goods must use Apple In-App Purchase. External payment links, Stripe SDKs, and "subscribe on web" copy can get your app terminated.

Read the full guideline →

Correct Architecture

iOS App  →  Apple IAP (digital goods)
Web App  →  Stripe (all payments)
Backend  →  Unified entitlement service