You built an app with Cursor in a weekend. Maybe Lovable or Bolt. It works, it looks decent, and you're ready to ship. But between “it runs on my machine” and “it's live on the App Store,” there's a gap that trips up almost every first-time publisher.
Developer accounts, code signing certificates, metadata character limits, screenshot sizes, privacy policies, review guidelines — the publishing process has dozens of requirements that have nothing to do with writing code. And if you miss one, your app gets rejected and you're back to square one.
This checklist covers every step from finished code to live on both the Apple App Store and Google Play. No filler, no theory — just the exact sequence of actions to get your vibe-coded app published. If you want deeper context on why Apple is scrutinizing AI-built apps, read our guide to Apple's vibe coding crackdown first.
Phase 1: Before You Touch the App Stores
The biggest mistake vibe coders make isn't in their store listing — it's shipping code that isn't production-ready. AI-generated code is optimized for the happy path. It works in demos. It breaks in production.[1]
Security Audit (Non-Negotiable)
Research shows 45% of AI-generated code contains security flaws.[2] Before you submit anything, run through this security checklist:
- Remove all hardcoded secrets. AI agents routinely hardcode API keys, database connection strings, and OAuth secrets directly in source files. Move everything to environment variables. Then check your git history — deleted secrets still exist in previous commits.
- Enable Row Level Security (RLS) on every database table. An audit of apps built with Lovable found 170+ out of 1,645 had completely exposed databases.[3]
- Enforce auth server-side. AI-generated code often checks permissions only on the frontend. Any user with browser dev tools can bypass that. Every API endpoint must verify authentication and authorization independently.
- Add real error handling. Replace generic try/catch blocks with specific error recovery. Log errors to a monitoring service (Sentry, LogRocket) so you know when things break in production.
- Run a security scanner. Tools like Snyk, SonarQube, or the free CISO Vibe Coding Checklist will catch the most common vulnerabilities.
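The git-history point in the list above, as an added example (not code from this article or from any tool it names): a small JavaScript scanner that reads the text of `git log -p --all` and flags secrets in any line a commit ever added, including lines a later commit removed. The two rules, the file name `src/db.js`, and the sample log are constructed for illustration.

```javascript
// Added example: find secrets that were ever committed, even if a later commit
// deleted them. Input is `git log -p --all` text; rules and sample are constructed.
const SECRET_RULES = [
  { rule: "connection string with embedded password",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^\s:@\/]+:[^\s@\/]+@/ },
  { rule: "hardcoded key/secret/token literal",
    re: /(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*["'][^"']{16,}["']/i },
];

function scanGitHistory(logText) {
  const findings = [];
  let commit = null, file = null;
  for (const line of logText.split("\n")) {
    const m = /^commit ([0-9a-f]{7,40})\b/.exec(line);
    if (m) { commit = m[1]; file = null; continue; }
    if (line.startsWith("+++ ")) { file = line.slice(4).replace(/^b\//, ""); continue; }
    // Only added lines matter: each is content stored in some commit's tree.
    if (!line.startsWith("+")) continue;
    for (const { rule, re } of SECRET_RULES) {
      if (re.test(line)) findings.push({ commit, file, rule });
    }
  }
  return findings;
}

// Constructed, abbreviated `git log -p --all` output (newest first, no Author/Date).
const SAMPLE_LOG = [
  "commit 2222222222222222222222222222222222222222",
  "    move credentials to environment variables",
  "diff --git a/src/db.js b/src/db.js",
  "--- a/src/db.js",
  "+++ b/src/db.js",
  "@@ -1,2 +1,2 @@",
  '-const DB_URL = "postgres://app:EXAMPLE-ONLY-pw@db.example.test:5432/app";',
  '-const API_KEY = "EXAMPLE_ONLY_0123456789abcdef";',
  "+const DB_URL = process.env.DATABASE_URL;",
  "+const API_KEY = process.env.API_KEY;",
  "commit 1111111111111111111111111111111111111111",
  "    initial commit",
  "diff --git a/src/db.js b/src/db.js",
  "--- /dev/null",
  "+++ b/src/db.js",
  "@@ -0,0 +1,2 @@",
  '+const DB_URL = "postgres://app:EXAMPLE-ONLY-pw@db.example.test:5432/app";',
  '+const API_KEY = "EXAMPLE_ONLY_0123456789abcdef";',
].join("\n");

for (const f of scanGitHistory(SAMPLE_LOG)) console.log(`${f.commit.slice(0, 7)} ${f.file}: ${f.rule}`);
```

Any hit means the credential should be rotated: moving it to an environment variable in a later commit does not remove it from history.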
Test on Real Devices
Simulators lie. AI-generated layouts that look perfect in the Xcode simulator break on iPhone SE screens. Touch targets that work with a mouse don't work with thumbs. Performance that's fine on your M4 Mac crawls on a 3-year-old Android phone.
Test on at least 3 real devices before submitting: a small phone (iPhone SE or equivalent), a large phone (iPhone 16 Pro Max / Pixel 9 Pro), and a tablet if you support one.
Set Up Version Control & CI
If you don't have your code in Git yet, stop and do it now. Without version control, one bad AI suggestion can destroy working code with no way to recover. Set up a basic CI pipeline that runs your build + tests on every push.
Phase 2: Developer Accounts
You need accounts on both platforms before you can submit anything. Start this early — Apple's enrollment can take up to 48 hours.
Apple Developer Program
- Cost: $99 USD/year (recurring).[4]
- What you get: Access to App Store Connect, TestFlight, code signing certificates, provisioning profiles.
- Processing time: Up to 48 hours after payment.
- Tip: Fee waivers are available for eligible nonprofits and educational institutions.
Google Play Console
- Cost: $25 USD one-time (no annual renewal).[5]
- What you get: Access to Play Console, internal/closed/open testing tracks, store listing management.
- New in 2026: Two-step verification required for all accounts. Identity verification now mandatory for new developers.
Phase 3: Metadata — The Words That Determine Your Downloads
Here's where most vibe coders lose: they spend days building the app and 5 minutes on the store listing. But 70% of app installs come from app store searches. Your metadata is what determines whether anyone finds your app.
Apple App Store Metadata
| Field | Limit | Tips |
|---|---|---|
| App Name | 30 characters | Include your primary keyword. This is the #1 ranking factor. |
| Subtitle | 30 characters | Use a secondary keyword. Don't repeat the app name. |
| Keywords | 100 characters | Comma-separated, no spaces after commas. Use all 100 characters. No duplicates of words in your name/subtitle. |
| Description | 4,000 characters | Not indexed for search on iOS, but critical for conversion. Lead with benefits, not features. |
| Promotional Text | 170 characters | Can be updated without a new app version. Use for time-sensitive messaging. |
Google Play Store Metadata
| Field | Limit | Tips |
|---|---|---|
| App Title | 50 characters | Include your primary keyword. Google indexes the title heavily. |
| Short Description | 80 characters | Shown on the store listing. Make it compelling — this is your elevator pitch. |
| Full Description | 4,000 characters | Google indexes this for search. Use your target keywords naturally 3–5 times. Structure with line breaks. |
Don't write metadata by hand. Keyword research and optimization is a discipline, not a guessing game. AI-powered metadata generation can create optimized titles, descriptions, and keywords for both stores in under 60 seconds, hitting the right character limits and keyword density automatically. For keyword strategy, our keyword selection guide breaks down the research process.
Phase 4: Screenshots — Your App's First Impression
Screenshots are the single biggest factor in whether someone taps “Get” or scrolls past. They need to communicate what your app does and why it's valuable — in under 3 seconds.
Required Sizes
| Platform | Device | Size (px) | Count |
|---|---|---|---|
| Apple | iPhone 6.9" | 1290 × 2796 | 1–10 |
| Apple | iPad 13" | 2064 × 2752 | 1–10 |
| Google Play | Phone | 1080 × 1920 | 2–8 |
| Google Play | Tablet 7" | 1080 × 1920 | Up to 8 |
| Google Play | Tablet 10" | 1920 × 1200 | Up to 8 |
Pro tip: Don't screenshot your app and call it done. The best-converting screenshots have a headline describing the benefit, a device frame showing the UI, and a clean background. You can create professional app store screenshots for free with AppDrift's drag-and-drop editor — it supports all device sizes for both iOS and Android with batch export. For design guidance, our screenshots that sell guide covers the conversion psychology.
Phase 5: Privacy & Compliance
Both stores require privacy disclosures. Skip this and you'll be rejected instantly.
Apple Requirements
- Privacy policy URL — must be linked in App Store Connect AND accessible from within the app.[6]
- App Privacy Details (“nutrition labels”) — disclose all data types collected, how they're used, and whether they're linked to identity.
- App Tracking Transparency — if you track users across apps, you must request permission via the ATT framework.
Google Play Requirements
- Privacy policy — must be linked in Play Console and match what the Data Safety Form declares.[7]
- Data Safety Form — a separate form detailing data collection, usage, and processing. Must be filled out before your app can go live.
- AI disclosure — apps using external AI services must disclose this and get user consent.
If you're using a simple privacy policy generator, make sure it accurately reflects your actual data practices. Generic policies that don't match your Data Safety Form disclosures will cause rejection.
Phase 6: Testing
iOS — TestFlight
- Upload your build through Xcode or Transporter.
- Internal testing: Up to 100 testers (team members). Available immediately, no Apple review required.
- External testing: Up to 10,000 testers. Requires Apple's Beta App Review (usually 24–48 hours).
- Builds expire after 90 days.
- Tip: Get at least 5 external testers to use the app for a full day. They'll find bugs your simulator testing missed.
Android — Testing Tracks
- Internal testing: Up to 100 testers. Available in minutes. No review required.
- Closed testing: For new personal developer accounts, Google now requires a mandatory 14-day closed testing period with at least 12 testers before you can publish to production.
- Open testing: Optional public beta.
- Tip: Start your 14-day closed testing window immediately after creating your account. Don't wait until the app is “perfect” — the clock starts when you add testers.
Phase 7: Submission
Apple App Store Submission Checklist
- Archive your app in Xcode (Product → Archive).
- Upload to App Store Connect via Xcode or Transporter.
- Fill in all metadata fields (name, subtitle, keywords, description, promotional text).
- Upload screenshots for all required device sizes.
- Set your price and availability (countries, release date).
- Complete the App Privacy Details section.
- Add demo credentials in the App Review Notes field (if login required).
- Select your build and submit for review.
Important (April 2026): Apps must be built with the iOS 26 SDK or later.[8]
Google Play Submission Checklist
- Build your Android App Bundle (.aab format, not APK).
- Upload to Play Console.
- Complete the store listing (title, descriptions, screenshots, feature graphic).
- Fill out the Data Safety Form.
- Complete the content rating questionnaire.
- Set pricing and distribution (countries, devices).
- If new personal account: complete 14-day closed testing with 12+ testers first.
- Submit for review.
Important (2026): Apps must target Android 14 (API level 34) or higher. Play App Signing is mandatory.
Phase 8: After Approval — Don't Stop Here
Getting approved is the starting line, not the finish. The first 72 hours after launch are critical for algorithmic ranking on both stores.
Immediate Post-Launch Actions
- Monitor crash reports in App Store Connect and Play Console. Fix any crashes within 24 hours.
- Respond to every review within the first week. Early ratings heavily influence your app's visibility.
- Share your launch on relevant communities (Reddit, Twitter/X, Product Hunt, Indie Hackers). The initial download velocity signals quality to both stores' algorithms.
The Growth Lever Most Vibe Coders Ignore: Localization
Your app listing probably only exists in English. That means you're invisible to 75% of global smartphone users. Localizing your metadata into even 10 languages can double your organic downloads.
AI-powered metadata translation can localize your app listing into 40+ languages with cultural adaptation — not just word-for-word translation, but keywords and phrasing that match how local users actually search. It's the single highest-leverage growth action for indie developers. For the full strategy, read our global launch guide.
Quick Reference: Apple vs. Google Play at a Glance
| Requirement | Apple App Store | Google Play |
|---|---|---|
| Developer Fee | $99/year | $25 one-time |
| App Name Limit | 30 characters | 50 characters |
| Description Limit | 4,000 characters | 4,000 characters |
| Keywords | 100-char dedicated field | Extracted from description |
| Screenshot Count | 1–10 per device | 2–8 per device |
| Primary Screenshot Size | 1290 × 2796 | 1080 × 1920 |
| Review Time (normal) | 24–48 hours | Hours to a few days |
| Review Time (March 2026) | 7–30+ days | Standard |
| Testing | TestFlight (10K external) | Internal / Closed / Open tracks |
| App Format | .ipa via Xcode | .aab (App Bundle) |
| Privacy | Policy + App Privacy Details | Policy + Data Safety Form |
Frequently Asked Questions
How much does it cost to publish an app to the App Store?
Apple charges $99/year for a Developer Program membership. Google Play charges a one-time $25 registration fee. There are no per-app submission fees on either platform. Fee waivers are available from Apple for eligible nonprofits and educational institutions.
How long does App Store review take in 2026?
Apple's standard review time is 24–48 hours, but the surge in vibe-coded app submissions pushed wait times to 7–30+ days in March 2026. Submitting a complete, well-tested app with demo credentials and no placeholder content can help speed up the process. Google Play review typically takes hours to a few days.
Can I publish an app built with Cursor or Lovable?
Yes. Apps built with AI coding tools can be published normally as long as they compile to native binaries and don't execute dynamically generated code at runtime. Apple's crackdown targets runtime code execution platforms (like Replit's in-app builder), not apps that were developed using AI tools. For the full context, read our guide to Apple's vibe coding crackdown.
What are the most common reasons for app rejection?
The top reasons are: incomplete app content or placeholder text (Guideline 2.1), privacy policy violations, insufficient native functionality / web view wrappers (Guideline 4.2), spam or duplicate apps (Guideline 4.3), crashes or performance issues, and missing demo credentials for apps that require login. Following this checklist addresses all of these.
Do I need a privacy policy for my app?
Yes, on both platforms. Apple requires a privacy policy URL in App Store Connect and within the app itself, plus completed App Privacy Details. Google Play requires a privacy policy and a separate Data Safety Form. Using a generic policy that doesn't match your actual data practices will cause rejection.
