APPLE VS VIBE CODING: THE WALLED GARDEN FIGHTS BACK

Apple removed “Anything” — a $100M vibe coding app — from the App Store and blocked updates for Replit and Vibecode. The AI app-building era just hit its first major wall. Here’s what happened, what it means, and why security is the angle no one is talking about.

Timeline of Events

• Sep 2025 — Anything raises $11M at $100M valuation
• Nov 2025 — Anything launches on iOS — no issues with App Review
• Dec 2025 — Apple quietly starts blocking Anything updates
• Mar 18, 2026 — Apple blocks updates for Replit and Vibecode, citing Guideline 2.5.2
• Mar 26, 2026 — Apple removes Anything from the App Store entirely
• Mar 30, 2026 — Founder confirms web-view workaround was also rejected

What Happened

Anything let anyone build iOS apps using natural language prompts — no coding required. The app launched in November 2025 and quickly gained traction, with its founder Dhruv Amin stating it had been “used to publish thousands of apps in the App Store.”

Then Apple started enforcing Guideline 2.5.2:

“Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps.”

Amin tried to comply by routing app previews through a web browser instead of running them in-app. Apple rejected the update and pulled the app entirely on March 26.

The same enforcement hit Replit and Vibecode. Both had updates blocked starting March 18. Apple indicated Replit might be approved if it opens generated apps in an external browser, and Vibecode if it removes the ability to generate software for Apple devices.

Who’s Affected

The Security Angle No One Is Talking About

The coverage focuses on Apple’s control vs developer freedom. But there’s a security story underneath that matters more for users.

Thousands of apps were published through Anything with zero security review. Amin confirmed “thousands of apps” were built and published via the tool. These apps were generated by prompts from people with no coding experience — the exact profile that produces the worst security outcomes.

We’ve seen what happens with vibe-coded apps at scale. In our February 2026 analysis, 170+ Lovable-built apps had completely exposed databases out of 1,645 scanned. The same vulnerability patterns appear across every vibe coding tool:

What vibe-coded iOS apps likely contain

• Hardcoded API keys in client bundles
• Missing server-side auth (UI-only guards)
• Exposed database endpoints
• No input validation or rate limiting
• Permissive CORS allowing any origin

Why this is worse on mobile

• Users trust App Store apps more than websites
• iOS apps often request sensitive permissions
• No browser DevTools for users to inspect traffic
• App Store “approval” implies security review (it doesn’t)
• Harder to update/patch than web apps

What This Means for Vibe Coders

Web-first is now the safe bet

Lovable, Bolt, and Cursor aren’t affected because they target web deployment, not the App Store. If you’re building with AI tools, deploy to the web first — you can always wrap it in a PWA or Capacitor later.

Security scanning is now non-negotiable

Whether Apple blocks your app or not, the vulnerabilities are real. Every vibe-coded app should be scanned before deployment — especially if it handles user data, payments, or authentication.

Apple’s review was never a security guarantee

App Store review checks for policy compliance, not security vulnerabilities. Thousands of insecure apps pass review every day. The Anything removal is about code execution rules, not about protecting users from bad security.