Does Apple allow live updates without App Store review?
The direct answer, quoted from Apple’s own guidelines: yes, within limits. What guideline 2.5.2 permits for over-the-air updates, how Apple enforces the line, and how to stay compliant with Capacitor.
Short answer: yes — Apple explicitly allows over-the-air updates to a specific kind of code, and it has for years. The confusion comes from conflating “live updates” (fine) with “downloading native executable code” (not fine). This is the direct answer, quoted from Apple's own guidelines, and what it means for a Capacitor app.
The permission lives in App Store Review Guideline 2.5.2. It carves out an exception for code run by WebKit or JavaScriptCore — which is exactly where your Capacitor web layer runs.
What guideline 2.5.2 actually says
The guideline prohibits apps from downloading, installing, or executing code that changes the app's features or functionality — with an explicit exception: code executed by Apple's built-in WebKit framework or JavaScriptCore, provided it doesn't change the app's primary purpose, add store-like features, or violate other guidelines. Your JavaScript, HTML, and CSS run in WebKit. That's the exception, and it's deliberate. We break down the exact wording in guideline 2.5.2 explained.
Where the line is
- Allowed: updating your web-layer code — bug fixes, UI changes, new screens built from your existing web stack.
- Not allowed: downloading native binaries, or using an update to change what the app fundamentally is (turning a notes app into a casino).
Capacitor OTA updates ship the first category and none of the second, which is why they sit squarely inside the exception. See app-store-compliant OTA updates.
How Apple enforces it
Enforcement is about substance, not the mere existence of updates. An app that quietly becomes a different product after approval is the target — not an app that fixes a bug over the air. Keep updates within your app's stated purpose and you're on the right side of it.
Don't use OTA to sneak past review something that would have been rejected. That's the one behavior the guideline exists to stop, and it's how apps get pulled. Ship the same app you'd have submitted — just faster.
Where to go next
See the Android answer, and updating without repeat review for the practical workflow.