Technical Due Diligence for Mobile Apps: What to Check Before Acquiring

Mobile app acquisitions have risks that don't exist in web software. You're operating inside platforms (Apple and Google) that make the rules, can change them, and can remove your product. The technical due diligence needs to account for platform risk, not just code quality.

This guide covers the specific evaluation challenges of acquiring iOS, Android, or cross-platform mobile apps.

Platform dependency risk

App store standing

The first thing to check: what is the app's current standing with Apple App Store and Google Play?

• Are there any active policy violations or warnings?
• Has the app ever been removed or suspended? Why?
• Are there open review rejections that indicate ongoing compliance issues?
• Does the app's current implementation comply with current guidelines? (Guidelines change; an old app may be grandfathered but vulnerable)

Request access to: App Store Connect and Google Play Console before close, not screenshots.

Apple's in-app purchase rules

Apple requires apps to use its IAP system for digital goods and services. The 30% (or 15% for small developers) commission applies. This is non-negotiable for consumer apps selling digital content.

What to verify:

• Does the app sell digital goods? Are they going through Apple IAP?
• Are there any workarounds (directing users to a web payment) that violate guidelines?
• Has the app received any warnings about IAP compliance?

An app generating ₹1Cr/month in revenue through a non-compliant payment flow is one App Review cycle away from a forced change or removal.

SDK and library dependencies

Mobile apps depend on third-party SDKs for analytics, crash reporting, push notifications, and more. Each is a risk:

• What SDKs are in use? When were they last updated?
• Are any SDKs deprecated or abandoned?
• Does any SDK collect data in ways that may violate current App Store privacy requirements (ATT framework)?
• Are there any SDKs with known security vulnerabilities?

Run a dependency audit. Old, unupdated SDKs are a common source of App Review rejections.

In-app purchase and subscription infrastructure

Subscription reliability

If the app has subscriptions:

• How are subscription receipts validated? (Server-side validation is required; client-side only is a security risk)
• What happens when a subscription lapses? Is access revoked correctly?
• Are subscription renewals handled gracefully across both platforms?
• What is the subscription renewal failure rate? (Platform-side payment failures are common)

Revenue reconciliation

App store revenue is subject to a 30% platform cut and delayed payouts. Verify:

• Does reported revenue represent gross (before platform cut) or net?
• Are the App Store Connect and Google Play Console revenue figures consistent with what's been presented?
• Are there geographic revenue concentrations that create tax or regulatory considerations?

User metrics verification

Mobile user metrics are frequently inflated. Here's how to verify:

DAU/MAU ratio

• A healthy consumer app has a DAU/MAU ratio above 20%
• Below 10% indicates low retention — users install and rarely return
• Above 50% indicates strong habitual use

Install quality

• What is the source breakdown of installs? (Organic, paid UA, ASO)
• What is the D1/D7/D30 retention rate? (How many users are still active 1/7/30 days after install)
• What is the uninstall rate? High uninstalls after first session indicate an onboarding problem

Revenue per active user

• Calculate revenue divided by MAU. Compare to industry benchmarks for the category.
• A mismatch between high MAU and low revenue often indicates low-quality user acquisition (incentivized installs, fake reviews boosting downloads)

Red flag: Apps with millions of downloads and negligible revenue. Downloads without engagement are worthless in an acquisition.

Technical architecture evaluation

iOS and Android codebase split

Architecture	Maintenance overhead	Risk
Native iOS + Native Android	High — two full codebases	Requires two platform-specialized teams
React Native	Medium — shared JS, platform bridges	Bridge maintenance, upgrade complexity
Flutter	Medium — Dart codebase	Smaller talent pool than React Native
Ionic/Capacitor	Lower complexity, lower performance	Heavy WebView dependency

For acquired cross-platform apps: Ask specifically how much platform-specific (iOS/Android) native code has been written outside the shared layer. Mature cross-platform apps often accumulate significant native workarounds that reduce the maintenance benefit.

Offline architecture

Does the app work offline? This is often a quality differentiator:

• What data is cached locally?
• How is local data synced when connectivity returns?
• How are sync conflicts resolved?
• Is the offline experience intentional or a happy accident?

A poorly designed offline sync system is one of the most expensive things to retrofit.

Push notification infrastructure

Push notifications are critical for retention in most mobile apps:

• What service handles push? (FCM for Android, APNs for iOS, or an abstraction layer like OneSignal/Braze)
• What is the delivery rate? (Industry benchmark: 95%+ for direct sends)
• Are there retention campaigns running? When were they last reviewed?
• Are push tokens being cleaned up when users uninstall or revoke permissions?

A 40% push delivery rate indicates stale tokens, poor segmentation, or infrastructure issues.

Crash rate

Request crash data from the current crash reporting tool (Firebase Crashlytics, Sentry, etc.):

• What is the crash-free sessions rate? Industry standard: 99.5%+ for production apps
• Are there known crash issues being deferred?
• What is the crash rate by OS version? (Crashes concentrated on specific OS versions indicate untested compatibility)

A crash rate above 0.5% in a consumer app is significant — users who experience crashes don't return.

App store metrics and ratings

• Average rating: Below 4.0 is a churn driver. Below 3.5 actively suppresses organic discovery.
• Review sentiment: Read the 1-star reviews. They're an unfiltered product feedback channel. Look for patterns.
• Rating recency: An app with a 4.5 rating from 2021 and 3.2 from recent reviews has a declining trajectory.
• Response rate: Does the team respond to reviews? Low response rate indicates low engagement with user feedback.

Post-acquisition operational considerations

• Developer account transfer: Apple and Google developer accounts are not straightforwardly transferable. Plan the transfer process — binary transfers (transferring ownership within the same account) are simpler than full account transfers.
• Signing certificates and keys: The app signing keys must be securely transferred. Losing them requires resubmitting the app as a new binary — which can cause user disruption.
• Push notification certificates: APNs certificates and FCM configurations must be transferred and updated.

---

Need this done for you?

Mobile app acquisitions have platform dependencies that can make or break the deal — and user metric numbers that are easy to inflate. Hunchbite conducts mobile-specific technical due diligence across iOS, Android, and cross-platform apps. Platform risk, metric authenticity, backend infrastructure quality, and a written report you can use before signing.

→ Technical Due Diligence Service

Call +91 90358 61690 · Book a free call · Contact form