- The only place this build existed was Apple's review process — and a session just appeared.
- What arrived was an anonymous production session: a journey, popup dismissals, placeholder taps, multi-second dwells. Real telemetry, no identity.
- Device context pointed at a US, Los-Angeles configuration — that is how a device was set up, not proof of where anyone was or who they were.
- I observed the session. I did not, and could not, identify the person behind it. 'Likely' is the strongest honest word.
Definitions used in this guide
The sequence of user actions, route changes, and requests that happened before an error fired.
A normalized signature that groups repeated failures together even when line numbers or values vary slightly.
A plain-English explanation of who was affected, what they were doing, and why the error matters to the business.
The build existed in exactly one place
I am a solo developer. I work from South Africa, in a timezone that is nowhere near California. The build I had just submitted to Apple had zero TestFlight testers — not a small number, zero. I had not handed it to a friend, a beta group, or a second device. It carried the Crossdeck SDK because every build I ship does, and the same anonymous production telemetry that fires for any install was live the moment that binary ran.
So when I refreshed Crossdeck Live out of habit and saw a fresh session that was not mine, I had to sit with one fact before anything else: the only place this build exists is Apple's review process — and a session just appeared. There was no other surface it could have come from. No public release, no testers, no second device of my own. One submission, in review, and a visitor I had never seen.
I want to be precise about what that is and what it is not. It is anonymous production telemetry — the same shape Crossdeck records for any first-time visitor. It is not a name. It is not a person I can point at. It is a session.
What I actually saw
The session read as deliberate in a way my own use never does. A fresh anonymous identity with no prior history opened the app and started walking the surface: open a screen, exercise it, dismiss the popup that appeared, move to the next. There were multi-second dwells where a real human-shaped pause sat on a screen, then a tap on a placeholder element that does nothing useful — the kind of thing only someone systematically checking coverage would bother to touch.
I watched the journey assemble screen by screen in Live: the path through the app, the dismissals, the time spent. None of it was labelled 'App Review.' There is no flag on a session that says that. I was reading anonymous telemetry and inferring, from timing and context, that this session likely came from the review pipeline.
- A fresh anonymous identity — no earlier visits, no
identify()call, no customer record. - A methodical, walk-the-surface pattern: open, exercise, dismiss, advance — coverage, not a customer's goal-directed path.
- Popup dismissals and a tap on a non-functional placeholder element.
- Multi-second dwells on individual screens, then movement onward.
- US device context — frequently the
America/Los_Angelestimezone — which is device configuration, not proven location and not identity.
The deduction — and exactly where it stops
The deduction almost makes itself. A build that has shipped nowhere, with no testers, produces traffic that walks the app methodically from a US-configured device during the exact window it sits 'In Review.' Every signal points the same direction. It is a likely review session, and I will happily say so.
But here is the line, and it is load-bearing, so I will state it plainly. I observed an anonymous session. I did not identify a reviewer. Crossdeck does not name, watch, or track the person behind a session, and it cannot. The US, Los-Angeles context tells me how a device was configured — it is not proof of where that device physically was, and it is certainly not proof of who held it. The methodical pattern is a hint, not a fingerprint. None of these signals is proof; they raise the probability, they do not confirm it.
So I hold the conclusion loosely. The session is real. The behaviour is real. The errors that fire are real and fixable. The identity behind it is, and stays, unknown — by design. 'Likely' is the strongest honest word I have, and I am not going to reach past it.
Why this matters to anyone who has refresh-spammed App Store Connect
If you have ever submitted a build and then sat there reloading App Store Connect, you know the particular helplessness of it. Your app is running on a device you cannot see, being exercised by a process you cannot watch, and when the decision comes back — especially a rejection — it is usually a guideline number and maybe a screenshot. You are asked to fix something you were not in the room for.
What changed for me was not that I could see a reviewer. I cannot, and I would not want a product that claimed to. What changed is that the session that build produced is a first-class record I can open: the journey, the dwell, the dismissals, and any error that fired. When feedback arrives, I can read it beside the anonymous session that produced it instead of guessing. Not every review produces a deep human session — automated checks may dominate, and some reviews leave little human-shaped data behind. This is an observation tool, not a guarantee, and not a way to always know why you were rejected.
That is the whole story. A build that existed only inside Apple's review process sent back an anonymous session, I observed it, and for the first time the black box had a little light in it. If you want the practical version — how to recognize a likely review session and turn it into a fix — that is the App Review sessions guide. If you want the forensic, why-was-I-rejected angle, read Why did Apple reject my app? and the step-by-step forensics guide. And if you have not shipped a build with the SDK yet, the iOS quickstart is the fifteen-minute version — so your next submission is visible too.
Frequently asked questions
Did you identify the Apple reviewer?
No. I observed an anonymous production session — a journey, dwell times, dismissals, and any errors that fired. Crossdeck does not name, watch, or track the person behind a session, and it cannot. I observed the session; I never identified a reviewer.
How did you know the session came from App Review?
I did not know with certainty — I inferred it. The build had shipped nowhere and had zero TestFlight testers, yet a fresh anonymous session walked the app methodically from a US-configured device during the window it sat 'In Review.' Those signals make it a likely review session. 'Likely' is the strongest honest word; the signals raise probability, they do not confirm it.
Doesn't the Los Angeles timezone prove it was Apple?
No. Timezone and region are device configuration — they tell you how a device was set up, not where it physically was or who held it. US, Los-Angeles context is consistent with a review device, but it is not proof of location and it is not identity.
Will every submission produce a session like this?
No. Not every review produces a deep, human-shaped session. Automated checks may dominate a given review, and some reviews leave little or no human session data behind. This is an observation tool, not a guarantee that you will always see what happened.
Does Crossdeck work across iOS, Android, and web?
Yes. Crossdeck is designed around one customer timeline across Apple, Google Play, Stripe, and web or mobile product events, so the same entitlement and revenue model can travel across surfaces.
Take this into the product
Read the full guide on recognizing a likely review session and running rejection forensics — then add the SDK so your next submission is visible too.