
You don't think this violates Apple's developer guidelines?

Just perusing them, I can see violations of sections:

1.6 Data Security

4.1 Copycats

5.1.1 Data Collection and Storage

5.2 Intellectual Property

5.2.2 Third-Party Sites/Services

5.2.3 Audio/Video Downloading



> 1.6 Apps should implement appropriate security measures to ensure proper handling of user information collected pursuant

Why do you assume they're not doing that? Why do you believe storing 3rd party account access information is inherently insecure? It's not.

> 4.1 Come up with your own ideas ... Don’t simply copy the latest popular app on the App Store, or make some minor changes to another app’s name or UI and pass it off as your own.

Why would the whole copyright-fair-use-deal not be the standard here? The app in question is absolutely transformative - it's the entire reason people would ever download it.

> 5.1.1

See 1.6, it's the same exact reasoning. There is nothing the app does that is inherently insecure or privacy-destroying from a conceptual perspective. Is there something specific in this monstrously-large section you'd like to call out?

> 5.2.2 + 5.2.3

Ah, you're actually right here! I don't actually remember seeing 5.2.2 before. OG does violate Apple's developer guidelines. Interesting.


I think they also statically analyse the code. So who knows what weird thing they did to circumvent auth.


Why would they have to circumvent anything? The app relies on the user providing valid credentials, no circumvention needed. It just has to mimic an official client.


> Why would they have to circumvent anything? The app relies on the user providing valid credentials, no circumvention needed. It just has to mimic an official client.

Somebody else said they're using OAuth. AFAIK, Instagram does not provide a public API. So it seems like they abused OAuth for that?


Presumably "abusing" OAuth means they've just extracted the client ID and client secret from the official app, thus pretending to be the official app to the API.

There's no other way to "abuse" OAuth other than pretending to be an already-authorized client, and obtaining that authorization still ultimately relies on getting the user's username & password and would only be limited to what the client you're impersonating is allowed to access.



