
A Developer’s Guide to Surviving Meta’s Broken App Review Process

Meta’s developer platform is fundamentally broken, and it’s forcing developers into an insane security nightmare.

For over two years, a "temporary" bug has made it impossible to create test accounts for app reviews. This single, persistent failure has spiraled into an absurd and dangerous situation for developers around the world. The official workaround? Meta expects us to give strangers in other countries full, unmitigated access to our real, private Facebook accounts.

This isn’t just an inconvenience; it’s a fundamental breach of privacy and a security nightmare waiting to happen. I’ve spent weeks fighting it, and this is the guide I wish I had.

The Core Problem: Your Private Life for an App Review

To get our apps approved, we are required to provide login credentials to Meta’s review team. Since test accounts are broken, we’re forced to use real accounts.

I refuse to give a stranger my personal email, password, and 2FA codes, granting them access to my private messages, photos, and personal information. In an attempt to comply, I created four separate "dummy" accounts. Meta's automated systems flagged and locked every single one.

I am not alone. Reddit, Stack Overflow, and Meta’s own developer forums are littered with thousands of posts from frustrated developers hitting the same brick wall. Many are simply giving up, abandoning their projects because the gatekeeper has locked the gate and thrown away the key.

The Absurdly Complex Workaround: A Step-by-Step Guide

After weeks of frustration, the breakthrough came, as it so often does, from a brilliant Reddit thread where other developers were sharing their war stories. It’s not a fix; it’s a ridiculously complex Rube Goldberg machine of a workaround that proves just how broken the system is.

Here is what it now takes to get an app approved by Meta.

Step 1: Create a High-Stakes Dummy Account

You must create a new, real Facebook account and pray it doesn’t get instantly locked. This account needs to be added as a developer or tester in your Meta Business Suite settings. Make sure this account does not have admin privileges for your business.

Step 2: Engineer a Public 2FA Server

Because reviewers are often in different countries, simple logins frequently fail due to Meta’s own geo-blocking security features. The only reliable way around this is to give them live 2FA codes. To do this, you have to literally build a small web application.

This involves setting up an AWS Lambda function that uses your dummy account’s 2FA secret to generate codes on demand.

Here is the Python code for the Lambda function:

# This Lambda function generates a live 2FA code for your reviewer.
# pyotp is not part of the Lambda runtime: bundle it in the deployment
# package or attach it as a Lambda layer.
import json
import pyotp

def lambda_handler(event, context):
    # Your REAL dummy Facebook account's 2FA secret goes here.
    # You can get this by enabling 2FA and decoding the QR code; the QR code
    # contains an otpauth:// URI, and its secret= parameter is the base32
    # string pyotp expects.
    secret = 'YOUR_META_FACEBOOK_SECRET'

    totp = pyotp.TOTP(secret)
    current_otp = totp.now()

    return {
        'statusCode': 200,
        # CORS headers to allow the public webpage to access this.
        'headers': { 
            'Access-Control-Allow-Origin': '*',
            'Access-Control-Allow-Headers': 'Content-Type',
            'Access-Control-Allow-Methods': 'OPTIONS,POST,GET'
        },
        'body': json.dumps({'current_otp': current_otp})
    }

You then need to connect this Lambda function to an unsecured, public API Gateway trigger. Be clear about what that means: anyone who discovers the URL can fetch a valid login code for the account at any time, so for the duration of the review the second factor is only as secret as the URL.
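If you do have to run this, the endpoint does not have to be wide open. The following is an added example, not the article's Lambda: it still hands the reviewer a live code, but only to a caller presenting a shared reviewer token (sent in an assumed X-Reviewer-Token header, which the Step 3 page would have to add to its fetch call), only until a fixed review end time, and it logs every attempt so you can see who pulled codes. It computes TOTP with the standard library (RFC 6238, SHA-1, 6 digits), so no pyotp layer is needed. The environment variable names TOTP_SECRET, REVIEWER_TOKEN and REVIEW_ENDS_AT are assumptions of this example.

```python
# Added example (not the article's code): a hardened variant of the Step 2
# Lambda. It serves a live TOTP code only to a caller who presents the shared
# reviewer token, only until a fixed review end time, and it logs every attempt.
import base64
import hashlib
import hmac
import json
import os
import struct
import time

CORS_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    # The reviewer page sends the token in a custom header, so that header must
    # be allowed here and the browser's OPTIONS preflight must be answered.
    "Access-Control-Allow-Headers": "Content-Type,X-Reviewer-Token",
    "Access-Control-Allow-Methods": "OPTIONS,GET",
}


def totp_now(secret_b32, at=None, digits=6, step=30):
    """RFC 6238 TOTP for a base32 secret (the secret= value of the otpauth URI)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _response(status, body):
    return {"statusCode": status, "headers": CORS_HEADERS, "body": json.dumps(body)}


def _method(event):
    # API Gateway HTTP API (payload v2) and REST API (payload v1) put the verb
    # in different places; accept both.
    try:
        return event["requestContext"]["http"]["method"].upper()
    except (KeyError, TypeError):
        return str(event.get("httpMethod", "GET")).upper()


def make_handler(secret_b32, reviewer_token, review_ends_at, clock=time.time, audit=print):
    """Build a handler bound to one secret, one token and one deadline (epoch seconds)."""

    def lambda_handler(event, context):
        if _method(event) == "OPTIONS":
            return {"statusCode": 204, "headers": CORS_HEADERS, "body": ""}
        now = clock()
        headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
        presented = headers.get("x-reviewer-token", "")
        source = (event.get("requestContext") or {}).get("http", {}).get("sourceIp", "?")
        if now > review_ends_at:
            audit(f"otp request refused: review window closed (from {source})")
            return _response(410, {"error": "review window closed"})
        # Constant-time comparison; an empty configured token never matches.
        if not reviewer_token or not hmac.compare_digest(
            presented.encode(), reviewer_token.encode()
        ):
            audit(f"otp request refused: bad or missing token (from {source})")
            return _response(401, {"error": "unauthorized"})
        audit(f"otp served to reviewer (from {source})")
        return _response(200, {"current_otp": totp_now(secret_b32, now)})

    return lambda_handler


# Deployment wiring: all three values come from Lambda environment variables
# (assumed names), never from source. With no REVIEW_ENDS_AT set, the endpoint
# is closed by default.
lambda_handler = make_handler(
    os.environ.get("TOTP_SECRET", ""),
    os.environ.get("REVIEWER_TOKEN", ""),
    float(os.environ.get("REVIEW_ENDS_AT", "0")),
)
```

Give the reviewer the token in the same private channel as the login credentials, never on the public page itself, and set REVIEW_ENDS_AT to the end of the review so a forgotten endpoint stops serving codes on its own. The audit lines land in CloudWatch Logs, where a code pulled from an unexpected source address is your signal that the URL has leaked.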

Step 3: Host the Public 2FA-Fetching Webpage

Next, you have to host a public webpage on a service like AWS S3. This page has one job: to call your public API and display your live 2FA code to the reviewer when they click a button.

Here is the simple HTML for that page:

<!DOCTYPE html>
<html>
<head>
    <title>2FA Code Retriever</title>
    <style>
        body { font-family: sans-serif; text-align: center; padding-top: 50px; }
        #code { font-size: 3em; font-weight: bold; margin: 20px 0; }
        button { padding: 15px 30px; font-size: 1.2em; cursor: pointer; }
    </style>
</head>
<body>
    <h1>Current 2FA Code:</h1>
    <div id="code">---</div>
    <button onclick="fetchCode()">Fetch Code</button>
    <script>
        async function fetchCode() {
            // Your PUBLIC API Gateway URL goes here.
            const apiUrl = 'YOUR_PUBLIC_API_GATEWAY_URL';
            try {
                const response = await fetch(apiUrl);
                if (!response.ok) throw new Error('HTTP ' + response.status);
                const data = await response.json();
                document.getElementById('code').innerText = data.current_otp;
            } catch (error) {
                document.getElementById('code').innerText = 'Error';
                console.error('Failed to fetch OTP:', error);
            }
        }
    </script>
</body>
</html>

Step 4: Assemble Your Submission Package

After all that, you must:

  1. Record a split-screen video meticulously walking the reviewer through your app and how to use your custom-built 2FA-fetching website.
  2. Explicitly state which country they should test from to avoid geo-blocking issues.
  3. Write crystal-clear use cases for every permission you’re requesting.
  4. Pray they follow the instructions perfectly. If you miss a single step, you’re rejected and have to start the whole process over.

Crucial Security Note: Tear It All Down

Once your app has successfully passed the review process, you MUST disable the AWS Lambda function, delete its API Gateway endpoint, and take down the S3-hosted webpage. Because the account's 2FA secret was generating codes behind a public URL for the whole review, also reset 2FA on the dummy account so that secret stops producing valid codes. This is a critical step to ensure the security of your account and prevent unauthorized access.

This is Unsustainable.

This is unacceptable. Meta, a multi-billion dollar company, apparently cannot spare a few developers to fix the main gateway for its entire app ecosystem. If you no longer wish to provide this service, just say so. Then thousands of us can stop wasting our time, money, and sanity trying to navigate a system that feels intentionally broken.

It currently takes more time and engineering effort to pass this review process than it does to build the actual app features. This is wasting countless developer hours, killing innovation, and creating glaring security holes.

This isn’t a niche complaint. It’s a systemic failure.

Further Reading & Sources

For those deep in this battle, here are some of the resources I found invaluable during my research:

Let’s Demand a Fix

If you’re as frustrated by this as I am, please share this article. Let’s make enough noise that this issue can no longer be ignored.
