> I find it strange that a private API can be used accidentally, without something notifying the developer before they’ve gotten to the stage of submitting their app.
It's difficult to use private API accidentally. However, it is possible to use a dependency that purposefully uses private API, which is what happened here.
> Do they provide automated tools for developers to use?
No.
> Or a flag that fails your build if you’re trying to call private APIs
Kinda, but that doesn't help you if your dependency is trying really hard to use that API and has been precompiled.
> For that matter, how are the reviewers catching these API usages?
They're running somewhat stupid static analysis and possibly some dynamic analysis? They don't tell you what they do but they're not very good at it and don't generally catch even basic obfuscation. However, if a human finds your private API usage and you look like you're trying to obfuscate it, they won't be nearly as lenient.
It's difficult to use private API accidentally. However, it is possible to use a dependency that purposefully uses private API, which is what happened here.
> Do they provide automated tools for developers to use?
No.
> Or a flag that fails your build if you’re trying to call private APIs
Kinda, but that doesn't help you if your dependency is trying really hard to use that API and has been precompiled.
> For that matter, how are the reviewers catching these API usages?
They're running somewhat stupid static analysis and possibly some dynamic analysis? They don't tell you what they do but they're not very good at it and don't generally catch even basic obfuscation. However, if a human finds your private API usage and you look like you're trying to obfuscate it, they won't be nearly as lenient.