@denbesten, yes, you're right about the code reviews being out of (ISC)2's scope, so I'll rephrase my line:
'...when determining eligibility for CPEs, I do hope (ISC)2 will take into consideration the app's security, and not just its functionality.'
Hahaha. Great question. Once it is in a complete state, it should be a good candidate for credit.
Funny you should say that because I've debated doing a CISSP specific study version that would eventually be offered in VR.
The security of the app itself is very straightforward and it gets the basic scrutiny of all apps submitted to the Google Play Store, where it now sits as an internal test.