App is repeatedly rejected under Guideline 2.5.1 for referencing the private API:_SecCertificateIsValid
Reported custom framework CommonLibrary.framework.
The SDK is written in Objective-C and uses only public Security APIs. It does not use any deprecated APIs. We have verified the framework binary using nm, otool, and strings, and _SecCertificateIsValid does not appear in exported or hidden symbols. Bitcode is disabled, dead-code stripping is enabled, and the Release build uses -Os.
Despite this, App Store Connect continues to detect _SecCertificateIsValid. We have attached herewith screenshots of our analysis for the reference.
Can Apple’s server-side analysis or Security.framework internals still surface _SecCertificateIsValid? Is there a recommended way for SDK authors to prevent this symbol from being flagged?