Hello everyone,
Our app was recently rejected under Guideline 5.0 – Legal (U.S. Sanctions Compliance). Apple review reported that the binary contains the following domain:
https://lib.eshia.ir
However, after extensive investigation:
• The app does NOT connect to this domain
• The app does NOT provide services to sanctioned regions
• The domain does NOT exist in our source code, API calls, or UI
• Network logs confirm no outgoing requests to this host
We suspect the reference is coming from a bundled third-party dependency dataset (possibly a public suffix / domain validation / fraud detection list embedded in a framework).
We already:
- Extracted IPA
- Scanned all source files
- Ran `strings` on the main binary
- Checked networking layer
But we still cannot identify which framework contains this entry.
Questions:
- Has anyone faced a sanctions rejection due to a domain inside a compiled SDK dataset?
- Is Apple expecting removal of the exact string from the binary even if unused?
- How do you typically identify the specific framework containing the string?
- Is it acceptable to strip the string from the binary or must the dependency be removed entirely?
We are preparing a compliance fix and want to ensure the correct approach before resubmitting.
Any guidance would be greatly appreciated.
Thanks!
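One way to attribute the string to a specific embedded framework, as an added example that is not part of the original post: it scans every file inside the IPA, not only the main binary, for the bare hostname in both ASCII and UTF-16LE form and reports the owning bundle. The sample archive, `Demo.app`, and `HypotheticalSDK` are constructed placeholders.

```python
import io
import re
import zipfile

# Owning bundle inside Payload/<App>.app/, e.g. Frameworks/Foo.framework
_COMPONENT = re.compile(r"^Payload/[^/]+\.app/((?:Frameworks|PlugIns)/[^/]+)/")


def needle_variants(host):
    """Byte patterns for the host as stored in C strings and in UTF-16 strings."""
    return {"ascii/utf-8": host.encode("utf-8"),
            "utf-16le": host.encode("utf-16-le")}


def find_host_in_ipa(ipa, host):
    """Return sorted (component, member_path, encoding, offset) hits.

    `ipa` is a path or file-like object; an .ipa is an ordinary zip archive.
    """
    hits = []
    variants = needle_variants(host)
    with zipfile.ZipFile(ipa) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            match = _COMPONENT.match(info.filename)
            component = match.group(1) if match else "main app bundle"
            for encoding, pattern in variants.items():
                offset = data.find(pattern)
                if offset != -1:
                    hits.append((component, info.filename, encoding, offset))
    return sorted(hits)


def build_sample_ipa():
    """Constructed sample: clean main binary, hypothetical SDK embedding a host list."""
    sdk = "Payload/Demo.app/Frameworks/HypotheticalSDK.framework/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfeapi.example.com\x00")
        zf.writestr(sdk + "HypotheticalSDK",
                    b"\xcf\xfa\xed\xfe\x00example.org\x00lib.eshia.ir\x00example.net\x00")
        zf.writestr(sdk + "hosts.dat", "lib.eshia.ir".encode("utf-16-le"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for component, path, encoding, offset in find_host_in_ipa(build_sample_ipa(), "lib.eshia.ir"):
        print(f"{component}: {path} [{encoding}] @ offset {offset}")
```

Searching for the hostname without the `https://` scheme catches data sets that store hosts and schemes separately. A data set that is compressed or otherwise encoded inside a resource file will not match a raw byte search and has to be unpacked first.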