[Bug report] Binary of MLKitTextRecognitionCommon 5.0.0 includes URL linked to sanctioned country (https://nic.ir.md)

[CCB-cerivera]

Describe the bug
Hello,
We’re using a third-party SDK (MLKit) in our React Native project, which depends on MLKitTextRecognitionCommon 5.0.0. During Apple App Store review, our app was rejected under guideline 5.0 - Legal, due to the presence of the following prohibited URL found inside the binary:

https://nic.ir.md

This URL appears inside:

Pods/MLKitTextRecognitionCommon/Frameworks/MLKitTextRecognitionCommon.framework/MLKitTextRecognitionCommon

This may be part of a public suffix list embedded in the binary, possibly in relation to domain validation logic.

As Iran is a U.S.-sanctioned country, Apple refuses to accept any references to it — even in unused metadata or strings — and explicitly flagged this URL as a blocker.

Can you please confirm if:

This string is intentionally included by Google in this MLKit release?

A new release can be issued with this reference removed or sanitized?

We are unable to publish the app while this string remains inside the framework.

Steps to Reproduce:

Add MLKitTextRecognitionCommon via CocoaPods (~> 5.0.0)

Build the project

Run: strings MLKitTextRecognitionCommon | grep -i 'nic.ir'

Thanks in advance. This affects distribution of apps in the Apple App Store.

To Reproduce
This is not a runtime issue or code error, but rather a binary content issue that leads to Apple App Store rejection due to legal/sanction compliance.

You can reproduce the issue as follows:

Add the following to a Podfile:

pod 'MLKitTextRecognition', '~> 6.0'

Run:

pod install

Locate the MLKitTextRecognitionCommon binary:

cd ios/Pods/MLKitTextRecognitionCommon/Frameworks/MLKitTextRecognitionCommon.framework

Use strings to inspect the binary:

strings MLKitTextRecognitionCommon | grep -i 'nic.ir'

You'll see output such as:

// ir.md : https://nic.ir.md

This results in App Store rejection under Guideline 5.0 - Legal, as Apple prohibits inclusion of references to sanctioned countries (Iran in this case), even in static metadata.

Expected behavior
Those URLs should not exist.

SDK Info:

• SDK Name & Version [MLKitTextRecognitionCommon via CocoaPods (~> 5.0.0)]

[SveBo]

I can verify the URL exists and our app also got rejected.

[MauricioDomenech]

I also have a rejection from Apple, until you don't remove that URL, Apple will not approve my app.

[CCB-cerivera]

@MauricioDomenech
@SveBo

You can write the following; in my case, I was approved after this. However, I recommend checking specifically which section of the SDK has it and adding that to the review comment:

Google uses a version of the public domain suffix list ([public_suffix_list.dat](https://publicsuffix.org/list/public_suffix_list.dat)) that includes the ir.md entry.

You can use this command to check specifically where the file containing the URL is located:

grep -r "nic.ir.md".

Then send this to Apple, remembering to include in the message which SDK file the URL is located in.

Dear Apple Review Team,

We are writing to you regarding the rejection of our application, which indicates that it contains references to territories subject to US embargo.
After conducting a thorough technical analysis, we have identified that these references come from a third-party library used in the project, which is part of the official Google SDK.

We would like to emphasize that:
• The references detected (such as nic.ir.md) correspond to static examples included in configuration files or internal SDK documentation.
• No network calls are made or communication is established with domains, entities, or servers related to these territories.

Therefore, the application does not contain any active or intentional functionality that violates Apple or US government embargo policies.

[CCB-cerivera]

Now if it is not the Google SDK, then check that your SDK or own implementation uses the public suffix list public_suffix_list.dat