Have you tried it yourself on a real device?
Do you have a content security policy meta tag in your index.html? if you have it, make sure you have gap: in the default-src part
I recently experienced the same issue. This is because Apple is now enforcing ipv6 compliance. Even though you didn't hard code an ip address, the URL used for ajax callbacks is being resolved into ip address (which must be an ipv4 ip address if you're getting rejected by Apple). Note that your Android version works fine because Android isn't doing anything about ipv6 compliance yet.
To resolve this issue, you'll need to contact your web server host and request a ipv6 ip address. Head over to http://ready.chair6.net and paste in the URL you are using for ajax callbacks. It'll confirm whether or not you're ipv6 compliant which is a good way to double check you've set up your new ipv6 address correctly before attempting to resubmit your app.
Hope that helps,
At me too such problem. Was this issue resolved?
I am also running into this issue, and I have no real external links.
I am not sure what the issue is. I thought IPv6 compliance enforced a year ago?