Long story short, Apple didn't allow us to push a new update to the App Store. It appears that what we did after the previous crackdown is not enough, and they want us to remove everything that can be potentially used for blocking tracking and ads outside of Safari.
IMPORTANT NOTE for those who are not too familiar with AdGuard Pro. I'd like to address a popular concern that I often see on the internet. AdGuard Pro is NOT a real VPN. It does NOT install any profile or certificate. Instead, it uses a public API (NEPacketTunnelProvider) to configure a local VPN tunnel and intercept the outgoing DNS requests. The code of AdGuard Pro is open and available on GitHub. Therefore, this Apple policy has absolutely nothing to do with security or privacy.
Here is their exact answer:
Guideline 2.5.1 - Performance - Software Requirements
Your app uses a VPN profile or root certificate to block ads or other content in a third-party app, which is not allowed on the App Store.
The app by default does not do that. Moreover, it is advertised nowhere that it can. However, it's hard to argue with the fact that it is possible to configure it to block anything you want, including ads, tracking or whatever. There is a configurable blacklist where you can put any domain, after all.
Here is the relevant excerpt from the guidelines:
2.5.1 Apps may only use public APIs and must run on the currently shipping OS. Learn more about public APIs. Keep your apps up-to-date and make sure you phase out any deprecated features, frameworks or technologies that will no longer be supported in future versions of an OS. Apps should use APIs and frameworks for their intended purposes and indicate that integration in their app description. For example, the HomeKit framework should provide home automation services; and HealthKit should be used for health and fitness purposes and integrate with the Health app.
Basically, this guideline makes it impossible to use the VPN API for any purpose other than establishing a real VPN connection. I can name A LOT of cool apps which can be affected by this change and can be taken down at any time: Charles Proxy, DNSCloak, etc., etc. I hope they won't, though, and the whole point of this is to get rid of known ad blockers.
We spent all that time debugging the mysterious VPN API issues and improving the DNS filtering functionality, and now it's all for nothing. What's worse, whatever we do, this guideline can be used against us again to force us to remove any network-level functionality.
Here is what we will do now:
UPDATE (23.07.18): We are not alone. It seems that Apple decided to ban all apps that do content blocking outside of Safari. Malwarebytes is another example.