You have three options here:
Move to a different asset download mechanism (like Apple’s own on-demand resources)
Change your server to support HTTPS
Change your app to declare an ATS exception for the specific domain from which you download your assets, and then deal with the App Review fallout
Of these, I know which one I’d rather do (-:
IMPORTANT Keep in mind that, if you download assets via HTTP, someone can trivially spoof the server to substitute their own assets. That might expose your app to security vulnerabilities. So, if you skip the security given to you by HTTPS, you have to add your own security, checking the validity of the assets via some other means.
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"