We usually see this question from Apple while preparing our app for Appstore submission. From my own experience and the talks I had with my friends in iOS dev community, I am pretty sure that most of us were confused with this question and even more confused with the description Apple provided below this question.
Developers including me used to google a bit at the time of Appstore submission regarding this and we all have gone with 'YES' and often 'NO' here. But what exactly are Apple intending with these questions? and how should we select the appropriate option?. Let's dig in.
Should I select 'Yes' if I am using https to connect to the server?
The answer to this question is simply YES. We should select yes option even if we only used 'https' to connect to the server and did not use any other standard encryptions in our app, because Apple consider https as a standard encryption itself.
When should I select 'No' option?
If your app does not even use https for server communication(which is very rare these days) you can select 'NO' here. But using 'http' protocol for server communication implies you to set 'Allow Arbitrary Loads' to 'True' under 'App Transport Security Settings' in info.plist.
If you select 'Yes' option to this question, The next question will be
Does your app qualify for any of the exemptions provided in Category 5,
Part 2 of the U.S. Export Administration Regulations?
Below this question, We have the following description.
_Make sure that your app meets the criteria of the exemption listed below.
You are responsible for the proper classification of your product.
Incorrectly classifying your app may lead to you being in violation of
U.S. export laws and could make you subject to penalties,
including your app being removed from the App Store.
You can select Yes for this question if the encryption of your app is:
(a) Specially designed for medical end-use
(b) Limited to intellectual property and copyright protection
(c) Limited to authentication, digital signature, or the decryption of data or files
(d) Specially designed and limited for banking use or “money transactions”; or
(e) Limited to “fixed” data compression or coding techniques
You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations. _
If my app uses Apple Keychain, Will it fall under any of these exceptions?
Yes. It will fall under category _(c) Limited to authentication, digital signature, or the decryption of data or files _
If my app uses third party encryption libraries, Will it fall under any of these exceptions?
Most of the third party encryption libraries available for iOS uses standard encryption and decryption algorithms that are recognised world wide. Apple has added these standard encryption methods under exception in category c.Thus if you are using these common encryption libraries in iOS, You can answer 'YES' to this question.
In which case my app does not fall under any of these exceptions categories?
If you use some custom encryption algorithm(usually created by the developers of the application itself) in your app, you should select 'NO' here.
Latest comments (4)
Thanks so much for sharing. Well explained!
Any advice on how to submit the self-classification report? Is this usable annual-self-classification-report.... ?
Thanks for this. For evidence that HTTPS counts as encryption, see Apple's article on Export compliance overview.
Thanks for sharing this
Really helpful!