The ONLY encryption my App uses is calls over HTTPS. Currently (7 June 2017) iTunes Connect requires an Export Compliance according to this information in iTunes Connect.

I've entered the iTunesConnect -> My Apps -> Features -> Encryption page, clicked the plus symbol besides "iOS Documentation" and in the Export Compliance form answered YES.

The following two screen shots show more details of the export compliance box as I scroll down.


The last 2 screen shots suggest using HTTPS is an EXEMPT use of encryption and I should therefore in info.plist set ITSAppUsesNonExemptEncryption=false. But this is not clear, and is contradicted in my 1st screen shot that says if you are making a call to HTTPS ... required to submit a year-end classification report to the US government.
So my questions:
is it correct to set ITSAppUsesNonExemptEncryption=false if the only encryption I use is via HTTPS calls?
if I must set ITSAppUsesNonExemptEncryption=true, where do I go to submit a report to the US government and how does this report get passed to Apple? I cannot find any clear information on the process. I don't want to screw this up as the consequences can be major as threatened in the last screen shot.
regardless of how I set ITSAppUsesNonExemptEncryption, according to my 1st screen shot if I use HTTPS I must submit a year-end self classification to the US government. Is that true, and what is the process? (clicking the "learn more" link doesn't help)
A Boolean value indicating whether the app uses encryption.
Typically, the use of encryption that's built into the operating system—for example, when your app makes HTTPS connections using URLSession —is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not.
SSL (HTTPS/TLS) is still encryption and unless you are using it just for authentication, then you should get the proper approval.
App Uses Non-Exempt Encryption : No If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government. Export laws require that products containing encryption must be properly authorized for export.
I was searching the web for this for some hours. Actually it is pretty easy and you can verify this in itunes connect:
1. All you have to do
If your app uses only HTTPS or uses encryption only for authentication, tokens, etc., there is nothing you have to do, just include
<key>ITSAppUsesNonExemptEncryption</key><false/> in your Info.plist and you are done.
2. Verification
You can verify this in itunes connect.
3. Year-end self classification report
As is written in the dialog in 2., you still need to submit a year-end self classification report:
If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government. Learn more
You can check How do I submit a Self Classification Report for Encryption Items and this SO question https://stackoverflow.com/a/48462458/276648 .
In any case you should of course read yourself carefully through the dialog.
A very helpful article can be found here:
https://www.cocoanetics.com/2017/02/itunes-connect-encryption-info/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With