Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

App uses https - what is the correct value of ITSAppUsesNonExemptEncryption

The ONLY encryption my App uses is calls over HTTPS. Currently (7 June 2017) iTunes Connect requires an Export Compliance according to this information in iTunes Connect.

enter image description here

I've entered the iTunesConnect -> My Apps -> Features -> Encryption page, clicked the plus symbol besides "iOS Documentation" and in the Export Compliance form answered YES.

enter image description here

The following two screen shots show more details of the export compliance box as I scroll down.

enter image description hereenter image description here

The last 2 screen shots suggest using HTTPS is an EXEMPT use of encryption and I should therefore in info.plist set ITSAppUsesNonExemptEncryption=false. But this is not clear, and is contradicted in my 1st screen shot that says if you are making a call to HTTPS ... required to submit a year-end classification report to the US government.

So my questions:

  1. is it correct to set ITSAppUsesNonExemptEncryption=false if the only encryption I use is via HTTPS calls?

  2. if I must set ITSAppUsesNonExemptEncryption=true, where do I go to submit a report to the US government and how does this report get passed to Apple? I cannot find any clear information on the process. I don't want to screw this up as the consequences can be major as threatened in the last screen shot.

  3. regardless of how I set ITSAppUsesNonExemptEncryption, according to my 1st screen shot if I use HTTPS I must submit a year-end self classification to the US government. Is that true, and what is the process? (clicking the "learn more" link doesn't help)

like image 782
pbm Avatar asked Jun 07 '17 01:06

pbm


People also ask

What is ITSAppUsesNonExemptEncryption?

A Boolean value indicating whether the app uses encryption.

Is HTTPS exempt from export compliance?

Typically, the use of encryption that's built into the operating system—for example, when your app makes HTTPS connections using URLSession —is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not.

Does HTTPS count as encryption?

SSL (HTTPS/TLS) is still encryption and unless you are using it just for authentication, then you should get the proper approval.

Does your app use encryption Apple HTTPS?

App Uses Non-Exempt Encryption : No If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government. Export laws require that products containing encryption must be properly authorized for export.


1 Answers

I was searching the web for this for some hours. Actually it is pretty easy and you can verify this in itunes connect:

1. All you have to do

If your app uses only HTTPS or uses encryption only for authentication, tokens, etc., there is nothing you have to do, just include

<key>ITSAppUsesNonExemptEncryption</key><false/> 

in your Info.plist and you are done.

2. Verification

You can verify this in itunes connect.

  • select your app
  • chose features
  • chose encryption
  • click "+"
  • follow the dialog
  • for https or authentication the answer is yes and yes

3. Year-end self classification report

As is written in the dialog in 2., you still need to submit a year-end self classification report:

If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government. Learn more

You can check How do I submit a Self Classification Report for Encryption Items and this SO question https://stackoverflow.com/a/48462458/276648 .


In any case you should of course read yourself carefully through the dialog.

A very helpful article can be found here:

https://www.cocoanetics.com/2017/02/itunes-connect-encryption-info/

like image 195
Simon C. Avatar answered Sep 29 '22 17:09

Simon C.