How to determine if my app contains encryption?

Question

After deploying build for my iOS app on TestFlight, Apple was asking me to fill "Export Compliance Information" with the following question:

Does your app use encryption?  Select Yes even if your app only uses the  standard encryption within Apple’s operating system. 

I've searched little bit for an answer here on StackOverflow but my case is little bit specific and haven't found clear answer for my case yet.

1. I am using https to connect to the server.
2. I am using Apple Keychain to store user credentials.
3. I am using encryption on backend to encrypt/decrypt secret file and send decrypted content in response when my app is making an https request (so for this case my app does not use encryption directly).

I assume the answer to the first question is Yes. Definitely because Apple Keychain itself uses encryption.

If I select yes I get to the next question:

Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?   Make sure that your app meets the criteria of the exemption listed below.  You are responsible for the proper classification of your product.  Incorrectly classifying your app may lead to you being in violation of  U.S. export laws and could make you subject to penalties,  including your app being removed from the App Store.  You can select Yes for this question if the encryption of your app is: (a) Specially designed for medical end-use (b) Limited to intellectual property and copyright protection (c) Limited to authentication, digital signature, or the decryption of data or files (d) Specially designed and limited for banking use or “money transactions”; or (e) Limited to “fixed” data compression or coding techniques  You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations. 

I assume I my app is c))

(c) Limited to authentication, digital signature, or the decryption of data or files 

Therefore the answer to this would be also yes.

However I am not sure about this and would like to know your opinion, ideally with a short explanation.

Thanks.

PS: I am including useful links which helped me on how to submit a Self Classification Report:

https://kitefaster.com/2017/08/10/encryption-export-compliance-ios-apps https://simonfairbairn.com/bis-year-end-self-classification-report

Answer 1

The rules regarding a TestFlight app is slightly different from a "real" AppStore release, but the procedure is pretty similar.

As you said, the first question asks “Does your app use encryption?" Here you should select "Yes" even if your app only uses the standard encryption in iOS and macOS / XCode.

Basically: Use of encryption in this case includes, but is not limited to:

- Making calls over secure channels (i.e. HTTPS, SSL, and so on). - Using standard encryption algorithms. - Using crypto functionality from other sources such as iOS or macOS. - Using proprietary or non-standard encryption algorithms. 

The U.S. Government defines "non-standard cryptography" as any implementation of "cryptography" involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body.

Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?

As you said, option C is most often adequate and the correct choice if you don't use any proprietary or non-standard algorithms.

By the way, here's a link to that "Note 4 for Category 5" that they mention.

When you submit a final version of your app to the actual App Store, you will be required to answer these questions again in App Store Connect.

Determine your Export Compliance Requirements, blah, blah...

Basically, you can say yes in the following scenarios:

Select "Yes" for this question if the encryption of your app is:      a. Specially designed for medical end-use     b. Limited to intellectual property and copyright protection     c. Limited to authentication, digital signature, or the decryption of data or files     d. Specially designed and limited for banking use or “money transactions”; or     e. Limited to “fixed” data compression or coding techniques  

It's usually no problems from here on, as long as you pass the internal testing etc. Just follow the prompts when exporting / distributing to App Store.

Remember to update your Xcode settings for your build.

By the way: Consult an attorney for legal guidance if in doubt! This is only my understanding of the process.