I am ready to submit my app for beta testing. I uploaded the build to App Store Connect, however, I'm unsure about providing a Missing Complance. I use Firebase for Phone Authentication, Crashlytics, and Cloud Firestore in my app. Does that use HTTPS or SSL encryption that I should "Yes" to that question. Or should I say "No" to that question?
Thank you.
If you access any https website then you are using https.
You can always assume you are using encryption somewhere and say 'yes' to that question and then say you are exempt from the regulations in the next question.
Nothing about your app falls under the auspices of US export restrictions. Read what Apple has to say about your options, and resist being (further) confused by casual/anecdotes you may encounter in the process.
Quoting the docs (emphasis mine):
Complying with Encryption Export Regulations
-=-
Every time you submit a new version of your app, App Store Connect asks you questions to guide you through a compliance review. You can bypass these questions and streamline the submission process by providing the required information in your app’s Information Property List file.
Declare Your App’s Use of Encryption
Add the ITSAppUsesNonExemptEncryption key to your app’s Info.plist file with a Boolean value that indicates whether your app uses encryption. Set the value to NO if your app—including any third-party libraries it links against—doesn’t use encryption, or if it only uses forms of encryption that are exempt from export compliance documentation requirements. Otherwise, set it to YES.
Typically, the use of encryption that’s built into the operating system—for example, when your app makes HTTPS connections using
URLSession-=-
In your example, my opinion is that you should answer 'no', but as outlined above, declaring so via Info.plist allows you to bypass that question all together. Don't complicate the process otherwise.
Assuming this email is still active, if you have questions related to export compliance and your app's use of encryption, please contact the App Store Export Compliance team at appstore.ec@apple.com.
A strict read of the regulations may actually require one or more 'reports'. Apple's https://help.apple.com/app-store-connect/#/devc3f64248f references a "Self Classification Report" for apps that "use ATS or make a call to HTTPS", among other things.
My issue with that 'no' in the info.plist rather than the 'yes-yes' answers that I suggest above is because of the appearance of being forthright in that first 'yes' (and then failing to send a meaningless report) versus the possible misinterpretation of having said 'no' in the info.plist because of a claim that the app 'doesn't use encryption'.
I don't even want to publish my app to the US, why I have to input any of these for sake?
As Apple states here:
https://help.apple.com/app-store-connect/#/dev88f5c7bf9
Export compliance overview
Apps uploaded to App Store Connect are uploaded to an Apple server in the United States. When you submit your app with the intention of distributing your app on the App Store or to external testers through TestFlight outside of the U.S. or Canada, it is considered a U.S. export and is subject to U.S. export laws (regardless of where your legal entity is based).