What should I select for "Export Compliance"?

I am ready to submit my app for beta testing. I uploaded the build to App Store Connect, however, I'm unsure about providing a Missing Complance. I use Firebase for Phone Authentication, Crashlytics, and Cloud Firestore in my app. Does that use HTTPS or SSL encryption that I should "Yes" to that question. Or should I say "No" to that question?


Thank you.

Replies

If you access any https website then you are using https.

You can always assume you are using encryption somewhere and say 'yes' to that question and then say you are exempt from the regulations in the next question.

Nothing about your app falls under the auspices of US export restrictions. Read what Apple has to say about your options, and resist being (further) confused by casual/anecdotes you may encounter in the process.


Quoting the docs (emphasis mine):


Complying with Encryption Export Regulations


-=-

Every time you submit a new version of your app, App Store Connect asks you questions to guide you through a compliance review. You can bypass these questions and streamline the submission process by providing the required information in your app’s Information Property List file.


Declare Your App’s Use of Encryption

Add the ITSAppUsesNonExemptEncryption key to your app’s Info.plist file with a Boolean value that indicates whether your app uses encryption. Set the value to NO if your app—including any third-party libraries it links against—doesn’t use encryption, or if it only uses forms of encryption that are exempt from export compliance documentation requirements. Otherwise, set it to YES.


Typically, the use of encryption that’s built into the operating system—for example, when your app makes HTTPS connections using

URLSession
—is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not. To determine whether your use of encryption is considered exempt, see Determine your export compliance requirements.

-=-


In your example, my opinion is that you should answer 'no', but as outlined above, declaring so via Info.plist allows you to bypass that question all together. Don't complicate the process otherwise.


Assuming this email is still active, if you have questions related to export compliance and your app's use of encryption, please contact the App Store Export Compliance team at appstore.ec@apple.com.

Post not yet marked as solved Up vote reply of KMT Down vote reply of KMT

A strict read of the regulations may actually require one or more 'reports'. Apple's https://help.apple.com/app-store-connect/#/devc3f64248f references a "Self Classification Report" for apps that "use ATS or make a call to HTTPS", among other things.


My issue with that 'no' in the info.plist rather than the 'yes-yes' answers that I suggest above is because of the appearance of being forthright in that first 'yes' (and then failing to send a meaningless report) versus the possible misinterpretation of having said 'no' in the info.plist because of a claim that the app 'doesn't use encryption'.

Post not yet marked as solved Up vote reply of PBK Down vote reply of PBK
Hello,

I am working on education app and want to play video which are hosted on AWS

Please advise if I should "Yes" to that question. Or should I say "No" to that question?

thanks

I don't even want to publish my app to the US, why I have to input any of these for sake?

  • This is a interesting questiong. I would like to know the answer, as well.

Add a Comment

As Apple states here:
https://help.apple.com/app-store-connect/#/dev88f5c7bf9

Export compliance overview

Apps uploaded to App Store Connect are uploaded to an Apple server in the United States. When you submit your app with the intention of distributing your app on the App Store or to external testers through TestFlight outside of the U.S. or Canada, it is considered a U.S. export and is subject to U.S. export laws (regardless of where your legal entity is based).