When do you need to report your app’s use of encryption?

Does your app use encryption? That’s the first thing you read after clicking “Submit for Review” in App Store Connect. This question is fairly easy to answer, but after answering it you’re notified that you need to submit a year-end self-classification report.

What is a self-classification report? And why do I need to do it? Apple does not make it clear what you need to do, and there are many conflicting answers on Stack Overflow. The reason is that this requirement has changed over time.

Determining whether you need to submit a report

If your app makes calls over HTTPS, or only uses encryption that’s part of iOS to authenticate, verify, or encrypt data, you are using exempt encryption. It’s called exempt encryption because it’s exempt from needing a CCATS code before it’s allowed to be published to the App Store.

In the past, developers with apps using exempt encryption were still required to submit an annual self-classification report. Starting March 29th, 2021, apps using only exempt encryption no longer require you to submit one.

As of the latest update to this article in 2024, Mac and iOS apps that are available to the mass market (the general public for free or for a published price) fall under Export Administration Regulation Section 740.17(b)(1), which does not require submission of an annual self-classification report.

If you would like to read more, take a look at this Apple help article and the BIS page on encryption. If this article helped you out, please subscribe to the email list and share with your friends on LinkedIn or Twitter.

7 comments

  1. I am an EU citizen, living in the EU, my corporation is registered in the EU, my contract with Apple is (as far as I remember) with an EU-based company (Apple in Ireland). As far as I can see I am not exporting anything out of the US.

    Do you know if I still need to submit such a report?

    1. Hi Nicolai,
      The app is stored on Apple’s servers in the United States, so you are exporting the app whenever anyone outside of the United States and Canada downloads your app. For this reason you are required to submit a report.

      “When you submit your app to TestFlight or the App Store, you upload your app to a server in the United States. If you distribute your app outside the U.S. or Canada, your app is subject to U.S. export laws, regardless of where your legal entity is based.”

      Source: https://developer.apple.com/documentation/security/complying_with_encryption_export_regulations

      Thanks for the question,
      David

  2. Thanks for the post. I would like to clarify one thing. Does someone need to send a self-classification report if they are not a US citizen and don’t live in the US?

  3. Hi, what would the Export Control Classification Number be for an app that uses in-app purchase using StoreKit? Thank you in advance
