When do you need to report your app’s use of encryption?

Does your app use encryption? That’s the first thing you read after clicking “Submit for Review” in App Store Connect. This question is fairly easy to answer, but after answering it you’re notified that you need to submit a year-end self-classification report.

What is a self-classification report? And why do I need to do it? Apple does not make it clear what you need to do, and there are many conflicting answers on Stack Overflow. The reason is that this requirement has changed over time.

Determining whether you need to submit a report

If your app makes calls to HTTPS or only uses encryption that’s part of iOS to authenticate, verify, or encrypt data you are using exempt encryption. It’s called exempt encryption because it’s exempt from needing a CCATS code before it’s allowed to be published to the App Store.

Starting on March 29th, 2021 apps using only exempt encryption no longer require you to submit an annual self-classification report. Please consult a lawyer if your app uses non-exempt encryption because the remainder of this article assumes your app only uses exempt encryption.

App developers used to be required to submit an annual self-classification report for any of their apps that used any type of encryption. As of May 24, 2024 Mac and iOS apps that are available to the mass market (the general public for free or for a published price) fall under Export Administration Regulation Section 740.17(b)(1) which does not require submission of an annual self-classification report.

This article summarizes information published by Apple and the BIS. If you like articles like this please subscribe and share with your friends on LinkedIn or Twitter.

7 comments

  1. I am a EU citizen, living in EU, my corporation is registred in EU, my contract with Apple is (as far as I remember) with a EU based company (Apple in Ireland). As far as I can see I am not exporting anything out of the US.

    Do you know if I still need to submit such a report?

    1. Hi Nicolai,
      The app is stored on Apple’s servers in the United States, so you are exporting the app whenever anyone outside of the United States and Canada downloads your app. For this reason you are required to submit a report.

      “When you submit your app to TestFlight or the App Store, you upload your app to a server in the United States. If you distribute your app outside the U.S. or Canada, your app is subject to U.S. export laws, regardless of where your legal entity is based.”

      Source: https://developer.apple.com/documentation/security/complying_with_encryption_export_regulations

      Thanks for the question,
      David

  2. Thanks for the post. I would like to clarify one thing. Does someone need to send a self-classification report, if they are not US citizen and don’t live in the US?

  3. Hi, what would the Export Control Classification Number be for an app that uses in-app purchase using StoreKit? Thank you in advance

Comments are closed.