Does your app use encryption? That’s the first thing you read after clicking “Submit for Review” in App Store Connect. This question is fairly easy to answer, but after answering it you’re notified that you need to submit a year-end self-classification report.
What is a self-classification report? And why do I need to do it? Apple does not make it clear what you need to do, and there are many conflicting answers on Stack Overflow. The reason is that this requirement has changed over time.
Determining whether you need to submit a report
If your app makes calls to HTTPS or only uses encryption that’s part of iOS to authenticate, verify, or encrypt data you are using exempt encryption. It’s called exempt encryption because it’s exempt from needing a CCATS code before it’s allowed to be published to the App Store.
Starting on March 29th, 2021 apps using only exempt encryption no longer require you to submit an annual self-classification report. Please consult a lawyer if your app uses non-exempt encryption because the remainder of this article assumes your app only uses exempt encryption.
Mac and iOS apps that are available to the mass market (the general public for free or for a published price) fall under Export Administration Regulation Section 740.17(b)(1) which currently does not require submission of an annual self-classification report.
Updated January 24, 2023