When do you need to report your app’s use of encryption?

Does your app use encryption? That’s the first thing you read after clicking “Submit for Review” in App Store Connect. This question is fairly easy to answer, but after answering it you’re notified that you need to submit a year-end self-classification report.

What is a self-classification report? And why do I need to do it? Apple does not make it clear what you need to do, and there are many conflicting answers on Stack Overflow. In 99% of cases you probably won’t get in trouble for not submitting a report, but App Store Connect did not lie to you. You are required to submit a self-classification report.

The good news is that for most apps you’re only required to submit the report once.

Determining whether you need to submit a report

If your app makes calls to HTTPS or only uses encryption that’s part of iOS to authenticate, verify, or encrypt data you are using exempt encryption. It’s called exempt encryption because it’s exempt from needing a CCATS code before it’s allowed to be published to the App Store.

Exempt does not mean that it doesn’t need to be included in your self-classification report. Please consult a lawyer if your app uses non-exempt encryption because the remainder of this article assumes your app only uses exempt encryption.

You don’t need to submit a report if your app is only available on the U.S. and Canadian App Stores, because in that case you aren’t exporting your software. However, if your app is available on other country’s App Store you do need to submit a report.

Once your app is publicly available on the App Store, and once you’ve submitted a single year-end self-classification report for that app, the app will no longer be considered subject to Export Administration Regulations. This means you won’t need to submit another report for that app. App Store Connect does not know whether you have submitted a self-classification report for a given app so it will continue to remind you that the report is necessary.

What if?

What should you do if you incorrectly answered the export compliance questions when you last submitted your app for review? Just answer honestly and correctly on your next update.

What should you do if you didn’t file a year-end report for an already passed year? If it’s before February 1st submit your report now. If it’s after February 1st just wait until January. There are no instructions for late submission, and there is no need to report that you submitted late.

Submitting your year-end report

The year-end self-classification report must be submitted between January 1st and February 1st. If it’s after February 1st, you’ll need to wait until next year.

Do you want a reminder on January 1st? Then enter your email address in the form at the bottom of this page.

If it’s between January 1st and February 1st you will need to submit a report for any apps you’ve published that use encryption and haven’t been reported yet.

  1. Start your report by making a copy of this spreadsheet. From the top menu select File > Make a copy.
  2. For your first app, fill in the correct values for the cells currently containing: (your app’s name), (your name), (your phone number) (your email address) (your mailing address).
  3. If you have additional apps you haven’t reported, duplicate this row for each  app. For each row only change the Product Name. Each row must have identical values for all other columns.
  4. From the top menu select File > Download > Comma-separated values (.cvs, current sheet).
  5. Open the downloaded sheet and confirm you have the correct information in the file.
  6. Email the downloaded file as an attachment to crypt-supp8@bis.doc.gov and enc@nsa.gov. The subject of the email should be “self-classification report”, and the body must specify the time frame that your report spans and identify points of contact to whom questions or other inquiries pertaining to the report should be directed.

The column named ECCN stands for Export Control Classification Number. The classification number 5D992 is for information security software that’s available to the mass market (the general public for free or for a published price).

The item type, mobility and mobile applications n.e.s., is a mobile application that doesn’t fit under any of the other item type descriptors listed here. The abbreviation n.e.s. stands for not elsewhere specified.

Congratulations those apps are now no longer considered subject to Export Administration Regulations! Comment below or send me an email if you want any information related to export compliance for your apps.

Legal Disclaimer

The contents of this article is accurate and true to the best of my knowledge, but I am not a lawyer. This article is for informational purposes only and summarizes information published by Apple and the BIS.

5 comments

  1. I am a EU citizen, living in EU, my corporation is registred in EU, my contract with Apple is (as far as I remember) with a EU based company (Apple in Ireland). As far as I can see I am not exporting anything out of the US.

    Do you know if I still need to submit such a report?

    1. Hi Nicolai,
      The app is stored on Apple’s servers in the United States, so you are exporting the app whenever anyone outside of the United States and Canada downloads your app. For this reason you are required to submit a report.

      “When you submit your app to TestFlight or the App Store, you upload your app to a server in the United States. If you distribute your app outside the U.S. or Canada, your app is subject to U.S. export laws, regardless of where your legal entity is based.”

      Source: https://developer.apple.com/documentation/security/complying_with_encryption_export_regulations

      Thanks for the question,
      David

  2. Thanks for the post. I would like to clarify one thing. Does someone need to send a self-classification report, if they are not US citizen and don’t live in the US?

Leave a Reply

Your email address will not be published. Required fields are marked *