When do you need to report your app’s use of encryption?

Does your app use encryption? That’s the first thing you read after clicking “Submit for Review” in App Store Connect. This question is fairly easy to answer, but after answering it you’re notified that you need to submit a year-end self-classification report.

What is a self-classification report? And why do I need to do it? Apple does not make it clear what you need to do, and there are many conflicting answers on Stack Overflow. In 99% of cases you probably won’t get in trouble for not submitting a report, but App Store Connect did not lie to you. You are required to submit a self-classification report.

The good news is that for most apps you’re only required to submit the report once.

Determining whether you need to submit a report

If your app makes calls over HTTPS or only uses encryption that’s part of iOS to authenticate, verify, or encrypt data, you are using exempt encryption. It’s called exempt encryption because it’s exempt from needing a CCATS code before it’s allowed to be published to the App Store.

Exempt does not mean that it doesn’t need to be included in your self-classification report. Please consult a lawyer if your app uses non-exempt encryption because the remainder of this article assumes your app only uses exempt encryption.

You don’t need to submit a report if your app is only available on the U.S. and Canadian App Stores, because in that case you aren’t exporting your software. However, if your app is available on another country’s App Store you do need to submit a report.

Once you’ve submitted a single year-end self-classification report for that app, and if it’s free to download, the app will no longer be considered subject to Export Administration Regulations. This means you won’t need to submit another report for that app. App Store Connect does not know whether you have submitted a self-classification report for a given app, so it will continue to remind you that the report is necessary. If it’s not free to download, you’ll need to send the report every year.

What if?

What should you do if you incorrectly answered the export compliance questions when you last submitted your app for review? Just answer honestly and correctly on your next update.

What should you do if you didn’t file a year-end report for a year that has already passed? If it’s before February 1st, submit your report now. If it’s after February 1st, just wait until January. There are no instructions for late submission, and there is no need to report that you submitted late.

Submitting your year-end report

The year-end self-classification report must be submitted between January 1st and February 1st. If it’s after February 1st, you’ll need to wait until next year.

If it’s between January 1st and February 1st you will need to submit a report for any apps you’ve published that use encryption and that haven’t been reported yet.

  1. Start your report by visiting this Open Source Self-Classification Report Generator. All data processing is done in the browser and it does not collect the information you enter. I looked at the network traffic and confirmed this myself.
  2. Under Submitter, fill in your Name, Telephone Number, E-Mail Address, and Mailing Address. Select No for Non-U.S. Components and enter N/A for Non-U.S. Manufacturing locations.
  3. Under Product, fill out all fields for each app you are submitting.
    • Enter N/A for Model Number and Manufacturer.
    • Select 5D992 for Export Control Classification Number.
    • Select MMKT for Authorization Type.
    • Select Mobility and mobile applications n.e.s. for Item Type.
    • Click Add Product.
  4. Click Download Report.
  5. Open the downloaded sheet and confirm you have the correct information in the file.
  6. Email the downloaded file as an attachment to crypt-supp8@bis.doc.gov and enc@nsa.gov. The subject of the email should be “self-classification report”, and the body must specify the time frame that your report spans and identify points of contact to whom questions or other inquiries pertaining to the report should be directed.

The column named ECCN stands for Export Control Classification Number. The classification number 5D992 is for information security software that’s available to the mass market (the general public for free or for a published price).

The item type, mobility and mobile applications n.e.s., is a mobile application that doesn’t fit under any of the other item type descriptors listed here. The abbreviation n.e.s. stands for not elsewhere specified.

Congratulations, you’ve completed your obligation to self-report your app’s use of encryption as required by Export Administration Regulations! If you like articles like this, please subscribe and share with your friends on LinkedIn or Twitter.

Legal Disclaimer

The contents of this article are accurate and true to the best of my knowledge, but I am not a lawyer. This article is for informational purposes only and summarizes information published by Apple and the BIS.

7 comments

  1. I am an EU citizen, living in the EU, my corporation is registered in the EU, my contract with Apple is (as far as I remember) with an EU-based company (Apple in Ireland). As far as I can see I am not exporting anything out of the US.

    Do you know if I still need to submit such a report?

    1. Hi Nicolai,
      The app is stored on Apple’s servers in the United States, so you are exporting the app whenever anyone outside of the United States and Canada downloads your app. For this reason you are required to submit a report.

      “When you submit your app to TestFlight or the App Store, you upload your app to a server in the United States. If you distribute your app outside the U.S. or Canada, your app is subject to U.S. export laws, regardless of where your legal entity is based.”

      Source: https://developer.apple.com/documentation/security/complying_with_encryption_export_regulations

      Thanks for the question,
      David

  2. Thanks for the post. I would like to clarify one thing. Does someone need to send a self-classification report if they are not a US citizen and don’t live in the US?

  3. Hi, what would the Export Control Classification Number be for an app that uses in-app purchase using StoreKit? Thank you in advance
