Apps on Apple’s App Store are technically originating in the US. Therefore they are affected by US rules governing the export of encryption technology. For a long while, I remember, Apple asked developers during app submission if the app was using encryption.
Most people just chose no for this question, if their app uses encryption, even when they were simply accessing web services or pages via HTTPS. So did I and it was confirmed to me by an Apple employee at one WWDC who told me that iOS encryption is exempted from the export restriction rule. So we kept saying no.
The reason for this worry was that saying yes would mean you would have to get special permission from the US government and would have the hassle of having to submit reports about your encryption every year. All these complications we would want to avoid, especially when building apps for clients whom you could hardly hope to explain why they would be required to jump through such hoops.
Fortunately since then it has been clarified that if the app “Only makes call(s) over HTTPS” it gets an exemption. There are more elaborate explanations on why this exemption exists and I am not a lawyer… but I think the main reasons for this exemption is that you cannot encrypt user files with HTTPS on disk, you cannot change how HTTPS works because it is part of the OS and the source code for SSL is publicly available.
So, for this specific use case, accessing a RESTful API via HTTPS, the correct answers are:
Question 1: Is your app designed to use cryptography or does it contain or incorporate cryptography?
– Making calls over secure channels (i.e. HTTPS, SSL, and so on)
– Using standard encryption algorithms
– Using crypto functionality from other sources such as iOS or macOS
– Using proprietary or non-standard encryption algorithms
We answer YES, because we are using the SSL standard encryption algorithm from iOS or macOS to make calls over secure channels. 3 out of 4 when only one is enough for an affirmative answer.
OMG OMG, we are using encryption…
Question 2: Does your app meet any of the following:
– Qualifies for one or more exemptions provided under category 5 part 2
– Use of encryption is limited to encryption within the operating system (iOS or macOS)
– Only makes call(s) over HTTPS
– App is made available only in the U.S. and/or Canada
We answer YES, YES, YES, phew! Again, only one match with one of the four examples would have been sufficient. But we are exempted.
There are two more questions but you will only ever see these if you answered NO to the latter question.
Then Apple acquired TestFlight
Since beta testing is also a form of international distribution – especially if you are sharing your app with international users by e-mail – Apple wants to know about the encryption status of your app beforehand.
The initial process was to specify the Export Compliance Information also by answering the above questions. But having to do so for every build or new version gets old really fast. Which is why Apple added the functionality for us to add this information already in Xcode.
The developer knows best if the app contains an exempt encryption and the ITSAppUsesNonExemptEncryption key in Info.plist lets you codify the answer once and for all.
But what is the correct bool value. True or False? The double negative in here might confuse you… I know some people who were.
Read the key again: App uses non-exempt encryption… does it use an encryption that is not exempt from the export restriction?
The correct answers is FALSE. HTTPS is exempt. Since we don’t use anything else we DON’T use a NON-exempt encryption.
Which is why I am now adding this to all my app’s Info.plist:
Xcode even has a nice way to display this:
With this setting in there the TestFlight builds become available for testing as soon as processing is done. No longer are my clients bothered by having to think of the right answers to these questions about encryption.
Many an app submission has caused uneasy feelings in the early days of the App Store because people didn’t know how to properly deal with the export restrictions. It was very welcome that Apple clarified this common use case of HTTPS as being exempt from having to register and report to the US government.
It is great that Apple added this functionality to specify the encryption technologies status information in Xcode. Now we developers can mark our app as being harmless and no longer need to bother our clients with such questions.
Also published on Medium.