What should I select for "Export Compliance"?

I am ready to submit my app for beta testing. I uploaded the build to App Store Connect, however, I'm unsure about providing a Missing Complance. I use Firebase for Phone Authentication, Crashlytics, and Cloud Firestore in my app. Does that use HTTPS or SSL encryption that I should "Yes" to that question. Or should I say "No" to that question?


Thank you.

10 Replies

Good find, good luck.

OK. They have an example report on BIS’s website and it looks pretty simple. Nothing too intimidating.

Report filing is annual, yes, so you have until 2.1.20 to get the one for 2019 year in.

> Just remember there are two filing deadlines per year, as I understand it - Feb. 1 & Aug. 1


I thought that you only had to file the report in January as it is "year-end." Is that right?

>What about the end of the year self-classification report to BIS?


Remember that opinions posited here such as "I suspect the government won't care or notice if you fail to submit the report", along with claims that "Many, many app developers are failing to submit those reports" are purely anecdotal, and while fine if that's how they want to operate w/their apps, suggesting in any way that others avoid regulation is simply reckless.


Good on you for respecting the process and asking how to deal with it, just pls. be careful whom you listen to along the way.

A strict read of the regulations may actually require one or more 'reports'. Apple's https://help.apple.com/app-store-connect/#/devc3f64248f references a "Self Classification Report" for apps that "use ATS or make a call to HTTPS", among other things.


My issue with that 'no' in the info.plist rather than the 'yes-yes' answers that I suggest above is because of the appearance of being forthright in that first 'yes' (and then failing to send a meaningless report) versus the possible misinterpretation of having said 'no' in the info.plist because of a claim that the app 'doesn't use encryption'.

Did you decide your answer?


If you decided to say no, then no, not necessary. If yes, see the discussion and BIS link here: https://help.apple.com/app-store-connect/#/dev88f5c7bf9


Just remember there are two filing deadlines per year, as I understand it - Feb. 1 & Aug. 1


Good luck.

Thank you for your response. I apologize for not responding for a while. What about the end of the year self-classification report to BIS? I know Apple is not responsible for that request but is it necessary for my circumstances?

Nothing about your app falls under the auspices of US export restrictions. Read what Apple has to say about your options, and resist being (further) confused by casual/anecdotes you may encounter in the process.


Quoting the docs (emphasis mine):


Complying with Encryption Export Regulations


-=-

Every time you submit a new version of your app, App Store Connect asks you questions to guide you through a compliance review. You can bypass these questions and streamline the submission process by providing the required information in your app’s Information Property List file.


Declare Your App’s Use of Encryption

Add the ITSAppUsesNonExemptEncryption key to your app’s Info.plist file with a Boolean value that indicates whether your app uses encryption. Set the value to NO if your app—including any third-party libraries it links against—doesn’t use encryption, or if it only uses forms of encryption that are exempt from export compliance documentation requirements. Otherwise, set it to YES.


Typically, the use of encryption that’s built into the operating system—for example, when your app makes HTTPS connections using

URLSession
—is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not. To determine whether your use of encryption is considered exempt, see Determine your export compliance requirements.

-=-


In your example, my opinion is that you should answer 'no', but as outlined above, declaring so via Info.plist allows you to bypass that question all together. Don't complicate the process otherwise.


Assuming this email is still active, if you have questions related to export compliance and your app's use of encryption, please contact the App Store Export Compliance team at appstore.ec@apple.com.

If you access any https website then you are using https.

You can always assume you are using encryption somewhere and say 'yes' to that question and then say you are exempt from the regulations in the next question.