22

When I tried to activate a build of my app for Test Flight usage, I got asked this question:

Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available in iOS or OS X.)

In my app, I'm sending API calls over HTTPS to my remote server so users can make friends, chat, authenticate, etc.

Does this count? I'm kind of confused why they're asking this now AND only for Test Flight.

Rafi
  • 1,902
  • 3
  • 24
  • 46

4 Answers4

17

You can select NO as using HTTPS is now exempt from the Exporter Registration and Reporting (ERN) as of late September, 2016: https://stackoverflow.com/a/40919650/4976373

Community
  • 1
  • 1
Jonathan Cabrera
  • 1,656
  • 1
  • 19
  • 20
  • 15
    If I select No, it states the following: "If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government.". What is this? The "Learn more" link doesn't really help me. – mvandillen Jun 08 '17 at 11:10
  • 4
    Is it still exempt? If I try to upload something now it specifically says `If you are making use of ATS or making a call to HTTPS please note that you are required to....`. It doesn't sound like HTTPS is exempt.. – Sti Jul 06 '17 at 14:29
  • I using a encryption for some of my data but I am not releasing the app for U.S should I still give self classification for US government – Santhosh S Kashyap Apr 05 '18 at 08:33
  • 1
    @Dmitry, as mvandillen points out, if you choose *No*, it gives you an extra instruction for HTTPS, so *No* seems to be the correct option if you're using HTTPS. – Jonathan Cabrera Oct 08 '18 at 20:58
8

If you are using just HTTPS then there is no need to select this option. You can set it as NO. You have to set it to Yes only if you use custom cryptography in your code to encrypt or decrypt data. But if its just https calls then you can set this to No.

Pradeep K
  • 3,671
  • 1
  • 11
  • 15
7
  1. You must answer YES that the app uses encryption.
  2. Using Test Flight you many have testers in foreign countries and thus possibly exporting cryptography.

You state that "users can make friends, chat" and this is what the requirement its about.

This is generally stupid but required by the U.S. government.

You will need to figure that out for yourself, consult BIS website or get a knowledgable lawyer/cryptographic domain expert.
Also see BIS encryption flowchart 1 and flowchart 2

zaph
  • 111,848
  • 21
  • 189
  • 228
  • Does that mean on the next question "Does your app qualify for any of the exemptions" that they can answer Yes because of "(c) Limited to authentication, digital signature, or the decryption of data or files" ? – David Wong Mar 23 '16 at 04:04
  • You are encrypting and SSL is encryption not authentication or digital signature the answer. – zaph Mar 23 '16 at 04:59
  • @zaph my application uses AES encryption, & HTTPS web-services, am i to select "YES" for export compliance ? – Jack Jul 27 '18 at 05:27
3

Today (June 2019), IMHO, the correct answer to Apple's "Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available within Apple’s operating system.)" question is Yes.

After you selected the Yes option, an additional question will be displayed

Does your app meet any of the following:

(a) Qualifies for one or more exemptions provided under Category 5 Part 2

(b) Use of encryption is limited to encryption within Apple’s operating system

(c) Only makes calls over HTTPS

(d) App is made available only in the U.S. and/or Canada

If your app, in fact, only uses HTTPS (and no other form of encryption), select Yes again for the second question.

Vince Varga
  • 6,101
  • 6
  • 43
  • 60
  • 3
    If you select "Yes" again, you're presented with the same > "If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government. Learn More" – Dani Jun 28 '19 at 11:57