TIL: Apple Submission Guidelines regarding Encryption

When you submit an app for review to the gatekeepers of the coveted Apple App Store, you are asked a series of rather daunting and (arguably) convoluted questions with warnings that, if answered incorrectly, the repercussions will be severe — in some cases, death.

Just kidding.

In all seriousness, rejection from the App Store is the most likely consequence. Some people may see the former as preferable.

One of the questions is regarding the use of encryption in your app:

There is mixed information out there about whether using HTTPS, which means all communications between your browser and the website are encrypted, requires you to answer “Yes” to this question.

The information out there is mixed because the rules regarding this export compliance changed as of September 20th, 2016! (Technology moves faster than the speed of light, so always double-check to make sure your source of information is up to date.)

You no longer need to answer “Yes” if the only form of encryption in your app is the usage of HTTPS for network requests.

In fact, as of December 21, 2016, Apple required that all web requests use secure network connections over HTTPS. This is part of their initiative to improve user security and privacy via their requirements for App Transport Security (ATS), introduced in iOS 9 and OS X v10.11.

Thus, Apple already knows and checks to ensure that you are using HTTPS, so they would glean no extra information if this affected their Export Compliance question regarding encryption.

Apple is trying to determine if you are using further encryption in your app, and if so, why.

So, for the average app that uses no encryption beyond HTTPS, you can answer “No” to the above question.

And! Better yet, regardless of your answer, you can automate this by setting a key-value pair in your Info.plist. Add ITSAppUsesNonExemptEncryption as the key, with a Boolean value of false to reflect a “No” to the above encryption question.
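
An added example (not from the original post or from Apple): a small Python check that could run in CI to confirm that an Info.plist carries the key described above, and to flag App Transport Security exceptions that re-allow plain HTTP. The sample plist and the domain legacy.example.com are constructed, and the function name audit_info_plist is hypothetical.

```python
import plistlib

# Constructed sample Info.plist (not from a real app).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ITSAppUsesNonExemptEncryption</key>
  <false/>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def audit_info_plist(data):
    """Return findings about the export-compliance key and ATS exceptions."""
    info = plistlib.loads(data)
    findings = []
    flag = info.get("ITSAppUsesNonExemptEncryption")
    if flag is None:
        findings.append("ITSAppUsesNonExemptEncryption not set: encryption question is not pre-answered")
    elif not isinstance(flag, bool):
        # A string such as "NO" is not the Boolean false the key expects.
        findings.append("ITSAppUsesNonExemptEncryption must be a boolean, got " + type(flag).__name__)
    elif flag:
        findings.append("ITSAppUsesNonExemptEncryption is true: app declares non-exempt encryption")
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("ATS disabled globally via NSAllowsArbitraryLoads")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append("ATS allows plain HTTP for " + domain)
    return findings

if __name__ == "__main__":
    for line in audit_info_plist(SAMPLE_PLIST):
        print(line)
```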

Thanks for reading, and happy encrypting!