Disclaimer: I'm not a lawyer, and this is intended for educational purposes only.
With that out of the way, this blog entry is intended to cover resources I found helpful in my process of figuring out how to file an annual self-classification report for iOS app submissions.
If you're wondering what this is about, I was right there with you too. During the process of submitting an iOS app to Apple for beta testing, you'll be prompted with some challenging questions about export compliance reporting & encryption usage in your app.
The first time I encountered these prompts I experienced some angst over how to go about answering correctly. I'm going to share resources I found helpful in my process of learning more about these questions.
A quick Google search will yield Apple's own documentation, which seems to do a decent job of giving an overview on the subject. It also refers to the official government page for how to go about submitting a report. These resources are a bit terse, though, and leave much to be desired.
The next resource I discovered was a Stack Overflow answer and a blog post that broke down what yes or no answers to give during the app submission to Apple for the most common case, where an app uses HTTPS and no other special forms of encryption. There, I also found documentation on how to configure these options into your app's config files so that you don't have to repeat the process on each app update submission.
Okay, so from here I know I'm using HTTPS to encrypt the usual web traffic. This has been the standard case for almost all web and/or mobile development for over a decade now. Let's clarify: am I using exempt encryption? And if so, what does that mean for me and what I may or may not need to do? Well, let's look at what Apple has to say about this from the first link...
Typically, the use of encryption that’s built into the operating system—for example, when your app makes HTTPS connections using URLSession—is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not. To determine whether your use of encryption is considered exempt, see Determine your export compliance requirements.
If your app uses exempt forms of encryption, you might alternatively be required to submit a year-end self-classification report to the U.S. government. (If you use non-exempt encryption and provide documentation to Apple, the self-classification report isn’t necessary.) To learn more, see How to file an Annual Self Classification Report.
Okay, so that strongly indicates that HTTPS is exempt due to being a built-in feature of the operating system. However, the second section leaves a bit to be desired, specifically in saying "you might alternatively be required to submit a year-end self-classification report". Clear as mud, aye? Let's take a look at what another resource has to say about this.
If your app makes calls to HTTPS or only uses encryption that’s part of iOS to authenticate, verify, or encrypt data you are using exempt encryption. It’s called exempt encryption because it’s exempt from needing a CCATS code before it’s allowed to be published to the App Store.
Exempt does not mean that it doesn’t need to be included in your self-classification report. Please consult a lawyer if your app uses non-exempt encryption because the remainder of this article assumes your app only uses exempt encryption.
Okay, that's a bit clearer and gives another strong indicator to the case that HTTPS is considered exempt. It also makes it a bit clearer that this still requires an annual self-classification report to be filed.
Looking a bit further into that last link, you'll also find another really helpful resource linked and a breakdown of how to use it. This is a very simple page with a form that can be used to generate a self-classification report CSV file in the way that is requested by the official government report on the matter.
Again, I'm not a lawyer and I can't give legal advice. However, I hope you find these resources helpful in learning more about these questions that the Apple App Store asks about while submitting your app.