App uses https - what is the correct value of ITSAppUsesNonExemptEncryption
The ONLY encryption my App uses is calls over HTTPS. Currently (7 June 2017) iTunes Connect requires an Export Compliance according to this information in iTunes Connect.
I've entered the iTunesConnect -> My Apps -> Features -> Encryption page, clicked the plus symbol beside "iOS Documentation" and in the Export Compliance form answered YES.
The following two screen shots show more details of the export compliance box as I scroll down.
The last 2 screen shots suggest using HTTPS is an EXEMPT use of encryption and I should therefore in info.plist set ITSAppUsesNonExemptEncryption=false. But this is not clear, and is contradicted in my 1st screen shot that says if you are making a call to HTTPS ... required to submit a year-end classification report to the US government.
So my questions:
- Is it correct to set ITSAppUsesNonExemptEncryption=false if the only encryption I use is via HTTPS calls?
- If I must set ITSAppUsesNonExemptEncryption=true, where do I go to submit a report to the US government and how does this report get passed to Apple? I cannot find any clear information on the process. I don't want to screw this up as the consequences can be major as threatened in the last screen shot.
- Regardless of how I set ITSAppUsesNonExemptEncryption, according to my 1st screen shot if I use HTTPS I must submit a year-end self classification to the US government. Is that true, and what is the process? (clicking the "learn more" link doesn't help)
I was searching the web for this for some hours. Actually it is pretty easy and you can verify this in iTunes Connect:
1. All you have to do
If your app uses only HTTPS or uses encryption only for authentication, tokens, etc., there is nothing you have to do, just include
<key>ITSAppUsesNonExemptEncryption</key><false/>
in your Info.plist and you are done.
2. Verification
You can verify this in iTunes Connect.
- select your app
- choose features
- choose encryption
- click "+"
- follow the dialog
- for https or authentication the answer is yes and yes
3. Year-end self classification report
As is written in the dialog in 2., you still need to submit a year-end self classification report:
If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government. Learn more
You can check "How do I submit a Self Classification Report for Encryption Items" and this SO question: https://stackoverflow.com/a/48462458/276648
In any case you should of course read carefully through the dialog yourself.
A very helpful article can be found here:
https://www.cocoanetics.com/2017/02/itunes-connect-encryption-info/
I unfortunately do not have enough rep to comment, but at the minute I am looking into the exact same issue and I believe that you are correct when you say that you can set the ITSAppUsesNonExemptEncryption key to false; at least this was the conclusion I came to from my research.
For the self classification report it does look like you have to submit one by February of next year. I found this link helpful in explaining the report and what to do:
https://www.bis.doc.gov/index.php/policy-guidance/encryption/reports-and-reviews/annual-self-classification
Like I said, this is all from my own investigation like you, and I think this is correct, but if anyone does have any more information, it would be greatly appreciated.