Keywords: iOS Encryption Compliance | HTTPS Export Control | Info.plist Configuration
Abstract: This article provides an in-depth analysis of whether using HTTPS in iOS apps constitutes 'containing encryption' for compliance purposes. Based on U.S. Export Administration Regulations, it details the criteria for determining encryption usage scenarios, exemption conditions, and compliance procedures. Through specific cases, it explains how to properly configure Info.plist files and complete compliance declarations in iTunes Connect, helping developers avoid potential export control risks.
Encryption Compliance Background
When developers upload apps to iTunes Connect, the system asks: "Does your product contain encryption?" This question stems from the U.S. Export Administration Regulations, which require that any product containing encryption technology obtain appropriate export authorization. Failure to comply may result in severe legal penalties.
Encryption Attributes of HTTPS Usage
According to clear guidelines from the U.S. Bureau of Industry and Security, apps using industry-standard encryption algorithms (including HTTPS, SSL, AES, etc.) are generally considered to "contain encryption." Even if developers only use the HTTPS protocol through NSURLConnection and UIWebView, such use of encryption for data transmission falls under regulatory scope.
Exemption Condition Analysis
The Export Administration Regulations provide several exemption scenarios. Developers can determine applicability based on the following conditions:
- Authentication Only: If encryption is used solely for user authentication, token generation, or other authentication purposes
- Key Length Restrictions: Symmetric keys not exceeding 56 bits, asymmetric keys not exceeding 512 bits, or elliptic curve keys not exceeding 112 bits
- Mass Market Products: Products meeting mass market definitions with key lengths within specified limits
- Financial Applications: Applications specifically designed for banking use or money transactions
- Open Source Software: Applications with publicly available source code distributed free of charge
Compliance Configuration Guide
For scenarios involving only HTTPS usage or encryption for authentication purposes, developers need to add the following configuration to the app's Info.plist file:
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
Setting this key to false explicitly declares that the app uses no non-exempt encryption, that is, any encryption it uses falls within the exemption scope, which eliminates the need for annual reporting.
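A pre-upload check for this key, as an added example that is not code from the original article: it parses an Info.plist with Python's standard plistlib and reports whether ITSAppUsesNonExemptEncryption is present as a real boolean. The function name, status strings and sample plists are constructed for illustration, and the check also accepts binary plists, which goes beyond the XML snippet shown above.

```python
import plistlib

KEY = "ITSAppUsesNonExemptEncryption"

def audit_encryption_declaration(plist_bytes):
    """Return (status, detail) for the export-compliance key in an Info.plist."""
    try:
        info = plistlib.loads(plist_bytes)  # handles XML and binary plists
    except Exception as exc:  # malformed XML, unknown format, truncated file
        return "invalid", f"not a parseable plist: {exc!r}"
    if not isinstance(info, dict):
        return "invalid", "top-level plist object is not a <dict>"
    if KEY not in info:
        return "missing", f"{KEY} is absent, so the build carries no declaration"
    value = info[KEY]
    # bool must be checked by type: <string>false</string> and <integer>0</integer>
    # parse to str/int and are not the boolean the configuration calls for.
    if not isinstance(value, bool):
        return "wrong-type", f"{KEY} is {type(value).__name__}, expected a boolean"
    if value:
        return "non-exempt", f"{KEY} is <true/>: non-exempt encryption declared"
    return "exempt", f"{KEY} is <false/>, as in the configuration above"

def make_plist(body):
    """Build a minimal constructed Info.plist around the given <dict> entries."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><dict>\n'
        "<key>CFBundleIdentifier</key><string>com.example.demo</string>\n"
        f"{body}\n</dict></plist>\n"
    ).encode("utf-8")

# Constructed sample inputs (not taken from any real app).
SAMPLES = {
    "declared": make_plist(f"<key>{KEY}</key><false/>"),
    "undeclared": make_plist(""),
    "string-typed": make_plist(f"<key>{KEY}</key><string>false</string>"),
    "non-exempt": make_plist(f"<key>{KEY}</key><true/>"),
    "binary": plistlib.dumps({KEY: False}, fmt=plistlib.FMT_BINARY),
    "garbage": b"this is not a property list",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        status, detail = audit_encryption_declaration(data)
        print(f"{name:13} {status:11} {detail}")
```

Run against the built app's Info.plist in CI, a status other than "exempt" is the signal to review the declaration before upload.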
iTunes Connect Verification Process
Developers can verify encryption compliance status in iTunes Connect through the following steps:
- Select the target application
- Navigate to the "Features" section
- Choose the "Encryption" option
- Click the "+" button to add encryption information
- Answer questions according to the guided dialog
- For HTTPS or authentication purposes, typically select "Yes" and "Yes"
Responsibilities and Risk Awareness
It is particularly important to note that all liabilities associated with misinterpretation of export regulations or inaccurate exemption claims are borne by the app owners and developers. Therefore, developers should carefully review relevant regulations to ensure accurate understanding of applicable conditions.
Latest Policy Updates
Since September 2016, apps using HTTPS have been explicitly excluded from export registration and reporting requirements. This policy change simplifies compliance procedures for developers using only HTTPS.