Keywords: iOS | Encryption Compliance | ITSAppUsesNonExemptEncryption | App Store Connect | info.plist
Abstract: This technical article provides an in-depth analysis of the ITSAppUsesNonExemptEncryption key in iOS app development, explaining its role in export compliance for internal testing and App Store distribution. Based on official documentation and practical experience, it details when and how to configure this key in info.plist, the encryption review process, and best practices to avoid common compliance issues.
During iOS app development, when preparing for internal testing or App Store submission, developers may encounter compliance prompts regarding ITSAppUsesNonExemptEncryption. The configuration of this key in the info.plist file directly relates to the app's encryption usage and export compliance review. Understanding its meaning and proper setup is crucial for smooth testing and release processes.
Basic Definition and Purpose of the Key
ITSAppUsesNonExemptEncryption is a Boolean key used to declare whether the app uses non-exempt encryption technologies. According to Apple's official documentation, when the key's value is <false/>, it indicates that the app uses no encryption or only exempt encryption. When set to <true/>, it signifies that the app employs non-exempt encryption requiring compliance review.
In practical configuration, developers need to add the following content to the <dict> section of the info.plist file:
<key>ITSAppUsesNonExemptEncryption</key>
<false/>This code should be placed before the </dict></plist> tags to ensure correct formatting. If the app indeed uses non-exempt encryption, the value should be changed to <true/> with appropriate compliance documentation prepared.
Criteria for Encryption Compliance Determination
The key factor in determining whether to set ITSAppUsesNonExemptEncryption to <true/> is identifying if the app uses non-exempt encryption. Based on WWDC 2015 materials, if the app contains no cryptographic content, setting this value to <false/> allows normal internal testing and distribution.
However, the definition of encryption usage can sometimes be debatable. Common scenarios include:
- Using HTTPS for network communication (generally considered exempt encryption)
- Integrating third-party encryption libraries within the app
- Locally encrypting user data storage
In these cases, developers need to carefully assess whether they fall under non-exempt encryption categories. When uncertain, consulting the latest Apple developer documentation or legal compliance experts is recommended.
Compliance Review Process and Impact
According to Apple's official guidelines, if an app requires additional encryption review documentation, it cannot achieve "Ready for Sale" status until Export Compliance has reviewed and approved the documents. More critically, the app cannot be distributed for prerelease testing until approved. This means that if an app uses non-exempt encryption without completing compliance review, even basic internal testing will be blocked.
To avoid complex compliance questions at submission time, developers can proactively provide export compliance information in iTunes Connect:
- Navigate to the Encryption section under Features in iTunes Connect
- Click the plus sign next to the appropriate platform section
- Answer the questions accurately
- Upload files as prompted
- Click Save to submit for review
After submission, documents enter the review process immediately, with status showing as "Compliance Review." The system automatically generates a key value that developers can include in their info.plist file.
Practical Recommendations and Considerations
In practice, even apps without the ITSAppUsesNonExemptEncryption key may sometimes upload successfully. However, this carries risks, as apps actually using non-exempt encryption might encounter review issues at later stages.
Recommended practices include:
- For apps clearly not using encryption, always include
<key>ITSAppUsesNonExemptEncryption</key><false/>in info.plist - If the app uses encryption but exemption status is uncertain, set to
<true/>initially and prepare compliance documentation - Regularly check Apple's developer documentation for updated encryption compliance requirements
- Monitor document review status in iTunes Connect and update information as needed
It's important to note that if the info.plist contains a key referencing specific export compliance documentation, that document must be in an approved state, not "In Review" or "Rejected." Developers can click the document filename at any time to view details. If updates or answer changes are needed, a new document must be resubmitted.
Properly handling ITSAppUsesNonExemptEncryption configuration not only ensures smooth testing and release processes but also prevents delays and additional work due to compliance issues. As global regulations around data security and encryption technologies become increasingly strict, developers should pay greater attention to these compliance requirements.