MAS HTTPS, Encryption - export compliance ?

Hi,

I’m preparing a macOS app for submission to the MAS and have a question about « Encryption ».

My app is doing API calls (GET/POST) for sending emails (Mailjet) and uses https.

In « Features / Encryption » it says:

If your build doesn’t use encryption, specify this in the target properties table in Xcode. Learn More

In App Store Connect Help:

[code]Use of encryption includes, but is not limited to:

  • Making calls over secure channels (i.e. HTTPS, SSL, and so on).

  • [/code]

Does that mean that using HTTPSocket with secure connection (https) to call APIs POST/GET is considered as Making calls over secure channels ??

I hope not !

Thanks for enlightening me.

HTTPSocket is old code and doesn’t so SSL.

The new URLConnection does do use SSL/TLS.

I mean Xojo.Net.HTTPSocket, which is secure when url uses https.

That us NSURL* classes and so you may need to use App Transport Security settings.

see
https://blog.xojo.com/2018/12/14/app-transport-security-on-macos/

This seems to be for apps not able to use https and wanting to communicate with http.

My problem is not to use https, it works fine.
My problem is that if I declare that I’m using HTTPS, here is what MAS says:

It is your responsibility to comply with export regulations, and you should revisit these questions if your encryption or exemption status changes. If your encryption and exemption eligibility stay the same, specify this in the target properties table in Xcode. App Uses Non-Exempt Encryption : No
and

If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government.

If this is the way to go I don’t think I’ll submit to MAS.

This process is not simple (I found this) and certainly not worth the time spent.

Nobody does that. Otherwise, everyone would have whined before.

Set this to Yes only if your App uses encryption that’s exempt from export compliance requirements and this does not apply to the use of the HTTPS Protocoll.

Source: https://developer.apple.com/documentation/bundleresources/information_property_list/itsappusesnonexemptencryption

[Update] - Things seem to have changed since i stopped dev for macOS/iOS…
Maybe this may help you a bit: https://help.apple.com/app-store-connect/#/dev88f5c7bf9 and https://help.apple.com/app-store-connect/#/dev63c95e436

Sasha, that’s exactly what I was mentioning in previous messages.
Maybe @Sam Rowlands has an opinion.

The question is still: does anyone do what is in the links from Sascha? I checked a couple of applications and none have the plist entries for encryption.

Well it’s in plain wording, not even legalese.

[quote]Use of encryption includes, but is not limited to:
Making calls over secure channels (i.e. HTTPS, SSL, and so on).[/quote]
It does feel new, but I haven’t submit anything to the MAS that uses the internet.

AFAIK, you only need to worry if you use encryption that the US Gov doesn’t like. If you use the functionality supplied by the OS you should be fine.

I say should, because there are many who have/do and don’t have a problem, but you can’t use that argument if your application gets rejected. If a reviewer thinks you’ve broken the rules, you’ve broken the rules until you can prove that you haven’t.

All out apps feature a system that uses the Xojo sockets (can’t recall which ones) to periodically connect via https to our server and check for new information. Again, it’s doesn’t mean that a reviewer who doesn’t like you app can’t create problems for you.

If you are only using the system provided encryption such as https, sqlite encrypted databases and so on you shouldn’t really bother about that.

Add this in your plist file and AppStore connect won’t ask about encryption again :

<key>ITSAppUsesNonExemptEncryption</key> <false/>

@Jeremie: [quote]sqlite encrypted databases[/quote]
Actually in these days I was going to submit to MAS a new desktop app containing a readOnly sqlite encrypted databases, and I was musing about the reviewer’s reaction to it.

Should I add the plist-snippet you provided?
ITSAppUsesNonExemptEncryption

Thanks

From my experience with iOS apps, setting the plist entry mentioned in previous post is ok when using sqlite encryption.

But there is a big difference between iOS app reviews and Mac app reviews. For iOS, I believe the first reviewer does not have access to the app’s content. It is only if the app needs a deeper review that they have tools to download the app bundle onto a Mac and have a closer look to the files. But I may be mistaken.

When reviewing a Mac app, the reviewer can look into the app bundle and take a closer look to every file.

Thank you all for your opinions.
I’ll post again when the app is submitted to the MAS and let you know.

I’ll have to wait for an answer to my other post, without it I won’t be able to submit the app anyway.