
ITSAppUsesNonExemptEncryption export compliance while internal testing?


Overview

The phrase "ITSAppUsesNonExemptEncryption" is tied closely to Apple's App Store submission process. This configuration setting in an app's Info.plist file plays a critical role in determining whether an app is subject to export compliance under U.S. law. Internal testing phases, especially in large organizations or those dealing with sensitive data, need to carefully consider this setting to avoid compliance pitfalls.

Technical Explanation

Export Compliance Basics

Export compliance refers to regulations that restrict the distribution of software products that use encryption technology. The U.S. Bureau of Industry and Security (BIS) regulates these under the Export Administration Regulations (EAR). Any software incorporating encryption technology may be subject to specific licensing requirements unless specified as exempt.

ITSAppUsesNonExemptEncryption

This key in an iOS app's Info.plist informs Apple whether the app uses encryption and if that encryption is exempt.

  • ITSAppUsesNonExemptEncryption = NO: The app declares that it uses no encryption or uses exempt encryption. Exempt encryption typically involves standard encryption protocols that adhere to the regulations, like HTTPS or password hashing.
  • ITSAppUsesNonExemptEncryption = YES: The app uses encryption that is not exempt, meaning it doesn't fall under common exemptions, which could require additional export documentation.

Internal Testing Considerations

While the primary focus of ITSAppUsesNonExemptEncryption is on published apps, internal testing processes also need careful monitoring.

  1. Testing Features with Encryption: During internal testing, organizations might experiment with new, non-exempt encryption techniques. While this might not require immediate compliance actions, teams should document these functionalities in anticipation of public release scrutiny.
  2. Security Audits and Code Reviews: Periodic audits should be performed on apps and updates before reaching the app store submission phase. These reviews ensure that all uses of encryption are documented and correctly labeled.
  3. Best Practices for Internal Teams:
    • Maintain logs specifying encryption technologies utilized.
    • Conduct training on U.S. export compliance for development teams.
    • Maintain direct communication with legal advisors to ensure all software deployments align with regulatory standards.
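
One way to automate the audit step above, as an added example (not code from the original page or from Apple): it parses an Info.plist and compares the declared ITSAppUsesNonExemptEncryption value with the team's encryption log. The log format, the sample plist and the function name `audit` are assumptions constructed for illustration.

```python
import plistlib

KEY = "ITSAppUsesNonExemptEncryption"

# Constructed Info.plist for this example (not taken from a real app).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.internal</string>
    <key>ITSAppUsesNonExemptEncryption</key>
    <false/>
</dict>
</plist>
"""

# Constructed encryption log in a hypothetical format: one entry per use of
# encryption, with the exempt/non-exempt classification the team agreed on.
SAMPLE_INVENTORY = [
    {"feature": "API transport", "technology": "HTTPS", "exempt": True},
    {"feature": "Experimental vault", "technology": "in-house cipher", "exempt": False},
]

def audit(plist_bytes, inventory):
    """Return a list of findings; an empty list means declaration and log agree."""
    info = plistlib.loads(plist_bytes)  # handles XML and binary plists
    declared = info.get(KEY)
    non_exempt = [e for e in inventory if not e["exempt"]]
    findings = []
    if declared is None:
        findings.append(f"{KEY} is missing from Info.plist")
    elif not isinstance(declared, bool):
        # The key is documented as a Boolean; a string such as "NO" is a mistake.
        findings.append(f"{KEY} must be a boolean, found {type(declared).__name__}")
    elif not declared:
        for e in non_exempt:
            findings.append(
                f"{KEY}=NO but log lists non-exempt use: "
                f"{e['feature']} ({e['technology']})")
    elif not non_exempt:
        findings.append(f"{KEY}=YES but log lists no non-exempt use")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLIST, SAMPLE_INVENTORY):
        print("FINDING:", finding)
```

Run in a build pipeline before submission, a non-empty result is a signal to revisit either the plist value or the log, not a legal determination.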

Key Examples

  • Exempt Use Cases:
    • An app using HTTPS to securely transmit data to a server.
    • Encrypted preference files using the iOS Keychain.
  • Non-Exempt Use Cases:
    • Proprietary encryption algorithms designed internally that do not qualify under public domain exemptions.
    • Cryptographic operations that extend beyond standard functionalities, such as full-disk encryption.

Table: Key Points

| Aspect | ITSAppUsesNonExemptEncryption = NO | ITSAppUsesNonExemptEncryption = YES |
|---|---|---|
| Encryption Usage | None or Exempt | Non-Exempt |
| Common Examples | HTTPS, basic authentication | Proprietary algorithms, extensive cryptography |
| Actions Required Upon Release | Typically none | Potential BIS notification, ECCN filing |
| Internal Testing Considerations | Review against exemptions, ensure security | Document justification, prepare compliance documentation |

Additional Considerations

Potential Impact on Release Timeline

Failing to correctly designate the ITSAppUsesNonExemptEncryption setting can lead to delays during app review, particularly if the app is slated for global distribution. In severe cases, failing to comply with export regulations could result in significant legal repercussions, including fines.

Coordination with Stakeholders

For organizations working toward global app launches, coordination with multi-disciplinary teams is invaluable. This includes legal, compliance, and product teams all working in concert to manage encryption policies.

With the growing complexity of digital security and international regulations, it is essential to stay abreast of updates to U.S. export compliance laws. Tools and platforms are continually being developed to assist in managing these aspects automatically, thereby easing the burden on development teams.

By understanding and correctly implementing the ITSAppUsesNonExemptEncryption key, businesses can avoid compliance issues while focusing on delivering robust, secure apps to their user base.

