Export compliance (ECCN/EAR) answered correctly

The ITSAppUsesNonExemptEncryption key in Info.plist is required by the US Bureau of Industry and Security (BIS) under the Export Administration Regulations (EAR). Apple enforces this during upload to App Store Connect — if the key is missing, the submission process stops and requires manual resolution in App Store Connect's compliance section. Declaring true incorrectly (claiming non-exempt encryption when only standard HTTPS is used) can trigger BIS filing requirements that the developer is not equipped to fulfill, creating ongoing regulatory exposure. Most apps qualify for the exemption under EAR §740.17(b)(1) and should declare false.

For apps using only standard HTTPS (the vast majority), set the key to NO in ios/[AppName]/Info.plist:

<key>ITSAppUsesNonExemptEncryption</key>
<false/>

For Expo, configure this in app.json:

"ios": {
  "config": {
    "usesNonExemptEncryption": false
  }
}

If your app implements custom encryption beyond standard TLS — for example, end-to-end encrypted messaging with a custom cipher — set true and consult the BIS Annual Self-Classification Report process. Do not set true as a conservative default; the exemption for standard TLS is explicit and well-established.

• ID: export-compliance
• Severity: medium
• What to look for: For iOS: check ios/[AppName]/Info.plist for ITSAppUsesNonExemptEncryption. This key must be present. In Expo, check app.json for expo.ios.config.usesNonExemptEncryption. The values are: false if the app uses only Apple's built-in encryption (HTTPS via NSURLSession, standard TLS) — most apps qualify for this exemption; true if the app implements custom encryption, uses a third-party encryption library beyond standard TLS, or qualifies as "non-exempt" under EAR. If the key is missing, Apple prompts for it during upload and may reject if not correctly answered during submission. For Android/Google Play: export compliance questions are answered during the Play Console submission process and are not typically present in the codebase, but check for any EAR, ECCN, or export compliance notes in REVIEW_NOTES.md or submission-notes.md. For Expo, also check eas.json for any ios.itunesConnect.usesNonExemptEncryption setting. Count every encryption usage in the app (HTTPS, data-at-rest encryption, crypto libraries) and enumerate each for export compliance classification.
• Pass criteria: ITSAppUsesNonExemptEncryption is present in Info.plist or app.json with a value of false (for apps using only standard TLS/HTTPS) or true with appropriate documentation; or the value is correctly set in EAS config. At least 1 implementation must be confirmed.
• Fail criteria: ITSAppUsesNonExemptEncryption key is entirely absent from Info.plist for an iOS project (will cause Apple to require manual declaration during upload); the key is set incorrectly (true for an app that only uses standard HTTPS, when false is the correct answer for the EAR exemption).
• Skip (N/A) when: Android-only project with no iOS build.
• Detail on fail: "ITSAppUsesNonExemptEncryption key is missing from ios/MyApp/Info.plist — Apple will require this to be declared during App Store Connect upload".
• Remediation: Most apps qualify for the encryption exemption.
  1. If your app only uses standard HTTPS (TLS via system APIs), set ITSAppUsesNonExemptEncryption to NO in Info.plist
  2. For Expo, add to app.json:

     "ios": {
       "config": {
         "usesNonExemptEncryption": false
       }
     }
     

  3. If your app uses custom encryption (e.g., end-to-end encryption, custom cipher implementations), consult the BIS export compliance regulations and potentially register for an Annual Self-Classification Report