Disclaimer: I am not a lawyer. This is not legal advice; it is for information purposes only. Consult an attorney for legal guidance.
If your iOS app simply uses ATS or HTTPS to communicate with an external server, then your app is using encryption. As such, you may need to submit a year-end self classification report to the US government. This is far-reaching, as Apple is pushing to require ATS in all apps. The original deadline was Jan 1, 2017; however, it has been extended indefinitely. These requirements would include simple apps that may be using an external SDK with ATS enabled for metrics or advertising, such as Facebook SDKs, Fabric, Crashlytics, Kitemetrics, etc.
While the self classification report doesn’t seem that hard to submit, finding out whether you qualify and locating the instructions to submit it are a little challenging. For convenience I’ll post my research on finding those instructions here and link out appropriately.
A really good resource is the FAQ on iTunes Connect on Managing Your Apps Export Compliance. It answers questions such as “Does my app require an export compliance review if I only distribute it on the App Store in the U.S. and Canada?” Short answer: no. However, if you don’t live in the U.S., you are still subject to U.S. export laws since the app is uploaded to U.S. servers, even if you only publish your app in your home country.
iTunes Connect asks you to fill out Export Compliance Information.
The first question is “Does your app use encryption? Select Yes even if your app only uses the standard encryption in iOS and macOS.”
The second question is “Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?”
If you answer yes, it shows the following info callout: “If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government.” The Learn More link, which goes to https://www.bis.doc.gov/informationsecurity2016-updates, lists a bunch of updates that aren’t actually that useful in learning anything. However, this link on Encryption and Export Administration Regulations (EAR) was more useful, as was the FAQ.
The full text states:
Make sure that your app meets the criteria of the exemption listed below. You are responsible for the proper classification of your product. Incorrectly classifying your app may lead to you being in violation of U.S. export laws and could make you subject to penalties, including your app being removed from the App Store. Read the FAQ thoroughly before answering this question.
You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations.
The exemption list shown only lists 5 categories. However, you should read Note 4, as it contains more descriptions. Here is a link to the full contents of Note 4. Here is a link with some examples on how to perform a Note 4 analysis.
OK. Hopefully by now you or your lawyer have determined whether your app qualifies for an exemption or not. If so, and you determine that you also need to submit a year-end self classification report, you’ll need to find out how to do that as well. Basically, you fill out 12 columns in a .csv file and email it to firstname.lastname@example.org and email@example.com no later than February 1.
Here are some links with instructions on how to file:
Below is a screenshot of one of the example files:
For some iOS apps distributed via the App Store it would seem that the following fields could be filled out as:
ECCN: 5A002 or 5A992
AUTHORIZATION TYPE: MMKT
ITEM TYPE: Mobility and mobile applications n.e.s.
NON-U.S. COMPONENTS: N/A
NON-U.S. MANUFACTURING LOCATIONS: N/A