App Store

    Export Compliance Information Required (App Store)

    The App Store Connect Export Compliance Information Required prompt asking whether an app uses encryption, with HTTPS marked as exempt.

    The Export Compliance Information Required prompt appears because your build did not declare how it uses encryption, and App Store Connect needs that answer before the build can go to review or to external TestFlight. The question is not really whether your app uses encryption, since almost every app does through HTTPS, but whether that encryption is exempt. HTTPS and the encryption provided by Apple's operating system are exempt, so most apps answer that they qualify for the exemption. You answer that you use non-exempt encryption only if you added your own proprietary cryptography, such as a custom algorithm or a VPN tunnel, which brings a documentation obligation. Declaring it once with the ITSAppUsesNonExemptEncryption key stops the prompt from returning on every submission.

    Short answer

    This prompt is a required declaration, not a rejection, and you clear it by correctly answering whether your app uses non-exempt encryption. Per Apple's encryption export documentation, encryption that is standard and provided by the operating system, including HTTPS handled by the system, is exempt, while proprietary or non-standard cryptography you add yourself is non-exempt. So an app that only relies on HTTPS and Apple's built-in crypto answers that it qualifies for the exemption. You can record the answer permanently with the ITSAppUsesNonExemptEncryption key in Info.plist, set to NO for exempt or no encryption, so App Store Connect stops asking on each build.

    Where you see this prompt and what it blocks

    You encounter Export Compliance Information Required in App Store Connect, on the build itself, when you try to submit it for review or make it available to external TestFlight testers. Until you answer the encryption question for that build, it cannot move forward, so the prompt is a gate on the build rather than a problem with your app as a whole. The field lives in the build's export compliance section, and App Store Connect surfaces it as a required step during submission.

    It helps to know what it does and does not affect. The prompt holds the specific build until answered; it does not remove or penalize an already-live version of your app, and answering it is a form-filling step, not a review outcome. So the pressure it creates is only that a build you want to test or ship is waiting on a declaration, which you can supply directly in App Store Connect or, better, bake into the build so the gate never appears.

    The real question: is your encryption exempt?

    The reason this prompt confuses people is that they read it as does your app use encryption and answer yes in a panic, when the question that matters is whether the encryption is exempt. Practically every modern app uses encryption, because any network call over HTTPS is encrypted, so a plain yes or no about encryption is not the useful distinction. Apple's framework is built around exemptions: certain common, standard uses of encryption are exempt from the documentation that non-standard cryptography requires.

    So reframe the decision. The question is not whether encryption is present but whether your app relies only on the exempt kinds, mainly HTTPS and the cryptography the operating system provides, or whether it also includes non-exempt cryptography that you brought yourself. Once you frame it that way, most apps fall clearly on the exempt side, and the small number that added their own encryption know they did. Answering correctly is a matter of identifying which of those two situations you are in.

    HTTPS and OS encryption are exempt

    If your app only encrypts through HTTPS and the standard cryptography Apple's system provides, it qualifies for the exemption, and this covers the large majority of apps. HTTPS handled by the system, for example through URLSession, is exempt, and so is the encryption built into iOS that you call through standard APIs, such as Keychain, the Data Protection classes, and standard algorithms exposed by the platform. Using these is not what the export documentation is aimed at, so relying on them means you answer that you do not use non-exempt encryption.

    This is why HTTPS usage on its own does not make you non-exempt. An app that logs in over HTTPS, calls an API over HTTPS, and stores a token in the Keychain is using only exempt encryption, so it qualifies for the exemption and you set ITSAppUsesNonExemptEncryption to NO. The practical test is whether every bit of encryption in your app comes from the system or standard algorithms rather than from a custom scheme, and for most apps the honest answer is yes.

    What counts as non-exempt encryption

    Non-exempt encryption is cryptography you add beyond what the operating system provides through standard means, and it is what actually triggers the documentation obligation. Examples include implementing your own encryption algorithm, shipping a custom or proprietary cryptographic protocol, building end-to-end encrypted messaging with your own crypto, an on-device password vault using non-standard encryption, or a VPN tunnel your app implements. In these cases you are doing more than calling HTTPS and the system libraries, so the exemption does not automatically apply.

    If that describes your app, you answer that you use non-exempt encryption and set ITSAppUsesNonExemptEncryption to YES, and you take on the extra compliance step that comes with it. The line to watch is standard versus proprietary: using a well-known algorithm through Apple's own APIs is generally exempt, while implementing encryption yourself or using non-standard cryptography is what pushes you into non-exempt territory. Being honest here matters, because the declaration is a legal statement about your app.

    How to answer at a glance

    Matching what your app actually does to the right answer is the whole task. The table below maps it.

    Your app's encryptionExempt?How to answer
    Only HTTPS network callsYesQualifies for exemption; key set to NO
    Keychain and standard iOS cryptoYesQualifies for exemption; key set to NO
    No encryption at allYesNo non-exempt encryption; key set to NO
    Your own or proprietary algorithmNoUses non-exempt encryption; key set to YES
    Custom end-to-end or VPN cryptoNoUses non-exempt encryption; key set to YES

    Read the exempt column as the deciding factor: only proprietary or non-standard cryptography you add yourself makes you non-exempt.

    Set ITSAppUsesNonExemptEncryption to stop the prompt

    Answering the prompt once per build is tedious, so the durable fix is to declare your encryption use in the build itself with the ITSAppUsesNonExemptEncryption key in your Info.plist. Set it to NO if your app uses no encryption or only exempt encryption, which is the common case, and App Store Connect no longer shows the export compliance prompt for those builds. Set it to YES if your app genuinely uses non-exempt encryption, which keeps the correct declaration attached and routes you to the documentation step.

    Build tools make this easy to apply consistently. Whether you set the key by hand in Xcode, through your project configuration, or in a managed build with a tool like Fastlane or Expo EAS, the key travels with every build so the answer is recorded before upload. That removes the recurring prompt and, more importantly, makes your compliance answer a deliberate, version-controlled decision rather than a rushed click during submission.

    If you use non-exempt encryption: the documentation

    Answering yes carries an obligation beyond the toggle, because non-exempt encryption is subject to U.S. export documentation. In that case you either provide the appropriate compliance documentation to Apple, or you file the annual self-classification report to the U.S. Bureau of Industry and Security, which is due at the start of the year, by February 1. Apple lets you upload export compliance documentation in App Store Connect, and once your documentation is on file you are not prompted for it on every build.

    The point is to plan for this if you ship your own cryptography, rather than discovering it at submission. Gather what your encryption is and confirm whether it needs a self-classification report or a specific authorization, and keep the documentation with your release process. For the exempt majority, none of this applies, which is exactly why answering the exemption question correctly matters: it separates the apps that owe paperwork from the many that do not.

    Fix checklist

    Working through these steps clears the prompt correctly. The checklist below covers them.

    StepActionDone?
    Identify your encryptionList every place the app encrypts data[ ]
    Check the exemptionHTTPS and OS crypto are exempt[ ]
    Answer honestlyNon-exempt only if you added proprietary crypto[ ]
    Set the Info.plist keyITSAppUsesNonExemptEncryption NO or YES[ ]
    Prepare documentationIf YES, plan the self-classification report[ ]
    Automate itSet the key in your build so the prompt stops[ ]

    The step teams skip most is setting the Info.plist key, which is what turns a repeated submission prompt into a one-time, version-controlled answer.

    Where a scan fits

    Answering correctly depends on knowing what cryptography your app actually contains, and that is easier to see when you can inventory it rather than guess.

    A scanner like PTKD.com analyzes your build and reports where and how it uses cryptography, along with issues such as weak or hardcoded keys and over-broad permissions, by severity and mapped to OWASP MASVS. To be clear about the boundary: PTKD does not file your export declaration or set your Info.plist key. It helps you see whether your app relies only on standard, exempt encryption or ships something proprietary, so your answer to the export compliance question is based on what the app really does.

    What to take away

    • Export Compliance Information Required is a declaration that gates the build, not a rejection, and it does not affect an already-live version of your app.
    • The real question is whether your encryption is exempt, not merely whether encryption is present, since almost every app encrypts through HTTPS.
    • HTTPS and the standard cryptography Apple's system provides are exempt, so most apps answer that they qualify for the exemption.
    • You use non-exempt encryption only if you added proprietary or non-standard cryptography, such as a custom algorithm or a VPN tunnel, which requires export documentation or an annual self-classification report.
    • Set ITSAppUsesNonExemptEncryption in Info.plist to stop the prompt recurring, and a tool like PTKD.com helps you see what cryptography your app actually contains.
    • #app store connect
    • #export compliance
    • #encryption
    • #itsappusesnonexemptencryption
    • #app submission

    Frequently asked questions

    What does Export Compliance Information Required mean?
    It means your uploaded build did not declare how it uses encryption, so App Store Connect requires you to answer the export compliance question before that build can be submitted for review or released to external TestFlight testers. It is a declaration step, not a rejection, and it gates only that specific build rather than affecting an already-live version of your app. You answer whether your app uses non-exempt encryption, and you can record the answer permanently in the build with the ITSAppUsesNonExemptEncryption Info.plist key so the prompt stops appearing.
    Does using HTTPS count as encryption for export compliance?
    Yes, HTTPS uses encryption, but it is exempt encryption, so it does not make you answer that you use non-exempt encryption. Apple treats encryption that is standard and provided by the operating system, including HTTPS handled by the system through URLSession, as exempt, along with the built-in cryptography you call through standard APIs like Keychain and the Data Protection classes. An app that only encrypts through HTTPS and these system facilities qualifies for the exemption, so you set ITSAppUsesNonExemptEncryption to NO.
    What is non-exempt encryption?
    Non-exempt encryption is cryptography you add beyond what the operating system provides through standard means. Examples include implementing your own encryption algorithm, shipping a custom or proprietary cryptographic protocol, building end-to-end encrypted messaging with your own crypto, an on-device password vault using non-standard encryption, or a VPN tunnel your app implements. The line is standard versus proprietary: using a well-known algorithm through Apple's APIs is generally exempt, while implementing encryption yourself or using non-standard cryptography is non-exempt and requires export documentation.
    How do I stop the export compliance prompt appearing every time?
    Add the ITSAppUsesNonExemptEncryption key to your app's Info.plist. Set it to NO if your app uses no encryption or only exempt encryption, which is the common case, and App Store Connect no longer shows the export compliance prompt for those builds. Set it to YES if your app genuinely uses non-exempt encryption, which keeps the correct declaration attached and routes you to the documentation step. Setting the key in Xcode or through a managed build with Fastlane or Expo EAS makes the answer travel with every build.
    What documentation do I need if I use non-exempt encryption?
    If you answer that you use non-exempt encryption, it is subject to U.S. export documentation. You either provide the appropriate compliance documentation to Apple, which you can upload in App Store Connect so you are not prompted on every build, or you file the annual self-classification report to the U.S. Bureau of Industry and Security, which is due by February 1. Plan for this if you ship your own cryptography rather than discovering it at submission. For the exempt majority using only HTTPS and OS crypto, none of this applies.
    Does answering the export compliance question affect app review?
    Answering it is a form-filling step, not a review outcome, so providing the declaration does not by itself cause a rejection. What it does is release the build to proceed, since an unanswered prompt holds the build from review and external TestFlight. The compliance risk is answering incorrectly: claiming the exemption while actually shipping proprietary, non-exempt cryptography is an inaccurate legal declaration. So answer honestly based on what your app really does, and the declaration itself will not slow your review.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free