App Store

    TestFlight Export Compliance: Uses Non-Exempt Encryption

    An Info.plist showing the ITSAppUsesNonExemptEncryption key set to answer the TestFlight export compliance question.

    The TestFlight export compliance question asks whether your app uses encryption, and you answer it permanently by adding the ITSAppUsesNonExemptEncryption key to your Info.plist. Set it to NO if your app only uses exempt encryption, which covers most apps that rely on standard HTTPS and the operating system's cryptography, and the prompt stops appearing on every build. Set it to YES only if your app uses non-exempt or custom encryption, in which case you may need export documentation and, if your app is available in France, to address French encryption declaration rules. Most apps qualify for the exemption and set the key to NO.

    Short answer

    Add the Boolean ITSAppUsesNonExemptEncryption key to your Info.plist to answer the export compliance question once rather than on every upload. Per Apple's encryption export documentation, set it to NO if your app uses only exempt encryption, such as standard HTTPS through the system APIs, which is true for most apps. Set it to YES if you use non-exempt or custom encryption, which may require export documentation and annual reports. If your app uses non-exempt encryption and is available in France, you may also need to satisfy French encryption declaration requirements, which Apple asks about in the compliance flow. When unsure, confirm your app relies only on standard encryption before setting NO.

    What the export compliance question is

    The export compliance prompt appears because apps are subject to encryption export regulations, and Apple has to record whether your app uses encryption before it can be distributed, including through TestFlight. Each time you upload a build, App Store Connect asks whether your app uses encryption, and until you answer it permanently, it keeps asking on every submission.

    The prompt is not about your app's quality or security; it is a regulatory declaration. Governments regulate the export of encryption, so Apple collects this answer to comply on your behalf and, where needed, to point you at the documentation you must provide. Understanding that it is a compliance question, not a technical one, is why the clean way to handle it is to declare the answer once in your project rather than clicking through it each time.

    Which Info.plist key to use

    The key is ITSAppUsesNonExemptEncryption, a Boolean you add to your Info.plist. Setting it pre-answers the export compliance question so App Store Connect stops prompting you on each upload. A value of NO declares that your app does not use non-exempt encryption, and a value of YES declares that it does.

    Add it as a single entry: the key ITSAppUsesNonExemptEncryption with a Boolean value. For most apps the correct value is NO, because they rely only on exempt encryption. Once the key is in your Info.plist and the build is uploaded, the repetitive prompt disappears, which is the main practical benefit of setting it rather than answering interactively every time.

    Do you qualify for the exemption?

    Most apps qualify to set the key to NO, because they use only encryption that is exempt under the regulations. Standard HTTPS and TLS provided through the operating system, encryption used only for authentication, and the platform's built-in cryptography generally fall within the exemptions, so an app that just talks to its backend over HTTPS and does not implement its own cryptography typically qualifies.

    You do not qualify for the simple NO if your app implements or uses non-exempt encryption, such as proprietary or custom cryptographic algorithms, or certain uses beyond the standard exemptions. The line can be subtle, so if your app does anything with encryption beyond relying on the system's standard secure networking, confirm your specific case against Apple's guidance, and where it is genuinely unclear, seek qualified advice rather than guessing at a legal declaration.

    What YES means: documentation and reports

    If your app does use non-exempt encryption, setting the key to YES is only the start, because you may then owe export documentation. Depending on your situation, this can include obtaining the appropriate authorization from the relevant export authority and filing annual self-classification reports. Apple's export compliance flow guides you toward what is required, but the obligation is yours.

    This is why you should not casually declare YES to be safe; the honest answer determines real obligations, and declaring encryption you do not use creates paperwork you do not need, while declaring NO when you should have said YES misstates a regulatory answer. Determine your actual encryption use, set the key to match, and if it is YES, follow through on the documentation the regulations require rather than treating the declaration as the end of it.

    French encryption laws

    France has specific rules for apps that use encryption, and Apple's export compliance workflow asks whether your app is available there for that reason. If your app uses non-exempt encryption and is offered in France, you may need to comply with French encryption declaration requirements, which are separate from the United States export rules and involve a declaration to the relevant French authority.

    For most apps that qualify for the exemption and set the key to NO, this does not apply, because the France question is tied to non-exempt encryption. But if you answered YES and distribute in France, treat the French requirement as a real step to check rather than skip. As with the rest of export compliance, this is a legal matter, so confirm your obligations against current guidance and, where the situation is unclear, get advice specific to your app.

    Values compared

    The key has a small set of choices with clear meanings. The table below lays them out.

    ValueWhat it declaresTypical use
    NOThe app uses only exempt encryptionMost apps, standard HTTPS
    YESThe app uses non-exempt encryptionCustom or proprietary cryptography
    Not setNo permanent answer, prompts each uploadNot recommended

    Read the table to place your app. If it relies only on standard secure networking, NO is the value and the prompt goes away; if it uses non-exempt encryption, YES is the honest value and it brings additional obligations; and leaving the key unset just means answering the prompt on every build.

    Setup checklist

    A short sequence handles export compliance cleanly. The checklist below covers it.

    CheckActionDone?
    Assess your cryptoDetermine whether you use only exempt encryption[ ]
    Set the keyAdd ITSAppUsesNonExemptEncryption with the honest value[ ]
    DocumentationObtain export documentation if you declared YES[ ]
    FranceAddress the French declaration if it applies[ ]
    VerifyConfirm the prompt no longer appears on upload[ ]

    The step that matters most is assessing your actual encryption use honestly before setting the value, since the key is a regulatory declaration rather than a convenience toggle. Once it is set correctly, the repetitive prompt is gone and your compliance answer is recorded consistently for every build, which also removes a small but recurring source of friction from your release process.

    Scan before you submit

    Export compliance answers a legal question about encryption, but it says nothing about whether your app is otherwise secure, and the two are easy to conflate. An app can be perfectly compliant on export and still have security issues, such as cleartext traffic that undermines the very encryption the declaration assumes, unjustified permissions, or an embedded secret.

    A scanner like PTKD.com analyzes your .ipa and reports findings ordered by severity and mapped to OWASP MASVS, so you catch those issues before submission. To be clear about the boundary: PTKD does not make your export compliance declaration or file French paperwork. It checks the build's actual security posture, which is a separate concern from the regulatory question the ITSAppUsesNonExemptEncryption key answers.

    What to take away

    • Answer the export compliance question once by adding the Boolean ITSAppUsesNonExemptEncryption key to your Info.plist.
    • Set it to NO if your app uses only exempt encryption, such as standard HTTPS, which covers most apps and stops the prompt.
    • Set it to YES only if you use non-exempt or custom encryption, which may require export documentation and annual reports.
    • If you use non-exempt encryption and distribute in France, you may also need to satisfy French encryption declaration requirements.
    • The key is a legal declaration, not a toggle; assess your encryption honestly, and scan your build with PTKD.com for the separate matter of app security.
    • #export compliance
    • #testflight
    • #encryption
    • #info.plist
    • #app store connect

    Frequently asked questions

    Which Info.plist key answers the export compliance question?
    The Boolean key ITSAppUsesNonExemptEncryption. Adding it to your Info.plist pre-answers the export compliance question so App Store Connect stops prompting you on each upload. A value of NO declares your app does not use non-exempt encryption, and YES declares that it does. For most apps the correct value is NO.
    Should I set ITSAppUsesNonExemptEncryption to NO or YES?
    Set it to NO if your app uses only exempt encryption, such as standard HTTPS and TLS through the system APIs and the platform's built-in cryptography, which is true for most apps. Set it to YES if your app implements or uses non-exempt or proprietary encryption. The key is a legal declaration, so choose the value that honestly matches your encryption use.
    Do most apps qualify for the encryption exemption?
    Yes. Most apps use only encryption that is exempt, such as standard HTTPS, encryption used solely for authentication, and the operating system's cryptography, so an app that just talks to its backend over HTTPS and implements no custom cryptography typically qualifies to set the key to NO. If you do anything beyond standard secure networking, confirm your specific case.
    What does declaring YES require?
    It may require export documentation beyond the declaration, which depending on your situation can include obtaining the appropriate authorization from the relevant export authority and filing annual self-classification reports. Apple's flow guides you toward what is needed, but the obligation is yours, so declare YES only if you genuinely use non-exempt encryption and follow through on the paperwork.
    How do French encryption laws affect export compliance?
    France has specific rules for apps that use encryption, which is why Apple's compliance workflow asks whether your app is available there. If your app uses non-exempt encryption and is offered in France, you may need to satisfy French encryption declaration requirements, separate from the United States rules. For apps that qualify for the exemption and set NO, this generally does not apply.
    Does export compliance mean my app is secure?
    No. Export compliance answers a legal question about encryption, not whether your app is otherwise secure. An app can be compliant and still have cleartext traffic, unjustified permissions, or an embedded secret. A scanner like PTKD.com (https://ptkd.com) checks the build's actual security posture, mapped to OWASP MASVS, which is separate from the ITSAppUsesNonExemptEncryption declaration.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free