How to determine if my app contains encryption?
The rules regarding a TestFlight app is slightly different from a "real" AppStore release, but the procedure is pretty similar.
As you said, the first question asks “Does your app use encryption?" Here you should select "Yes" even if your app only uses the standard encryption in iOS and macOS / XCode.
Basically:
Use of encryption in this case includes, but is not limited to:
- Making calls over secure channels (i.e. HTTPS, SSL, and so on).
- Using standard encryption algorithms.
- Using crypto functionality from other sources such as iOS or macOS.
- Using proprietary or non-standard encryption algorithms.
The U.S. Government defines "non-standard cryptography" as any implementation of "cryptography" involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body.
Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?
As you said, option C is most often adequate and the correct choice if you don't use any proprietary or non-standard algorithms.
By the way, here's a link to that "Note 4 for Category 5" that they mention.
When you submit a final version of your app to the actual App Store, you will be required to answer these questions again in App Store Connect.
Determine your Export Compliance Requirements, blah, blah...
Basically, you can say yes in the following scenarios:
Select "Yes" for this question if the encryption of your app is:
a. Specially designed for medical end-use
b. Limited to intellectual property and copyright protection
c. Limited to authentication, digital signature, or the decryption of data or files
d. Specially designed and limited for banking use or “money transactions”; or
e. Limited to “fixed” data compression or coding techniques
It's usually no problems from here on, as long as you pass the internal testing etc. Just follow the prompts when exporting / distributing to App Store.
Remember to update your Xcode settings for your build.
By the way: Consult an attorney for legal guidance if in doubt! This is only my understanding of the process.
This is from Apple's article about Complying with Encryption Export Regulations
Typically, the use of encryption that’s built into the operating system—for example, when your app makes HTTPS connections using URLSession—is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not. To determine whether your use of encryption is considered exempt, see Determine your export compliance requirements.
The big thing from this quote I noticed is the term "proprietary" and the fact that HTTPS is now exempt from regulation. I believe that this also means that keychain should also not be included in this, because it is public encryption to my knowledge.
But I am very uneasy to say that the encryption you use in the app's backend is safe from the regulation givin that it could be considered as proprietary and could be considered an extension of your app, not a separate entity. Historically Apple is very willing to take down apps that they don't believe to follow their guidelines. Here is a great stack overflow question and a Reddit link you should read through to be safe the stack overflow answer seems to be very thorough. Stack Overflow and Reddit.
Sorry I couldn't help you with the third point about your backend's encryption. I hope you can find some answers that I didn't see in the links I provided though.