Submit self classification report to the US government?

In the Apple’s App Store Connect it says:

If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government.

How seriously should we take this? What kind of code should we use e.g. for the ECCN in the report?

I would appreciate some guidance on this question.

Friedo this also caused me great consternation. I had to do a lot of research on this to understand it but here is the long and the short of it.

The first question is no if you have no calls to https:// in your app. That means 1) no sound files linked from the internet. If you have sound in your app you have to make the call to the sound file via https://, which is an encrypted connection, which is exactly what this is asking about. If you have downloadable sound files, say Yes. Also 2) if you have a call to https:// in, for example, your About page, same, you say Yes. The last one I can think of is 3) if you use analytics, that calls to https, so you use encryption.

If you have an app that has no sound files, analytics, or links to https, however, you can say no. If you do say yes, the next question is something like “are you exempt…”, and you can say yes to that based on the types of apps SAB makes. Then you just have to do self-reporting on your encrypted apps.

To self-report, grab this spreadsheet. Fill in with your info. Save as csv format. Then email the report to and You just have to do this once a year, usually in January.


  • Is this overly complicated and seemingly useless? Yes.
  • Do most people do it? No.
  • Is it the law to do it this way? Unfortunately yes, as far as I can tell, even if you are not in the US and your main users are not in the US, because most of the servers are in the US.

For more on this report, this is a good starting place. (EDIT After I posted I saw that page is a duplicate of the page you linked to above.)

Corey_Garrett, thanks a lot for replying so soon!

So it seems from the info from the sample spreadsheets that our apps should be classified as 5A992.c or 5D992 (ECCN) and MMKT (authorization type).
Well, it’s not too difficult then. Might do it next year since the deadline for 2020 has passed anyway…