i am using React Native with Firebase and i am trying to upload app to testflight to Itunes Connect. The encryption question popped up and i have no idea what to select. I did some research on ATS and encryption. I am assuming that firebase is using HTTPS calls ? If that is so, then i need to probably select that i am using encryption. In which case i am asked, if i qualify for exempt or not.
I have truly no idea what these options mean and if any of that applies to me. It seems rather over complicated, which would be ok, but i have hard time understanding what applies to me.
I mean this sentence seems about right:
"Limited to authentication, digital signature, or the decryption of data or files"
But maybe i am missing something ?
or this:
"Limited to “fixed” data compression or coding techniques"
Limited to coding techniques ? No idea.
So if i have basic app using Firebase for storing data about user/authentication etc am i using HTTPS ? Also am i then exempt or am i supposed to send them year-end file which i have no idea what means ?
On top of it React Native official documentation mentions that you are supposed to allow ATS, meaning you would definitely have to say you are using encryption, but then does not mention anything about encryption. Here under Enable App Transport Security Link
I will welcome any explanation whatsoever as i feel kinda lost here. Thanks
So your question is a bit off. ATS is an enforcement technique Apple uses to try to ensure any network connections your app make are protected using HTTPS (and other more rigorous requirements, like TLS version, forward secrecy, etc.). So ATS will try to force you to use HTTPS. Whether your React Native app actually uses HTTPS is up to you to know.
Basically, you can have ATS enabled, but add an exception to the one domain your app comminucates to allow the app to make those calls using HTTP. In that case, your app does not use encryption, so you can answer no to that question.
However, if you access any network resource with using the https protocol, you have encryption, but it qualifies as an exempt form of encryption.
You can simply add the following to your Info.plist:
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
Unfortunately, that is not all. However, the good news is that if you are just using https, you will have a simpler process than if you are doing your own encryption / decryption.
As you can see in this page, you only need to submit a self classification report. It's relatively easy and you don't need to provide any additional documentation to Apple.
Your app uses ATS or makes a call to HTTPS:
No documentation required in App Store Connect. Submit a Self Classification Report to the U.S. Bureau of Industry and Security (BIS) directly.
Also, you can find more information about submitting that BIS form here: https://stackoverflow.com/a/45888609/3708242