public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist
@ 2025-09-25 12:32 Shan Shaji
  2025-09-26  9:21 ` Dominik Csapak
  0 siblings, 1 reply; 7+ messages in thread
From: Shan Shaji @ 2025-09-25 12:32 UTC (permalink / raw)
  To: pve-devel

Every time a new build is uploaded to appstoreconnect, the export
compliance [0] status needs to be manually selected. Since there are no
proprietary encryptions used in the app, in order to avoid manually
filling the export compliance add `ITSAppUsesNonExemptEncryption` [1]
to `Info.plist`.

- [0] https://developer.apple.com/help/app-store-connect/manage-app-information/overview-of-export-compliance
- [1] https://developer.apple.com/documentation/security/complying-with-encryption-export-regulations

References:
- https://medium.com/@thibault.jamet/navigating-export-compliance-a-flutter-developers-journey-to-the-app-store-ce7a5328f37d
- https://developer.apple.com/help/app-store-connect/reference/export-compliance-documentation-for-encryption
- https://www.reddit.com/r/FlutterDev/comments/1elm705/comment/lgyk31y/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
 changes since v1:
 - Fixed broken link inside commit message. 

 ios/Runner/Info.plist | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ios/Runner/Info.plist b/ios/Runner/Info.plist
index 9949e0f..a5587ed 100644
--- a/ios/Runner/Info.plist
+++ b/ios/Runner/Info.plist
@@ -22,6 +22,8 @@
 	<string>????</string>
 	<key>CFBundleVersion</key>
 	<string>$(FLUTTER_BUILD_NUMBER)</string>
+	<key>ITSAppUsesNonExemptEncryption</key>
+	<false/>
 	<key>LSRequiresIPhoneOS</key>
 	<true/>
 	<key>NSFaceIDUsageDescription</key>
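Review bot: the `<false/>` value under the added `ITSAppUsesNonExemptEncryption` key has no rationale next to it, and the commit message justifies it only with the absence of proprietary encryption, which does not say what encryption the app does use. Suggest an XML comment directly above the key, or a paragraph in the commit message, naming the encryption the app relies on and through which APIs, so the declaration can be re-checked whenever a dependency changes.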
-- 
2.50.1



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* Re: [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist
  2025-09-25 12:32 [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist Shan Shaji
@ 2025-09-26  9:21 ` Dominik Csapak
  2025-09-26  9:51   ` Thomas Lamprecht
  0 siblings, 1 reply; 7+ messages in thread
From: Dominik Csapak @ 2025-09-26  9:21 UTC (permalink / raw)
  To: Proxmox VE development discussion, Shan Shaji; +Cc: Thomas Lamprecht

I'm not a lawyer, but are you sure we are compliant with this?

the https client will use encryption, so it's not like we don't use
encryption at all.  (Especially with the cupertino_http package)

I guess this is exempt, but having some reference for that (aside
some medium/reddit post) would be nice.

At least some kind of rationale in the commit would be good.
(IMHO 'we don't use proprietary encryption' is not a good reason
when also 'standard encryption' falls under the export regulation...)

@Thomas, what do you think?

On 9/25/25 2:32 PM, Shan Shaji wrote:
> Every time a new build is uploaded to appstoreconnect, the export
> compliance [0] status needs to be manually selected. Since there are no
> proprietary encryptions used in the app, in order to avoid manually
> filling the export compliance add `ITSAppUsesNonExemptEncryption` [1]
> to `Info.plist`.
> 
> - [0] https://developer.apple.com/help/app-store-connect/manage-app-information/overview-of-export-compliance
> - [1] https://developer.apple.com/documentation/security/complying-with-encryption-export-regulations
> 
> References:
> - https://medium.com/@thibault.jamet/navigating-export-compliance-a-flutter-developers-journey-to-the-app-store-ce7a5328f37d
> - https://developer.apple.com/help/app-store-connect/reference/export-compliance-documentation-for-encryption
> - https://www.reddit.com/r/FlutterDev/comments/1elm705/comment/lgyk31y/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
> 
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
>   changes since v1:
>   - Fixed broken link inside commit message.
> 
>   ios/Runner/Info.plist | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/ios/Runner/Info.plist b/ios/Runner/Info.plist
> index 9949e0f..a5587ed 100644
> --- a/ios/Runner/Info.plist
> +++ b/ios/Runner/Info.plist
> @@ -22,6 +22,8 @@
>   	<string>????</string>
>   	<key>CFBundleVersion</key>
>   	<string>$(FLUTTER_BUILD_NUMBER)</string>
> +	<key>ITSAppUsesNonExemptEncryption</key>
> +	<false/>
>   	<key>LSRequiresIPhoneOS</key>
>   	<true/>
>   	<key>NSFaceIDUsageDescription</key>




* Re: [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist
  2025-09-26  9:21 ` Dominik Csapak
@ 2025-09-26  9:51   ` Thomas Lamprecht
  2025-09-29  8:39     ` Shan Shaji
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Lamprecht @ 2025-09-26  9:51 UTC (permalink / raw)
  To: Dominik Csapak, Proxmox VE development discussion, Shan Shaji

On 26.09.25 at 11:21, Dominik Csapak wrote:
> I'm not a lawyer, but are you sure we are compliant with this?
> 
> the https client will use encryption, so it's not like we don't use
> encryption at all.  (Especially with the cupertino_http package)

We use it, but we do not implement it, which is the key point
here.

> I guess this is exempt, but having some reference for that (aside
> some medium/reddit post) would be nice.
> 
> At least some kind of rationale in the commit would be good.
> (IMHO 'we don't use proprietary encryption' is not a good reason
> when also 'standard encryption' falls under the export regulation...)
> 
> @Thomas, what do you think?

We basically only need to check if any of the used dependencies
implements the (lower level) encryption that HTTPS builds upon
themselves, compared to using the platform libraries for that.
And doing so would be good in any case, which would be an actual
blocker for us anyway, i.e. independent of legal compliance with
app stores, as that needs to be thoroughly vetted then, and even
if we could do that (which I don't think we got the capacity to
thoroughly do for this, especially considering the ROI here),
would still need other to feel somewhat confident.

I quickly checked cupertino_http [0], and from what I saw it uses
only iOS platform native interfaces for TLS and the like, if that
holds true (please check closer), we would be indeed compliant and
can indeed signal this through setting ITSAppUsesNonExemptEncryption
flag to false.

[0]: https://github.com/dart-lang/http/tree/master/pkgs/cupertino_http/lib/src
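
The dependency check described in the message above can be run against the app's `pubspec.lock`. This is an added example, not part of the thread or of the project's code: the name heuristic, the verdict table and the sample lock file are assumptions, and `pointycastle` appears only to show a flagged package.

```python
import re
# Constructed pubspec.lock excerpt; pointycastle is added only to show a flagged case.
SAMPLE_LOCK = """\
packages:
  biometric_storage:
    dependency: "direct main"
  crypto:
    dependency: "direct main"
  cupertino_http:
    dependency: "direct main"
  pointycastle:
    dependency: transitive
  provider:
    dependency: "direct main"
sdks:
  dart: ">=3.0.0 <4.0.0"
"""
# Name heuristic for packages that may touch encryption (assumption of this example).
SUSPECT = re.compile(r"crypt|cipher|sodium|castle|tls|ssl|http|biometric", re.I)
# Verdicts recorded after source review; the first three restate the thread.
REVIEWED = {
    "cupertino_http": "platform",      # iOS URL Loading System
    "biometric_storage": "platform",   # iOS platform APIs
    "crypto": "hash-only",             # SHA-256 used for integrity
    "pointycastle": "own-ciphers",     # assumed: ciphers implemented in Dart
}

def parse_packages(lock_text):
    """Return {package: dependency kind} from the packages: section."""
    pkgs, section, current = {}, None, None
    for line in lock_text.splitlines():
        if re.match(r"^\S", line):                       # top-level key
            section, current = line.split(":")[0], None
        elif section == "packages":
            if m := re.match(r"^  (\w+):\s*$", line):    # package name
                current = m.group(1)
                pkgs[current] = "unknown"
            elif current and (m := re.match(r'^    dependency:\s*"?([^"]+)"?', line)):
                pkgs[current] = m.group(1).strip()
    return pkgs

def audit(lock_text):
    """List (package, kind, verdict) for every suspect package, sorted by name."""
    return [(n, k, REVIEWED.get(n, "unreviewed"))
            for n, k in sorted(parse_packages(lock_text).items()) if SUSPECT.search(n)]

def blockers(lock_text):
    """Packages that still need vetting before the flag is set to false."""
    return [n for n, _, v in audit(lock_text) if v in ("own-ciphers", "unreviewed")]
```

A non-empty `blockers()` result in CI means a new or unreviewed package has to be vetted before the `Info.plist` declaration still holds.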




* Re: [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist
  2025-09-26  9:51   ` Thomas Lamprecht
@ 2025-09-29  8:39     ` Shan Shaji
  2025-09-29 12:51       ` Shan Shaji
  0 siblings, 1 reply; 7+ messages in thread
From: Shan Shaji @ 2025-09-29  8:39 UTC (permalink / raw)
  To: Thomas Lamprecht, Dominik Csapak, Proxmox VE development discussion

Thanks @Dominik and @Thomas for the review. AFAIU, we are currently using the `cupertino_http`
package which internally uses the URL LOADING SYSTEM of iOS. The URL LOADING SYSTEM [0]
is using the platform APIs for SSL/TLS. Since it's platform APIs, in the
Apple documentation they have mentioned "No documentation required in
App Store connect" [1][2].

However, I will do a thorough research again and will update it here. 

- [0] https://developer.apple.com/documentation/foundation/url-loading-system
- [1] https://developer.apple.com/help/app-store-connect/reference/export-compliance-documentation-for-encryption
- [2] https://developer.apple.com/documentation/security/complying-with-encryption-export-regulations

On Fri Sep 26, 2025 at 11:51 AM CEST, Thomas Lamprecht wrote:
> On 26.09.25 at 11:21, Dominik Csapak wrote:
>> I'm not a lawyer, but are you sure we are compliant with this?
>> 
>> the https client will use encryption, so it's not like we don't use
>> encryption at all.  (Especially with the cupertino_http package)
>
> We use it, but we do not implement it, which is the key point
> here.
>
>> I guess this is exempt, but having some reference for that (aside
>> some medium/reddit post) would be nice.
>> 
>> At least some kind of rationale in the commit would be good.
>> (IMHO 'we don't use proprietary encryption' is not a good reason

Makes sense, sorry, I should have added more details in the commit
message. Will send another patch with more details after doing some more
research on this.

>> when also 'standard encryption' falls under the export regulation...)
>> @Thomas, what do you think?
>
> We basically only need to check if any of the used dependencies
> implements the (lower level) encryption that HTTPS builds upon
> themselves, compared to using the platform libraries for that.
> And doing so would be good in any case, which would be an actual
> blocker for us anyway, i.e. independent of legal compliance with
> app stores, as that needs to be thoroughly vetted then, and even
> if we could do that (which I don't think we got the capacity to
> thoroughly do for this, especially considering the ROI here),
> would still need other to feel somewhat confident.
>
> I quickly checked cupertino_http [0], and from what I saw it uses
> only iOS platform native interfaces for TLS and the like, if that
> holds true (please check closer), we would be indeed compliant and
> can indeed signal this through setting ITSAppUsesNonExemptEncryption
> flag to false.

Thanks Thomas for checking it. I should have mentioned in the commit. We
are also using crypto package as well. So I also need to check how the
hashing algorithms are categorised in BIS.

> [0]: https://github.com/dart-lang/http/tree/master/pkgs/cupertino_http/lib/src




* Re: [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist
  2025-09-29  8:39     ` Shan Shaji
@ 2025-09-29 12:51       ` Shan Shaji
  2025-09-29 13:09         ` Thomas Lamprecht
  0 siblings, 1 reply; 7+ messages in thread
From: Shan Shaji @ 2025-09-29 12:51 UTC (permalink / raw)
  To: Shan Shaji, Thomas Lamprecht, Dominik Csapak,
	Proxmox VE development discussion

Hi @Thomas and @Dominik, I have done some more research on this through
the BIS documentation [0] on License Exception ENC and Category 5, Part 2 [1]. 

AFAIU, 

- Since we are using TLS/SSL encryption we are under 5A002/5D002.
  Our app comes under mass market [2] so it further classifies it under
  5A992/5D992. After March 29, 2021 mass market software doesn't need to
  provide a self classification report [3]. Also since we are using the
  platform APIs provided by iOS which are already exported by Apple
  for SSL/TLS and not implementing any encryptions by ourselves
  I believe we don't need to do anything from our side.

- For the crypto package that we are using doesn't likely fall under 5A002/5D002 as
  it's not used for confidentiality rather we are using it for data integrity.
  So I believe it should likely fall under ECCN 5D992 (Mass Market).
  Also the source code of the package is publicly available and SHA-256
  is a standard algorithm.

- For `biometric_storage`, the package internally uses the platform APIs
  that are available in iOS [4]. Since it's using the already exported iOS
  interfaces I believe we should be fine there as well.

- [0] https://www.bis.doc.gov/index.php/encryption-and-export-administration-regulations-ear 
- [1] https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file
- [2] https://www.bis.doc.gov/index.php/policy-guidance/encryption/3-license-exception-enc-and-mass-market/a-mass-market (Paragraph a)
- [3] https://www.bis.doc.gov/index.php/documents/pdfs/2759-table-of-changes-to-enc-in-wa2019-rule-final-version/file (Table Reference)
- [4] https://github.com/authpass/biometric_storage/blob/main/macos/Classes/BiometricStorageImpl.swift   

So IMHO, I think it's safe to update the `ITSAppUsesNonExemptEncryption` key
to false. WDYT?



* Re: [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist
  2025-09-29 12:51       ` Shan Shaji
@ 2025-09-29 13:09         ` Thomas Lamprecht
  2025-09-30  8:50           ` Shan Shaji
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Lamprecht @ 2025-09-29 13:09 UTC (permalink / raw)
  To: Shan Shaji, Dominik Csapak, Proxmox VE development discussion

On 29.09.25 at 14:51, Shan Shaji wrote:
> Hi @Thomas and @Dominik, I have done some more research on this through
> the BIS documentation [0] on License Exception ENC and Category 5, Part 2 [1]. 
> 
> AFAIU, 
> 
> - Since we are using TLS/SSL encryption we are under 5A002/5D002.
>   Our app comes under mass market [2] so it further classifies it under
>   5A992/5D992. After March 29, 2021 mass market software doesn't need to
>   provide a self classification report [3]. Also since we are using the
>   platform APIs provided by iOS which are already exported by Apple
>   for SSL/TLS and not implementing any encryptions by ourselves
>   I believe we don't need to do anything from our side.
>
> - For the crypto package that we are using doesn't likely fall under 5A002/5D002 as
>   it's not used for confidentiality rather we are using it for data integrity.
>   So I believe it should likely fall under ECCN 5D992 (Mass Market).
>   Also the source code of the package is publicly available and SHA-256
>   is a standard algorithm.
>
> - For `biometric_storage`, the package internally uses the platform APIs
>   that are available in iOS [4]. Since it's using the already exported iOS
>   interfaces I believe we should be fine there as well.
> 
> - [0] https://www.bis.doc.gov/index.php/encryption-and-export-administration-regulations-ear 
> - [1] https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file
> - [2] https://www.bis.doc.gov/index.php/policy-guidance/encryption/3-license-exception-enc-and-mass-market/a-mass-market (Paragraph a)
> - [3] https://www.bis.doc.gov/index.php/documents/pdfs/2759-table-of-changes-to-enc-in-wa2019-rule-final-version/file (Table Reference)
> - [4] https://github.com/authpass/biometric_storage/blob/main/macos/Classes/BiometricStorageImpl.swift   
> 
> So IMHO, I think it's safe to update the `ITSAppUsesNonExemptEncryption` key
> to false. WDYT?

That seems to be a safe conclusion with enough due diligence to back it up.



* Re: [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist
  2025-09-29 13:09         ` Thomas Lamprecht
@ 2025-09-30  8:50           ` Shan Shaji
  0 siblings, 0 replies; 7+ messages in thread
From: Shan Shaji @ 2025-09-30  8:50 UTC (permalink / raw)
  To: Thomas Lamprecht, Dominik Csapak, Proxmox VE development discussion

superseded by v3: https://lore.proxmox.com/pve-devel/20250930084852.39176-1-s.shaji@proxmox.com/T/#u

