Disclaimer: I am not a lawyer. This is not legal advice. I am not an encryption expert. If you are in doubt, do your own due diligence. I’m confident that “I read it on the internet and they said it was OK” will not be a good defence if the NSA kicks down your door and hauls you away for cyber crimes. I am trying to keep this up to date, but this stuff changes often, so it’s worth double-checking. If you notice anything wrong or out of date, please let me know. Thanks!
Update January 2023: According to this document on the BIS website, the reporting requirements for mass market items have been changed. My current understanding is that if your app uses any encryption that is included with iOS, or https, then you no longer need to send a report.
Yesterday, after uploading an app for beta testing, I received this message in iTunes Connect for the first time:
If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government.