App Store Rejection: Guideline 5.1.1, Data Collection and Storage — Encryption

Apple Found Unencrypted Data in Your App. Here's How to Fix It.

Transmitting user data over plain HTTP, storing passwords in NSUserDefaults, or logging sensitive info to the console are all flags that will get you rejected under 5.1.1. These are fixable — and fixing them protects your users too.

What Apple said

Your app transmits user data over an unencrypted connection. Apps that handle sensitive user information must use HTTPS for all network communication. Additionally, sensitive data must not be stored in plaintext on the device. Please update your app to ensure all user data is properly protected.

What this actually means

Apple requires that any sensitive information — passwords, health data, financial data, personally identifiable information — travels over HTTPS and is stored securely on-device. If your app uses HTTP for any API calls, stores tokens in plaintext, or logs sensitive data, reviewers (and Apple's automated tooling) will catch it. This protects your users and is increasingly table stakes.

What Apple needs to see

  • All network requests using HTTPS with valid TLS certificates — no HTTP endpoints for any user data
  • Passwords and tokens stored in the iOS Keychain, not UserDefaults or flat files
  • No sensitive data written to logs, analytics events, or crash reporters
  • A privacy policy at a stable URL (like yourapp.baseterms.com/privacy) that accurately describes your encryption practices

  1. Audit your networking layer and replace every HTTP URL with HTTPS — use App Transport Security to enforce this
  2. Migrate any credentials or tokens stored in UserDefaults to the iOS Keychain immediately
  3. Search your codebase for print() and NSLog() calls that might be outputting user data and remove them
  4. Enable Instruments' Network profiler and verify no plaintext sensitive data appears in any request payload
  5. Update your privacy policy on yourapp.baseterms.com/privacy to accurately document how you encrypt and store user data
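Step 2 is the one most apps get wrong, so here is a worked version of it: a small Keychain-backed token store with a one-shot migration that pulls a token out of UserDefaults and deletes the plaintext copy. This is an added example, not code from the page or from Apple; the service name, account label and UserDefaults key are assumptions.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Stores one secret as a generic-password Keychain item.
struct TokenStore {
    let service = "com.example.yourapp"   // assumed service identifier
    let account = "session-token"         // assumed account label

    /// Attributes that uniquely identify our item in the Keychain.
    private var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Replaces any existing item. WhenUnlockedThisDeviceOnly means the value is
    /// only readable while the device is unlocked and is never restored to another device.
    func save(_ token: String) throws {
        SecItemDelete(baseQuery as CFDictionary)  // errSecItemNotFound here is fine
        var item = baseQuery
        item[kSecValueData as String] = Data(token.utf8)
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(item as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Returns nil when no token has been stored yet.
    func read() throws -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return String(decoding: data, as: UTF8.self)
    }

    /// One-shot migration: copy the plaintext token into the Keychain, then remove
    /// it from UserDefaults so the preferences plist no longer contains it.
    func migrate(fromDefaultsKey legacyKey: String, in defaults: UserDefaults = .standard) throws {
        guard let legacy = defaults.string(forKey: legacyKey) else { return }
        try save(legacy)
        defaults.removeObject(forKey: legacyKey)
    }
}
```

Call `try TokenStore().migrate(fromDefaultsKey: "authToken")` once at launch (the key name is an assumption); after it runs, the token exists only in the Keychain.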

While you're at it — Apple also requires these pages for every app.

Fix this rejection, then make sure you're covered on the compliance side too. Apple requires every app to link to a hosted Privacy Policy, Terms of Service, Support page, and Data Deletion page. No link means another rejection — just for a different reason.


Common questions

My app uses a third-party SDK — could that be causing the HTTP issue?

Absolutely. Third-party SDKs, especially older ad networks or analytics tools, sometimes make HTTP calls. Use a network proxy like Charles or Proxyman to inspect all traffic from your app, including traffic from embedded SDKs.

Is storing data in Core Data considered encrypted?

Not by default. Core Data stores data in a SQLite file that is not encrypted unless you set the NSFileProtectionComplete attribute on it. For truly sensitive data, encrypt it before storing or use the Keychain.

How do I tell Apple I've fixed the encryption issues?

Reply in the Resolution Center explaining specifically what you changed — mention that all endpoints now use HTTPS, that tokens are stored in the Keychain, and link to your updated privacy policy. Be specific; vague responses often lead to another review cycle.