Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

App Export Compliance using the Dropbox API

This question (or variations of this question) has been asked before, but as Apple's export compliance rules change relatively frequently, and no one seems to ever get a straight answer, I thought I would ask.

I write an iPhone application that uses version 0.2 of the Dropbox API.

I have emailed Apple concerning use of this specific API, and I will be sure to update this question as I learn more and hear back from Apple. In the meantime, if any developer is using the Dropbox API in their iPhone application, did you mark your application as using encryption?

Edit: Upon closer inspection, it looks like the file data is also transferred using SSL. Since their API is using the NSMutableURLRequest class over HTTPS though, I still can't determine whether or not this API "uses encryption." If in the App Store submission page I mark that it does include encryption, Apple then asks if I'm using greater than a 64-bit symmetric encryption key.

like image 909
Craig Otis Avatar asked Jan 28 '11 21:01

Craig Otis


3 Answers

If your app uses SSL (HTTPS), then yes it does include encryption. The export compliance rules changed last year though, so you will need an Encryption Registration Number instead of a CCATS number. See this blog post for details.

like image 153
David Avatar answered Oct 31 '22 15:10

David


As it happens I'm working on this right now on a related project.

The Apple position is clarified in the FAQ in iTunesConnect; (my bold)

If your App contains, uses or accesses standard cryptography for purposes other than those listed in questions 2-4, you need to submit for an ERN authorization. Examples of standard encryption are: AES, SSL, https.

This authorization requires that you submit an annual report to two U.S. Government agencies with information about your App every January.

It's a pain in the neck, but that is the law if you want to be fully compliant. I'd love to hear that I'm wrong though!

PS. You could always ask for a direct opinion from the Government department concerned here;

http://www.bis.doc.gov/forms/rpdform.html

like image 3
Roger Avatar answered Oct 31 '22 17:10

Roger


You can also call the Bureau of Industry and Security help desk at 202-482-0707 or read the web site at http://www.bis.doc.gov/encryption for more information.

Discussing your question with a live person is probably going to be better than filling out the online form and waiting for a response.

like image 1
Michael Avatar answered Oct 31 '22 17:10

Michael