
Encryption App approval from Apple

I created an app for storing usernames/passwords etc. using a publicly available AES256 encryption algorithm. I didn't write this code; I just copied and pasted it from the web and included it in my app.

- (NSData *)AES256EncryptWithKey:(NSString *)key
- (NSData *)AES256DecryptWithKey:(NSString *)key 

Now for the million dollar question. What kind of approval process do I need to go through in order to get this app approved? There are about as many answers on the web as there are leaves in a jungle. Some say you don't need it; others say you have to go through a 50-60 day cycle with US Gov approval.

If anyone has used this kind of encryption in their app before, then please let me know what I need to do to successfully get this app approved by Apple's gatekeepers. Thank you.

Sam B asked Jan 05 '12 00:01


1 Answer

(First off: this doesn't constitute real legal advice.)

The reason why it's hard to get a clear answer to this is that the answers are actually very case dependent, and as a vendor who is choosing to export your software internationally, it's you who is on the hook for making a determination, and complying with government regulations. It's easy to assume this should all be turnkey and simple since Apple has made it trivial for developers to sell their wares internationally, but the government doesn't see it that way-- you're an independent software vendor who is exporting functionality that might have regulatory implications.

This is not about Apple gatekeeping or approval. Export compliance is not part of the "app review" itself. Apple is sort of there as a check on it since they're your distributor, but their motivation in this case is government compliance, not making judgments and approving/rejecting you-- they don't want to be in the business of forensic law enforcement. Apple will almost certainly take you at your word, whatever you say, but if you're found later to be out of compliance, they reserve the right to kick you.

Go through the wizard on app submission. If you say that crypto has changed, it will then ask you a series of pretty specific questions about what your crypto does, and if necessary will ask you to submit an ERN, or possibly a CCATS thing. There is a FAQ here.

The bad news: What you're doing probably requires you to declare the crypto. There are exemptions, but they're for pretty specific types of product rather than kinds of implementation (the US BIS web site and the Apple wizard will specify them). Simply using system APIs or publicly known crypto algorithms isn't a protection against it. (Do people do this ALL THE TIME without registering it? Of course they do. You could too, if you want.)

The good news: If what you need is an ERN, this has become a VERY streamlined, automated process in the last year or so. You can do it online, and be done with it within hours. Follow this blog post: http://tigelane.blogspot.com/2011/01/apple-itunes-export-restrictions-on.html Some cases may still require the full CCATS process, which may be more convoluted.

Ben Zotto answered Oct 20 '22 16:10