iPhone and Crypto Libraries

I think I'm going to have to use the Crypto libraries in my iPhone application. I wanted to ask you about the implications regarding the crypto export policy applied by Apple. Do I need to do something extra (such as filling in forms, etc.):

1) If I use hashing with MD5.

2) If I use symmetric encryption.

Thanks,

Ushox asked Apr 29 '09 15:04



2 Answers

EDIT

In December 2009, after this answer was written, the EAR was amended. I have not since that time participated in an export compliance assessment. My cursory reading on the relevant documents suggests that what used to be the "ancillary computing" exemption is now narrower, but there are still several exemptions in the requirements for an ERN. See @JosephH's answer for the location of the FAQ on iTunesConnect. Most importantly read the EAR Controls for Items That Use Encryption FAQ at BIS to understand the phrase "classified under Category 5, Part 2 of the EAR."

The answer below may no longer be informative after Dec 2009.


I am not a lawyer, nor do I deal with export compliance full-time, but I have had to deal with the issues extensively and can point you to the original materials so you can see for yourself. If you have concerns, you should contact a lawyer familiar with Export Compliance.

US export restrictions relate to the exporter, not to the author. Apple in this case is the exporter, which is why they want the author to provide them information about what they are exporting.

If you are using system libraries, then neither you nor Apple is exporting cryptography when downloading your app. The system libraries were exported when the iPhone itself was sold, or when Apple provided a software update. That has nothing to do with you.

Cryptography of the class you're discussing only has restrictions when exported to Country Group E:1 countries (Cuba, Iran, Libya, North Korea, Syria, and Sudan). These countries are excluded by Apple.

You are explicitly exempt from review if your product falls into the "Ancillary Cryptography" category. This is defined as "not primarily useful for computing (including the operation of 'digital computers'), communications, networking (includes operation, administration, management and provisioning) or 'information security'" and includes as examples:

  • Piracy and theft prevention for software, music, etc.
  • Games and gaming
  • Household utilities and appliances
  • Printing, reproduction, imaging and video recording or playback
  • Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery)
  • Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC)
  • Automotive, aviation, and other transportation systems

"Ancillary Cryptography" might be read here as "cryptography is used by your program, but encryption is not its point." US export regulations are interested in technologies that can be repurposed into new products that might be used against the US government.

Open-source cryptographic libraries have a broad exemption as long as they are not knowingly exported to Class E:1 countries.

This is all a very long-winded (though still extremely cursory) way of saying "don't worry about it; click the applicable options that Apple provides."

For the full, gory details, go to the Commercial Encryption Export Controls site of the US BIS. Of particular interest are the Encryption Checklist Instructions.

Rob Napier answered Oct 26 '22 11:10


Apple has a lot of information about this in iTunes Connect, which appears to directly conflict with Rob Napier's answer, and the generally accepted answer seems to be that you need to apply for an ERN if you are using standard cryptography, and a CCATS if you are using non-standard cryptography (unless you fall into the exemptions, which most people don't).

Go to:

https://itunesconnect.apple.com/

log in, hit 'FAQ' and then 'World Wide Trade Compliance for the App Store'.

(Sorry, there doesn't appear to be a way to link directly to the page.)

JosephH answered Oct 26 '22 09:10