Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Switching from http to https in iOS App brings up Export Compliance issues when publishing

We recently decided to update a couple of our apps this summer to switch them from http to https in order to follow the new Apple guidelines which go into affect January 2017.

The only thing transferred to and from the app is product information, no user info or anything even remotely sensitive. But we want to comply early so that we don't have to worry about it later.

The question:

Apple seems to be forcing us to deal with US Export Compliance law which requires us to get an approval for an Exporter Registration Number (ERN), and a SNAP-R which requires a Company Identification Number (CIN). I think, I am no lawyer.

Now this question was somewhat answered here but that was more than 3 years ago, and if I understand what is happening, everyone who makes an http connection with their app and has it available outside the US is going through this.

If that's the case then I would would have expected a very clear explanation on what switching to https will require for most iOS app developers.

However I have not found much on this and I am confused on what the exact requirements are (if any).

Any counsel is appreciated.

like image 246
Samuel Chalvet Avatar asked Aug 18 '16 14:08

Samuel Chalvet


People also ask

Is HTTPS exempt from export compliance?

Typically, the use of encryption that's built into the operating system—for example, when your app makes HTTPS connections using NSURLSession —is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not.

Does HTTPS count as encryption?

HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL). This protocol secures communications by using what's known as an asymmetric public key infrastructure.

Is HTTPS non exempt encryption?

Keep in mind that this is double negation (the app uses non exempt encryption) and to Apple, HTTPS is exempt encryption.

What does it mean to make a call to HTTPS?

Hypertext Transfer Protocol Secure (https) is a combination of the Hypertext Transfer Protocol (HTTP) with the Secure Socket Layer (SSL)/Transport Layer Security (TLS) protocol. TLS is an authentication and security protocol widely implemented in browsers and Web servers.


2 Answers

Disclaimer: These were my results after many rounds of emails with different export control team members, however these results are specific to our own apps and may not be applicable to others.

Short answer: Despite having an encrypted database using SQLCipher and using HTTPS for all of our data transfers, our apps Export Control Classification Number (ECCN) is "EAR99" meaning they do not need any US export license (no SNAP-R). Hit that publish button!

More details: My company employ a third-party company that specializes in classifying products that are meant to be exported. After finding that out I submitted all of our app information to them and they decided that we did not fall under the export control umbrella.

like image 142
Samuel Chalvet Avatar answered Oct 13 '22 23:10

Samuel Chalvet


When uploading a app to iTunes Connect it says:

If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government

like image 2
SuprMan Avatar answered Oct 13 '22 22:10

SuprMan