Menu
I'm looking at creating an iPhone app that will communicate with a REST Web service. Because some user-sensitive data (name, address, age, etc) will be transmitted, I'm looking at securing the connections with SSL.
However, on my previous escapades into App Store submission, I saw that the first question I get asked is "Does your application use encryption?" and depending on the answer to this and other follow-up questions, may require US export compliance.
My company is not based in the US, nor do we have a US office.
Has anyone else submitted an app using SSL for this sort of purpose? If so, did you need to do anything to get permission to use it, either from Apple or from the US government?
659
Typically, the use of encryption that's built into the operating system—for example, when your app makes HTTPS connections using NSURLSession —is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not.
App Uses Non-Exempt Encryption : No If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government. Export laws require that products containing encryption must be properly authorized for export.
Export compliance, therefore, refers to the act of complying with these regulations. It is the legal obligation of organizations to comply with all export regulations and rules that are relevant and applicable to the jurisdictions where they conduct business.
SSL (HTTPS/TLS) is still encryption and unless you are using it just for authentication, then you should get the proper approval.
Update as of 20th September 2016
ERN's are no longer required, so it seems many apps will no longer need to register with the US government. (Though you may still need to file a bi-annual Self-Classification Report Supp. No. 8 to Part 742 report.) http://www.bis.doc.gov/InformationSecurity2016-updates
(Thanks to @EugenioDeHoyos and @user3562927 for pointing this out!)
This third-party website may assist you in preparing your report: Self-Classification Report Generator (Another user added a link to it, I have not tried it myself.)
French Government registration is still required to sell in France.
The iTunes Connect FAQs have been updated to cover this change and are the most readable reference I've found.
Old Answer
The process has changed, as of Summer 2010, and you (probably) need an ERN now, not a CCATS as was necessary at the time John wrote his answer.
See Apple iTunes export restrictions on apps. The iTunes connect faq also contains a lot of useful information on export compliance.
There are also now restrictions that apply to distributing apps with encryption on the French app store - see the itunes connect FAQ and the French Export Compliance thread on the devforums.
153
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
