Using Ssl in an Iphone App - Export Compliance

Using SSL in an iPhone App - Export Compliance

Update as of 20th September 2016

ERN's are no longer required, so it seems many apps will no longer need to register with the US government. (Though you may still need to file a bi-annual Self-Classification Report Supp. No. 8 to Part 742 report.) http://www.bis.doc.gov/InformationSecurity2016-updates

(Thanks to @EugenioDeHoyos and @user3562927 for pointing this out!)

This third-party website may assist you in preparing your report: Self-Classification Report Generator (Another user added a link to it, I have not tried it myself.)

French Government registration is still required to sell in France.

The iTunes Connect FAQs have been updated to cover this change and are the most readable reference I've found.

Old Answer

The process has changed, as of Summer 2010, and you (probably) need an ERN now, not a CCATS as was necessary at the time John wrote his answer.

See Apple iTunes export restrictions on apps. The iTunes connect faq also contains a lot of useful information on export compliance.

There are also now restrictions that apply to distributing apps with encryption on the French app store - see the itunes connect FAQ and the French Export Compliance thread on the devforums.

Does my application contain encryption?

UPDATE: Using HTTPS is now exempt from the ERN as of late September, 2016

https://stackoverflow.com/a/40919650/4976373

---

Unfortunately, I believe that your app "contains encryption" in terms of US BIS even if you just use HTTPS (if your app is not an exception included in question 2).

Quote from FAQ on iTunes Connect:

"How do I know if I can follow the Exporter Registration and Reporting (ERN) process?

If your app uses, accesses, implements or incorporates industry standard encryption algorithms for purposes other than those listed as exemptions under question 2, you need to submit for an ERN authorization. Examples of standard encryption are: AES, SSL, https. This authorization requires that you submit an annual report to two U.S. Government agencies with information about your app every January.
"

"2nd Question: Does your product qualify for any exemptions provided under category 5 part 2?

There are several exemptions available in US export regulations under Category 5 Part 2 (Information Security & Encryption regulations) for applications and software that use, access, implement or incorporate encryption.

All liabilities associated with misinterpretation of the export regulations or claiming exemption inaccurately are borne by owners and developers of the apps.

You can answer “YES” to the question if you meet any of the following criteria:

(i) if you determine that your app is not classified under Category 5, Part 2 of the EAR based on the guidance provided by BIS at encryption question. The Statement of Understanding for medical equipment in Supplement No. 3 to Part 774 of the EAR can be accessed at Electronic Code of Federal Regulations site. Please visit the Question #15 in the FAQ section of the encryption page for sample items BIS has listed that can claim Note 4 exemptions.

(ii) your app uses, accesses, implements or incorporates encryption for authentication only

(iii) your app uses, accesses, implements or incorporates encryption with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112 bit elliptic curve

(iv) your app is a mass market product with key lengths not exceeding 64 bits symmetric, or if no symmetric algorithms, not exceeding 768 bits asymmetric and/or 128 bits elliptic curve.

Please review Note 3 in Category 5 Part 2 to understand the criteria for mass market definition.

(v) your app is specially designed and limited for banking use or ‘money transactions.’ The term ‘money transactions’ includes the collection and settlement of fares or credit functions.

(vi) the source code of your app is “publicly available”, your app distributed at free of cost to general public, and you have met the notification requirements provided under 740.13.(e).

Please visit encryption web page in case you need further help in determining if your app qualifies for any exemptions.

If you believe that your app qualifies for an exemption, please answer “YES” to the question."

UIWebView, SSL and export compliance

As long as you are not using any third party security API (SSL, encryption, ...) you do not need other extra compliance than the Apple's approval to submit the application on Appstore.

The Apple's security API is not the best I have seen (quite not documented and painful to work with if you ask me) but you don't really need anything from it if what you are trying to do is a simple SSL connection.

If the server you are trying to connect to uses a certificate from a valid CA (not a self-signed certificate) than implementing username/password authentication is as simple as implementing one delegate method in which you would provide user's input.

-(void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
     NSString *username = [binding.authenticationProperties objectForKey:kClientUsername];
     NSString *password = [binding.authenticationProperties objectForKey:kClientPassword];
     newCredential=[NSURLCredential credentialWithUser:username
                                              password:password
                                           persistence:NSURLCredentialPersistenceForSession];
     [[challenge sender] useCredential:newCredential forAuthenticationChallenge:challenge];
}

Self-signed certificates and two-way SSL might be tricker on the other hand, but I guess this is not what you are asking for :)

I hope this answers your question.

regards

Appstore - Export compliance as an individual?

Just use the same name under which yours apps appear in the app store.

You have probably seen this.. but this guy is an individual developer who went through the process.

http://tigelane.blogspot.com/2011/01/apple-itunes-export-restrictions-on.html

---

Related Topics