Using SSL in an iPhone App - Export Compliance

I'm looking at creating an iPhone app that will communicate with a REST Web service. Because some user-sensitive data (name, address, age, etc) will be transmitted, I'm looking at securing the connections with SSL.

However, on my previous escapades into App Store submission, I saw that the first question I get asked is "Does your application use encryption?" and depending on the answer to this and other follow-up questions, may require US export compliance.

My company is not based in the US, nor do we have a US office.

Has anyone else submitted an app using SSL for this sort of purpose? If so, did you need to do anything to get permission to use it, either from Apple or from the US government?

Update as of 20th September 2016

ERN's are no longer required, so it seems many apps will no longer need to register with the US government. (Though you may still need to file a bi-annual Self-Classification Report Supp. No. 8 to Part 742 report.) http://www.bis.doc.gov/InformationSecurity2016-updates

(Thanks to @EugenioDeHoyos and @user3562927 for pointing this out!)

This third-party website may assist you in preparing your report: Self-Classification Report Generator (Another user added a link to it, I have not tried it myself.)

French Government registration is still required to sell in France.

The iTunes Connect FAQs have been updated to cover this change and are the most readable reference I've found.

Old Answer

The process has changed, as of Summer 2010, and you (probably) need an ERN now, not a CCATS as was necessary at the time John wrote his answer.

See Apple iTunes export restrictions on apps. The iTunes connect faq also contains a lot of useful information on export compliance.

There are also now restrictions that apply to distributing apps with encryption on the French app store - see the itunes connect FAQ and the French Export Compliance thread on the devforums.

Now in November 2017...

This is legal stuff really, so this is pointers to what I've found useful and how I've interpreted things. Don't take it as advice (it's not).

The Apple FAQ as mentioned in other answers here is an excellent starting place: https://itunespartner.apple.com/en/apps/faq/Managing%20Your%20Apps_Export%20Compliance

This leads to doing the following: In iTunes Connect, go to your App. Pick the 'features' tab at the top and select 'Encryption' on the side. Click 'Add Export Compliance Documentation for iOS' in the main page. First question says: 'Export Compliance: Is your app designed to use cryptography...' Choose 'Yes'. The following questions says (and I copy and paste):

> Does your app meet any of the following:
(a) Qualifies for one or more exemptions provided under category 5 part 2
(b) Use of encryption is limited to encryption within the operating system (iOS or macOS)
(c) Only makes call(s) over HTTPS
(d) App is made available only in the U.S. and/or Canada

(c) is the SSL style reference (as per your question), so select Yes to this question. [Note the bottom of the guidance on this screen has a link to the above FAQ link]

In selecting 'Yes' one of the popup-guidance box says (and I quote): > If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government. Learn more

And back in the FAQ, a key quote is: > Why does my app require an encryption review if I don't live in the United States? Can I bypass the encryption review if I only release my app in my home country?

> Your app will be uploaded to an Apple server in the U.S., which means that your app will be exported from the U.S. and is subject to U.S. export laws. This requirement applies even if you only plan to distribute within your own country.

The last bit I think answers the 2nd bit of your question... You still have to comply even if you're not in the US and even if you don't intend to distribute outside your own country...

So, as of what I read today (in November 2017), if using SSL (HTTPS) in an iOS App, even if outside the US, boxes need to be ticked within iTunes Connect... (The process started under the 'features tab' described above). Beyond this, you then need to make an annual self classification report.

The link in the Apple FAQ relating to this is currently broken (as I write this), but this link is useful: https://www.bis.doc.gov/index.php/policy-guidance/product-guidance/high-performance-computers/223-new-encryption/1238-how-to-file-an-annual-self-classification-report

This page includes the email addresses to send your report to (you have to send it to 2 places), when it must be sent and what format and information needs to be sent (a carefully created very prescribed .csv file) I failed to find this with the bis.doc.gov search engine, but found it using a general search engine searching for 'year-end Self Classification Report'. So if this particular link dies in the future, this search might help find any replacement :)

As to details of how to craft this .csv file for an iOS App using SSL I'm not sure yet - I hope to have success and will edit this post with details if it seems appropriate.

Towards this though, in this linked doc: https://www.bis.doc.gov/index.php/documents/new-encryption/1651-740-17-enc-table/file (which you might need to zoom in to read) I figure the relevant line is the 3rd one (b)(1) as the submission requirements match. It refers to having to > submit Supp. 8, part 742, by email

This document also has an ECCN column, and I'm getting to thinking the relevant ECCN number is 5A002 dot something

This next document has more details about picking the correct ECCN code:

https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file

Reading this my current best guess is that if SSL is being used as a small part of an App this relates to code 5A002.a.4

UPDATE:

So at the bottom of bis.doc.gov guidance the description for creating the .csv file says: > - First line of the annual self-classification report must consist of the following 12 entries: PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS, NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS.

• No entry may be left blank.
• PRODUCT NAME and ECCN must be completed.
• For MODEL NUMBER and MANUFACTURER, if necessary, enter "NONE" or "N/A".
• For AUTHORIZATION TYPE, enter ENC or MMKT.
• For ITEM TYPE, pick from the list of item types provided in the Supp. 8 to Part 742 (a)(6).
• Column headers SUBMITTER NAME through NON-U.S. MANUFACTURING LOCATIONS relate to the company as a whole, and thus should be entered the same for each product (i.e., only one point of contact, one ‘YES’ or ‘NO’ answer to whether any of the reported products incorporate non-U.S. sourced encryption components, and one list of non-U.S. manufacturing locations, is required for the report). Duplicate this information into each row of the spreadsheet
• The only permitted use of a comma is the necessary separator between the 12 entries for each line item. The only commas allowed are the ones inserted automatically during spreadsheet conversion.

Using Supplement No. 8 to Part 742—Self-Classification Report for Encryption Items for further guidance, I got to a .csv file like this:

PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS, NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS
[my-app-name] iOS App,[my-App-version-number],SELF,5A002,ENC,Link encryption,[My-name],[my-phone-number],[my-email],[my address with no commas],YES,[my-location]

Note that this should be well a well formed .csv file which this isn't quite. I suggest creating something in a spreadsheet and saving as a .csv

Also note that this is not an advised result - it's my best interpretation as an unqualified individual having had no advice. The example .csv at the bottom of the bis.doc.gov guidance helped me further and seemed to suggest that the ECCN could just be 5A002 without further detail. The ITEM TYPE has to be picked from the list in Supplement number 8 - something else might fit the nature of your App better. I wasn't so sure on MODEL NUMBER, but the example looked like it was using version number type descriptions. Maybe App Apple ID would be better here. Given it's optional, it might not matter...

UPDATE (Jan 2019): Finally made my submission for 2018 and went for:

PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS, NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS
[my-app-name] iOS App,N/A,SELF,5A002,ENC,Link encryption,[My-name],[my-phone-number],[my-email],[my address with no commas],NO,[my-location]

The changes were to put 'N/A' as the Model Number and 'NO' for NON-U.S. COMPONENTS. 'NO' because there are no bought-in components to my App (US or NON-US) - the encryption code is just the iOS encryption library.

I actually went back to Apple and it turns out that any application using SSL does need approval (unfortunately). There are apparently some exceptions, such as if the application uses SSL only for a single payment transaction.

There is more information in Mass Market Encryption CCATS Commodity Classification for iPhone Applications in 8 Easy Steps and iPhone Encryption Export Compliance for Apps making HTTPS (TLS) Connections.

All these answers are obsolete as of September 20th, 2016. I just got off the phone with the SNAP-R folks (government), and they said that new legislation landed on September 20th. The new regulation removes the requirement to register your app simply because it uses encryption.

I described my app (a game) to them, and they said it's an "EAR-99", which means that I don't have to register. It's likely that Apple is about to update their website. But in the meantime, if you're trying to go through this process because you use SSL/HTTPS, just stop now. You won't even be successful in filling out the forms, because they have changed significantly.

I found this article from someone who went through the process recently (Dec 2015) extremely helpful. The overall consensus seems to be that you really do need to go through this process even if you are just using a REST call that utilizes SSL. This article will help you run through the process quickly.

https://carouselapps.com/2015/12/15/legally-submit-app-apples-app-store-uses-encryption-obtain-ern/

I ran across this question earlier today and thought I'd come back to report my experience.

Check out: http://tigelane.blogspot.com/2011/01/apple-itunes-export-restrictions-on.html for a procedure that worked well for me (be sure to read the whole thing including the comments -- there have been some changes since the original post, mostly for the better, and the updated info is in the comments).

The process is pretty streamlined now (except for Safari and Chrome not recognizing their own site's SSL certificate. A little ironic there. :-); I got approval about 10-15 minutes after submitting the info.

I'd guess that this has become a routine thing for them (at least if you're only using SSL rather than some kind of exotic crypto).

Because the app is setting up and using secure SSL connections it is considered an encryption product. The US export controls depend on whether you use encryption, not where you find it. It doesn't matter that you are using a built-in function instead of writing your own, using a commercial library, or using a specialized processor--it is still an encryption item.

Check out the BIS web site at www.bis.doc.gov/encryption or call the help desk at 202-482-0707 if you want to discuss the particulars of your app. If you find out you need an encryption classification then the link for the SNAPR is there too.