Does my application contain encryption

Question

I m uploading a binary for the first time  iTunes Connect has asked me      Export laws require that products containing encryption be properly authorized for export    Failure to comply could result in severe penalties    For further information  click here    Does your product contain encryption    I use https     but only via NSURLConnection and UIWebView   My reading of this is that my app doesn t  contain encryption   but I m wondering if this is spelled out anywhere   Severe penalties  doesn t sound pleasant at all  so  I think that s right  is a bit sketchy    an authoritative answer would be better   Thanks

User · Answer

If you re not explicitly using an encryption library  or rolling your own encryption code  then I think the answer is  no

User · Answer

Found some of these answers very useful  but wanted to add this URL for completeness since it walks you through the questions   https   itunespartner apple com en apps faq Managing 20Your 20Apps Export 20Compliance 21109148

User · Answer

As of September 20th  2016  registering is no longer required for apps that use https  or perhaps other forms of encryption   https   web archive org web 20170312060607 https   www bis doc gov index php informationsecurity2016-updates  In fact  on SNAP-R you can no longer choose  encryption registration     Specifically  they note      Encryption Registrations no longer required     some of the information   from the registration now goes into the Supp  No  8 to Part 742   report    This means you may need to send an annual report to BIS  but you don t need to register and you can note when submitting your app that it is exempt

User · Answer

Yes  according to iTunes Connect Export Compliance Information screens  if you use built-in iOS or MacOS encryption  keychain  https   you are using encryption for purposes of US Government Export regulations  Whether you qualify for an export compliance exemption depends on what your app does and how it uses this encryption  Attached images show the iTunes Connect Export Compliance Screens to help you determine your export reporting obligations  In particular  it states       If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government  Learn more

User · Answer

I found this FAQ from the US Bureau of Industry and Security very helpful.

encryption

Question 15 (What is Note 4?) is the important point:

...

Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:

Consumer applications. Some examples:

piracy and theft prevention for software or music; music, movies, tunes/music, digital photos – players, recorders and organizers games/gaming – devices, runtime software, HDMI and other component interfaces, development tools LCD TV, Blu-ray / DVD, video on demand (VoD), cinema, digital video recorders (DVRs) / personal video recorders (PVRs) – devices, on-line media guides, commercial content integrity and protection, HDMI and other component interfaces (not videoconferencing); printers, copiers, scanners, digital cameras, Internet cameras – including parts and sub-assemblies household utilities and appliances

User · Answer

I asked Apple the very same question and got the answer  from a Sr  Export Compliance Specialist   that  sending information over https is forcing the data to go through a secure channel from SSL  therefore it falls under the U S  Government requirement for a CCATS review and approval   Note that it doesn t matter that Apple has already done this for their SSL implementation  but for the government  if you USE encryption that is the same  to them  as you would ve coded it yourself  I also updated our blog  http   blog theanimail com  since Tim linked to it with updates and details on the process  Hope that helps

User · Answer

UPDATE  Using HTTPS is now exempt from the ERN as of late September  2016 https   stackoverflow com a 40919650 4976373  Unfortunately  I believe that your app  quot contains encryption quot  in terms of US BIS even if you just use HTTPS  if your app is not an exception included in question 2   Quote from FAQ on iTunes Connect   quot How do I know if I can follow the Exporter Registration and Reporting  ERN  process  If your app uses  accesses  implements or incorporates industry standard encryption algorithms for purposes other than those listed as exemptions under question 2  you need to submit for an ERN authorization  Examples of standard encryption are  AES  SSL  https  This authorization requires that you submit an annual report to two U S  Government agencies with information about your app every January   quot   quot 2nd Question  Does your product qualify for any exemptions provided under category 5 part 2  There are several exemptions available in US export regulations under Category 5 Part 2  Information Security  amp  Encryption regulations  for applications and software that use  access  implement or incorporate encryption  All liabilities associated with misinterpretation of the export regulations or claiming exemption inaccurately are borne by owners and developers of the apps  You can answer    YES    to the question if you meet any of the following criteria   i  if you determine that your app is not classified under Category 5  Part 2 of the EAR based on the guidance provided by BIS at encryption question  The Statement of Understanding for medical equipment in Supplement No  3 to Part 774 of the EAR can be accessed at Electronic Code of Federal Regulations site  Please visit the Question  15 in the FAQ section of the encryption page for sample items BIS has listed that can claim Note 4 exemptions   ii  your app uses  accesses  implements or incorporates encryption for authentication only  iii  your app uses  accesses  implements or incorporates encryption with key lengths not exceeding 56 bits symmetric  512 bits asymmetric and or 112 bit elliptic curve  iv  your app is a mass market product with key lengths not exceeding 64 bits symmetric  or if no symmetric algorithms  not exceeding 768 bits asymmetric and or 128 bits elliptic curve  Please review Note 3 in Category 5 Part 2 to understand the criteria for mass market definition   v  your app is specially designed and limited for banking use or    money transactions     The term    money transactions    includes the collection and settlement of fares or credit functions   vi  the source code of your app is    publicly available     your app distributed at free of cost to general public  and you have met the notification requirements provided under 740 13  e   Please visit encryption web page in case you need further help in determining if your app qualifies for any exemptions  If you believe that your app qualifies for an exemption  please answer    YES    to the question  quot

User · Answer

Short answer  Yes  but you don t have to do anything  I was searching the web for this for some hours  Actually it is pretty easy and you can verify this in itunes connect   1  All you have to do  If your app uses only HTTPS or uses encryption only for authentication  tokens  etc   there is nothing you have to do  just include   lt key gt ITSAppUsesNonExemptEncryption lt  key gt  lt false  gt    in your Info plist and you are done   2  Verification  You can verify this in itunes connect    select your app chose features chose encryption click     follow the dialog for https or authentication the answer is yes and yes   In any case you should of course read yourself carefully through the dialog     A very helpful article can be found here   https   www cocoanetics com 2017 02 itunes-connect-encryption-info

User · Answer

All of this can be very confusing for an app developer that's simply using TLS to connect to their own web servers. Because ATS (App Transport Security) is becoming more important and we are encouraged to convert everything to https - I think more developers are going to encounter this issue.

My app simply exchanges data between our server and the user using the https protocol. Seeing the words "USES ENCRYPTION" in the disclaimers is a bit scary so I gave the US government office a call at their office and spoke to a representative of the Bureau of Industry and Security (BIS) http://www.bis.doc.gov/index.php/about-bis/contact-bis.

The representative asked me about my app and since it passed the "primary function test" in that it had nothing to do with security/communications and simply uses https as a channel for connecting my customer data to our servers - it fell in the EAR99 category which means it's exempt from getting government permission (see https://www.bis.doc.gov/index.php/licensing/commerce-control-list-classification/export-control-classification-number-eccn)

I hope this helps other app developers.

User · Answer

If you use the Security framework or CommonCrypto libraries provided by Apple you do include crypto in your App and you have to answer yes - so simply because libraries were provided by Apple does not take you off the hook.

With regards to the original question, recent posts in the Apple Development Forums lead me to believe that you need to answer yes even if all you use is SSL.

User · Answer

Simple answers are Yes App has encryption  and Yes App uses Exempt encryption   In my application  I am just opening my company s website in WKWebView but as it uses  https   it will be considered as exempt encryption  Apple document for more info  https   developer apple com documentation security complying with encryption export regulations language objc  Alternatively  you can just add key  ITSAppUsesNonExemptEncryption  and value  NO  in your app s info plist file  and this way iTunes connect won t ask you that questions anymore  More info  https   developer apple com documentation bundleresources information property list itsappusesnonexemptencryption language objc  You can follow these 3 simple steps to verify if your application is exempt or not  https   help apple com app-store-connect   dev63c95e436  You may need to submit this annual-self-classification to US gov  For more info  https   www bis doc gov index php policy-guidance encryption 4-reports-and-reviews a-annual-self-classification

User · Answer

I had a lab with App Review team  WWDC20   My questions were   My app is making calls through HTTPS only  Should I select Yes or No  Should I send report to the US government if my app available in Germany only  doesn t available in the USA    Answers   If you just use HTTPS you can select No  The answer on the second question was unclear  Helpful link Looks like yes if you re using custom encryption

User · Answer

It s not hard to get approval for your app the proper way   SSL  HTTPS TLS  is still encryption and unless you are using it just for authentication  then you should get the proper approval   I just received approval  and my app is in the store now for something that uses SSL to encrypt data traffic  not just authentication      Here is a blog entry I made so that others can do this the proper way   apple itunes export restrictions

User · Answer

hisnameisjimmy is correct  You will notice  at least as of today  Dec 1st 2016  when you go to submit your app for review and reach the Export Compliance walkthrough  you ll notice the menu now states that HTTPS is an exempt version of encryption  if you use it for every call

User · Answer

The instructions to complete the 2020 SNAP-R forms can be found at this link. Also the Annual Self Classification Report instructions are updated for 2020.

https://stackoverflow.com/a/61431496/1217670

[iphone] Does my application "contain encryption"?

The answer is

Examples related to iphone

Examples related to encryption

Examples related to app-store

Tags