4

I'm getting ready to finally deploy my first iPhone app. The app uses SSL to connect to a REST web service. While reading the docs on deploying the app to the app store, I came across some drivel regarding having to go through a 30 - 60 day government vetting process just to ship an app that simply connects to an HTTPS server.

My question is, since this is an export requirement, do apps that are only distributed in the US face this same restriction?

Thanks

Steve
  • This is a duplicate of this question: http://stackoverflow.com/questions/2135081/does-my-application-contain-encryption – Brad Larson Mar 13 '10 at 14:52
  • And also this one: http://stackoverflow.com/questions/2128927/using-ssl-in-an-iphone-app-export-compliance – Brad Larson Mar 13 '10 at 14:54
  • 2
    Actually, it doesn't duplicate either of those questions, since I'm specifically asking about US distribution only. I had already looked at those prior to posting this, but since they didn't address the US-only issue they were of no help. – Steve Mar 15 '10 at 20:16

3 Answers

2

According to The Animail, yes, you have to go through export compliance, even if you only make an HTTPS connection in your app.

Note this part, though, which may ease your pain:

The only relief that Apple can offer is that if you agree (in written) to go through with the CCATS process and you've already submitted your application to the Government, Apple lets you start selling your app in the U.S. and Canada, adding more countries in a second step and finally opening all for sale when approval is obtained.

Perhaps Apple will be satisfied with the same written promise to only distribute in the U.S. and allow you to sell without the export review, but I'd definitely check with Apple and not assume anything.

Zetetic has an extensive post that explains the entire process for obtaining export certification.

Steve Madsen
  • The deployment process allows you to specify which stores the app can be sold in. If I just allow it to be sold in the US store, shouldn't that be sufficient to say that I'm not exporting the app? – Steve Mar 12 '10 at 21:35
  • No. You have to answer that you are using encryption, and then you'll be given the option to state you are using a limited form of encryption and only going to sell it in a subset of stores. – Kendall Helmstetter Gelner Mar 12 '10 at 22:53
  • I thought they relaxed it for 128-bit/256-bit keys though? According to globalsign etc. that is the case. – Lee Mar 13 '10 at 07:53
  • Steve: Once Apple approves your app, what stops you from changing the stores? Lee: The U.S. may have relaxed the bit limitations, but that doesn't mean they will let you export cryptographic software without reviewing and licensing it. Before, the answer for large bit keys was always "no," now it's simply "maybe." – Steve Madsen Mar 13 '10 at 19:28
  • 5
    I got a response from DTS @ Apple regarding this issue. It turns out that you *do not* have to do the CCATS things if you're only deploying to the US and/or Canada (which is all we're doing for now). In order to expand to other markets, you have to go through the CCATS process. When deploying your app to the store, you need to include a document that states that you're only deploying to the US/Canada, and you can only select those countries on the App Store, but for us this is huge. – Steve Mar 15 '10 at 20:14
2

The short answer is no, if you are not exporting from the United States you should not have to get an encryption review for your app. But not because it isn't considered encryption. The app is an encryption item if the app uses encryption and you have to dig a little deeper. It doesn't matter that you call routines built into the phone to do the encrypting instead of providing the code.

The reason is because if you are only selling your app within the U.S. then it is not an export. If you are selling it into Canada then it is an export to Canada, but since the U.S. allows the export of national security controlled encryption items (NS1) to Canada without a license, you don't have to get authorization for Canada.

For more info see 15 CFR part 738, Supplement 1, and look up Canada. Better yet, check out the Bureau of Industry and Security's web site at http://www.bis.doc.gov/encryption

And if you still have questions you can call the BIS help desk at 202-482-0707.

Rob W
Michael
0

Obviously, I am not a lawyer - important caveat. The US relaxed export restrictions over 10 years ago now. Also, technically, your software is using HTTPS and the phone is doing the encryption (as in, the library in CocoaTouch), not your software.

Technically your software has no encryption - unless you actually put any in on top. You are, I'm guessing, passing plain text to the Apple-provided library and it is doing the rest.

Lee
  • That's correct. I am not doing any encryption other than creating an HTTPS PUT with a plain text payload and sending that to my server. – Steve Mar 12 '10 at 21:09
  • 2
    It doesn't matter if your software is using built in libraries or not. – Kendall Helmstetter Gelner Mar 12 '10 at 22:54
  • This appears to be correct from the Gov't standpoint. But since I'm not exporting, it doesn't apply to my app. According to Apple, I only need to go through the process if I plan to deploy outside the US/Canada. Since I don't plan to go outside the US/Canada, my app is released from this restriction. – Steve Mar 15 '10 at 20:19
  • Steve, I appreciate this question you've posted. Could you follow up to explain if you were successful or not in getting your app released? – Erik Hermansen Aug 02 '10 at 05:48
  • 1
    We got into the review process, and the CCATS did not cause us any problems. We got rejected for other reasons (i.e. Apple didn't like the fact that we were building a survey application, which they randomly decided that they don't want on the iPhone). But the CCATS process did not apply to us, because we were only deploying to the US, and we filed the form letter with Apple stating that we were not exporting. – Steve Aug 19 '10 at 19:41