53

I am making a new app and want to submit it to the App Store.

But at the time of final submission there is a check for Export Compliance.

What should I check, Yes or No?

I use https URLs in my app.

Please help me.

Thanks in advance.

Arets Paeglis
saurabh_mishra_08
  • This has been asked before: https://stackoverflow.com/questions/45008590/itunesconnect-requires-me-to-submit-year-end-self-qualification-report However, since that question doesn't have an answer, I won't mark this one as duplicate. – Nicolas Miari Aug 24 '17 at 07:44
  • 2
    Instead, I'll refer you to the link posted as a comment to the question above: http://tigelane.blogspot.jp/2011/01/apple-itunes-export-restrictions-on.html Hope it helps. – Nicolas Miari Aug 24 '17 at 07:45
  • 2
    Also, this: http://blog.supertop.co/post/162562874252/reporting-app-encryption-use-to-the-us-government – Nicolas Miari Aug 24 '17 at 07:47

5 Answers

36

When you know that you ARE export compliant you can put this in your Info.plist:

<key>ITSAppUsesNonExemptEncryption</key>
<false/>

This will prevent App Store Connect from asking you questions about export compliance.

buzi
29

If you are using https in your application, you will need to answer yes to this question, even if all you are using is built-in mechanisms to communicate over https. The good news is that you no longer need to get the Encryption Registration Number (ERN) - the current requirements (as of August 2017) are that you just need to submit the annual self classification report to the BIS (Bureau of Industry and Security). To submit a self classification report, follow the instructions on item 13 in this FAQ: A sample Self Classification report can be found here.

For a great write-up that talks about both sides of the story (apps that only use common / freely available encryption, like SSL, as well as apps that have their own, proprietary encryption), see this Medium post.

Please don't listen to other people who state that they just answer no to this question to make things easier when submitting an app.

iosMentalist
wottle
  • So which type of reports do we need? Item 13 mentions a couple of reports; they can be sent to "BIS" (one email) and to "ENC Encryption Request Coordinator" (another email). Do we need to send both reports? – user924 May 23 '19 at 20:31
  • @user924 No, it's stating that the one report needs to be sent to both email addresses. – wottle May 30 '19 at 20:23
  • 1
    Hey, I've just sent the annual export compliance. Approximately how long does it take before they answer so that I can upload it to Apple so that the app can get published? Thanks – Mattias Aug 15 '19 at 14:38
  • 2
    I tell Apple and other platforms I use encryption if they ask, but it's a complete waste of time to tell the government. I can't be bothered, it's a stupid rule, and is completely pointless, so I don't. – Skylar Ittner Jan 24 '21 at 04:12
12

As of February 2018 this is the process to file an Annual Self Classification Report to BIS (Bureau of Industry and Security):

https://www.bis.doc.gov/index.php/policy-guidance/product-guidance/high-performance-computers/223-new-encryption/1238-how-to-file-an-annual-self-classification-report

Valerio Gentile
  • What about `"ENC Encryption Request Coordinator"`? Do I need to send anything to them? – user924 May 23 '19 at 20:59
  • From your link, it says that we need to send to both BIS and ENC – user924 May 23 '19 at 21:02
  • Hey, I've just sent the annual export compliance. Approximately how long does it take before they answer so that I can upload it to Apple so that the app can get published? Thanks – Mattias Aug 15 '19 at 14:38
  • 1
    You just need to submit the report. They will not answer. You can go ahead with the upload to Apple. – Valerio Gentile Aug 17 '19 at 00:37
7

To get an ECCN (Export Control Classification Number) for an HTTPS mass-market iOS app, follow these steps.

Download the quick reference guide to classify your app. https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file

For a basic HTTPS iOS app used to securely access a webpage or transfer a file, use 5D992, which is “Information Security” “software” not controlled by 5D002.

If your app contains more encryption functionality, then reference the policy guide. https://www.bis.doc.gov/index.php/policy-guidance/encryption

Might not be what you want to hear, but you will need to review the policy and correctly categorize the app and get the correct ECCN.

Now go to the SNAP-R form. https://snapr.bis.doc.gov/snapr/ To get to the form from the BIS homepage (https://www.bis.doc.gov/index.php), select Licensing -> Simplified Network Application Process Redesign (SNAP-R)

Register online for a SNAP-R account. https://snapr.bis.doc.gov/registration/Register.do The Bureau of Industry and Security will return a CIN application ID quickly via email.

Return to the main SNAP-R page with the CIN issued number and log in.

Select "Create Work Item"

The Type will be "Commodity Classification Request"

Reference number is 7 digits. I used my phone number.

Create

Fill in Contact Information. Leave License Information Blank

Fill in any missing info under Company Designation. When you created the CIN this info was requested.

Other Party can be left blank. Now for each app you want to register, fill in an Export Item and press Add Export Item. Multiple apps can be submitted on the same request.

ECCN will be 5D992

APP can be left blank. It is the "Adjusted Peak Performance" ("APP"), which for a commodity iOS app is not required.

Product/Model is the name of the app in the App Store.

CCATS can be left blank.

Manufacturer is your company name.

Technical Description - briefly describe the app's function and how HTTPS is leveraged. Keep it simple. They are interested in whether the app is a security risk and how encryption is used.

Example: AppName is distributed as an Apple iOS App. It uses HTTPS to download/upload daily updates to and from xxxx. The download is used to generate a table. An In-App .99 cent purchase expands the table results to include xxxx.

Additional information explains in more detail how HTTPS has been implemented.

The HTTPS file transfer is a URLSession data transfer task found in the Apple Foundation library. The iPhone automatically performs the download of the published data in csv file format, using the HTTPS protocol for a secure transfer.

Make sure you saved all your drafts. Check for errors. Then submit.

The turnaround is pretty fast. Mine took around an hour. But I am sure it varies.

The other option is that once a year you can submit an Annual Self Classification Report. But if you have a SNAP-R CCATS number you are not required to submit an Annual Self Classification Report.

https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification This is very simple. Download the sample csv file. Delete the sample data, leaving the headings. The headings are required. Fill in the columns. The column Authorization Type is MMKT. Item type Other: HTTPS File Transfer. Save the file and submit.

The BIS SNAP-R hotline [202-482-4811 DC, 949-660-0144 CA] and the Encryption Hotline for the annual submission [202-482-0707] are both very helpful. Last point: the BIS has a helpful set of YouTube videos. https://www.bis.doc.gov/index.php/online-training-room

Hope this helps.

phil
  • Thanks! Please confirm if I understand correctly: there are two options: 1) Process with creation of SNAP-R account and Work Item registration, can be done once; and 2) Submitting an Annual Self Classification Report every year – Lion Oct 14 '20 at 18:24
  • 1
    Yes, that is my understanding. With the Annual, the department does not confirm receipt, it simply files the annual report submitted away. – phil Oct 17 '20 at 14:58
3

From Complying with Encryption Export Regulations: Declare Your App’s Use of Encryption:

Typically, the use of encryption that’s built into the operating system—for example, when your app makes HTTPS connections using URLSession—is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not. To determine whether your use of encryption is considered exempt, see Determine your export compliance requirements.

So Apple says that for usual HTTPS scenarios, you do not need to upload export documentation for your app.

lauxjpn