
I finished my app and want to release it in the App Store. I have to check for Export Compliance. When I dived into this topic, I found many resources with different contexts about what to do or not to do, and when. It's not clear to me if I need to do a year-end self-classification report to the US government. I'm searching for app developers who already submitted apps recently.

https://developer.apple.com/documentation/security/complying_with_encryption_export_regulations#3145067

"If your app uses, accesses, contains, implements, or incorporates encryption, this is considered an export of encryption software, which means your app is subject to U.S. export compliance requirements, as well as the import compliance requirements of the countries where you distribute your app."

I have a platform app where users sign up for an account to be able to use the app. They can log in with their credentials. The authentication process is done by my backend server, which uses JWT for the authentication flow, and it encrypts the user's login in the backend. Also it's saying:

Typically, the use of encryption that’s built into the operating system—for example, when your app makes HTTPS connections using URLSession—is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not. To determine whether your use of encryption is considered exempt, see Determine your export compliance requirements.

So as of what I understand, I don't have to do the self-reporting since it's [..] Limited to authentication, digital signature, or the decryption of data or files [...] right?

https://developer.apple.com/help/app-store-connect/manage-app-information/overview-of-export-compliance

Examples of apps requiring an export compliance determination include, but aren’t limited to, apps that use:

  • Standard encryption algorithms.
  • Crypto functionality within Apple’s operating system.
  • Proprietary or non-standard encryption algorithms. The U.S. Government defines "non-standard cryptography" as any implementation of "cryptography" involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.

I assume the second and third points of this overview both regard crypto apps only; those points don't tell me anything. But the definition of "Standard encryption algorithms" isn't clear at all.

Also I'm not sure what exactly is important for the self report to the U.S. Government. Any help with this whole topic is highly appreciated. Greetings.

Marcel Dz
  • Does this https://stackoverflow.com/q/45855629/2894790 answer your question? Since I assume you are using Apple or open source encryption for JWT, typically you need to file an annual self-classification report; from the previous stackoverflow link, this medium post explains this thoroughly https://medium.com/@cossacklabs/apple-export-regulations-on-crypto-6306380682e1 – Christos Koninis May 16 '23 at 18:21
  • Hey there, thank you for the information. I already saw that SO post in my research but I wasn't sure if it's outdated. As a non-native it's still not clear to me if I have to file an annual self-classification report, and I developed the app which needs to be released. Going further through the medium link I have no hint whether it falls under the classification report, and following the links on how it should look I have no idea about WHAT I have to self-report in the file.. – Marcel Dz May 17 '23 at 12:49

0 Answers