Using SSL in an iPhone App - Export Compliance


Solution 1

Update as of 20th September 2016

ERNs are no longer required, so it seems many apps will no longer need to register with the US government. (Though you may still need to file a bi-annual Self-Classification Report, Supp. No. 8 to Part 742.) http://www.bis.doc.gov/InformationSecurity2016-updates

(Thanks to @EugenioDeHoyos and @user3562927 for pointing this out!)

This third-party website may assist you in preparing your report: Self-Classification Report Generator (Another user added a link to it; I have not tried it myself.)

French Government registration is still required to sell in France.

The iTunes Connect FAQs have been updated to cover this change and are the most readable reference I've found.

Old Answer

The process has changed, as of Summer 2010, and you (probably) need an ERN now, not a CCATS as was necessary at the time John wrote his answer.

See Apple iTunes export restrictions on apps. The iTunes Connect FAQ also contains a lot of useful information on export compliance.

There are also now restrictions that apply to distributing apps with encryption on the French app store - see the iTunes Connect FAQ and the French Export Compliance thread on the devforums.

Solution 2

Now in November 2017...

This is legal stuff really, so this is pointers to what I've found useful and how I've interpreted things. Don't take it as advice (it's not).

The Apple FAQ as mentioned in other answers here is an excellent starting place: https://itunespartner.apple.com/en/apps/faq/Managing%20Your%20Apps_Export%20Compliance

This leads to doing the following: In iTunes Connect, go to your App. Pick the 'Features' tab at the top and select 'Encryption' on the side. Click 'Add Export Compliance Documentation for iOS' in the main page. The first question says: 'Export Compliance: Is your app designed to use cryptography...' Choose 'Yes'. The following question says (and I copy and paste):

Does your app meet any of the following:
(a) Qualifies for one or more exemptions provided under category 5 part 2
(b) Use of encryption is limited to encryption within the operating system (iOS or macOS)
(c) Only makes call(s) over HTTPS
(d) App is made available only in the U.S. and/or Canada

(c) is the SSL style reference (as per your question), so select Yes to this question. [Note the bottom of the guidance on this screen has a link to the above FAQ link]

In selecting 'Yes', one of the pop-up guidance boxes says (and I quote):

If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government. Learn more

And back in the FAQ, a key quote is:

Why does my app require an encryption review if I don't live in the United States? Can I bypass the encryption review if I only release my app in my home country?

Your app will be uploaded to an Apple server in the U.S., which means that your app will be exported from the U.S. and is subject to U.S. export laws. This requirement applies even if you only plan to distribute within your own country.

The last bit I think answers the 2nd bit of your question... You still have to comply even if you're not in the US and even if you don't intend to distribute outside your own country...

So, as of what I read today (in November 2017), if using SSL (HTTPS) in an iOS App, even if outside the US, boxes need to be ticked within iTunes Connect... (The process started under the 'features tab' described above). Beyond this, you then need to make an annual self classification report.

The link in the Apple FAQ relating to this is currently broken (as I write this), but this link is useful: https://www.bis.doc.gov/index.php/policy-guidance/product-guidance/high-performance-computers/223-new-encryption/1238-how-to-file-an-annual-self-classification-report

This page includes the email addresses to send your report to (you have to send it to 2 places), when it must be sent, and what format and information needs to be sent (a carefully created, very prescribed .csv file). I failed to find this with the bis.doc.gov search engine, but found it using a general search engine searching for 'year-end Self Classification Report'. So if this particular link dies in the future, this search might help find any replacement :)

As to details of how to craft this .csv file for an iOS App using SSL I'm not sure yet - I hope to have success and will edit this post with details if it seems appropriate.

Towards this though, in this linked doc: https://www.bis.doc.gov/index.php/documents/new-encryption/1651-740-17-enc-table/file (which you might need to zoom in to read) I figure the relevant line is the 3rd one (b)(1) as the submission requirements match. It refers to having to

submit Supp. 8, part 742, by email

This document also has an ECCN column, and I'm getting to thinking the relevant ECCN number is 5A002 dot something

This next document has more details about picking the correct ECCN code:

https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file

Reading this, my current best guess is that if SSL is being used as a small part of an App this relates to code 5A002.a.4

UPDATE:

So at the bottom of bis.doc.gov guidance the description for creating the .csv file says:

  • First line of the annual self-classification report must consist of the following 12 entries: PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS, NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS.
  • No entry may be left blank.
  • PRODUCT NAME and ECCN must be completed.
  • For MODEL NUMBER and MANUFACTURER, if necessary, enter "NONE" or "N/A".
  • For AUTHORIZATION TYPE, enter ENC or MMKT.
  • For ITEM TYPE, pick from the list of item types provided in the Supp. 8 to Part 742 (a)(6).
  • Column headers SUBMITTER NAME through NON-U.S. MANUFACTURING LOCATIONS relate to the company as a whole, and thus should be entered the same for each product (i.e., only one point of contact, one ‘YES’ or ‘NO’ answer to whether any of the reported products incorporate non-U.S. sourced encryption components, and one list of non-U.S. manufacturing locations, is required for the report). Duplicate this information into each row of the spreadsheet
  • The only permitted use of a comma is the necessary separator between the 12 entries for each line item. The only commas allowed are the ones inserted automatically during spreadsheet conversion.

Using Supplement No. 8 to Part 742—Self-Classification Report for Encryption Items for further guidance, I got to a .csv file like this:

PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS, NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS
[my-app-name] iOS App,[my-App-version-number],SELF,5A002,ENC,Link encryption,[My-name],[my-phone-number],[my-email],[my address with no commas],YES,[my-location]

Note that this should be a well-formed .csv file, which this isn't quite. I suggest creating something in a spreadsheet and saving it as a .csv

Also note that this is not an advised result - it's my best interpretation as an unqualified individual having had no advice. The example .csv at the bottom of the bis.doc.gov guidance helped me further and seemed to suggest that the ECCN could just be 5A002 without further detail. The ITEM TYPE has to be picked from the list in Supplement number 8 - something else might fit the nature of your App better. I wasn't so sure on MODEL NUMBER, but the example looked like it was using version number type descriptions. Maybe App Apple ID would be better here. Given it's optional, it might not matter...

UPDATE (Jan 2019): Finally made my submission for 2018 and went for:

PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS, NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS
[my-app-name] iOS App,N/A,SELF,5A002,ENC,Link encryption,[My-name],[my-phone-number],[my-email],[my address with no commas],NO,[my-location]

The changes were to put 'N/A' as the Model Number and 'NO' for NON-U.S. COMPONENTS. 'NO' because there are no bought-in components to my App (US or NON-US) - the encryption code is just the iOS encryption library.
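A small checker for the .csv rules quoted in this answer (12 prescribed header names, no blank entry, ENC or MMKT, company columns repeated identically, commas only as separators). This is an added example written for this page, not code from BIS or Apple; the sample rows and the names, phone number, e-mail and address in them are constructed placeholders.

```python
# Column names the BIS guidance requires on the first line, in this order.
REQUIRED_HEADER = [
    "PRODUCT NAME", "MODEL NUMBER", "MANUFACTURER", "ECCN",
    "AUTHORIZATION TYPE", "ITEM TYPE", "SUBMITTER NAME", "TELEPHONE NUMBER",
    "E-MAIL ADDRESS", "MAILING ADDRESS", "NON-U.S. COMPONENTS",
    "NON-U.S. MANUFACTURING LOCATIONS",
]
# SUBMITTER NAME through NON-U.S. MANUFACTURING LOCATIONS describe the company,
# so the guidance wants them repeated identically on every product row.
COMPANY_COLUMNS = range(6, 12)


def validate_report(text):
    """Return the rule violations found in the report text (empty list = passes)."""
    problems = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return ["report is empty"]
    header = [h.strip() for h in lines[0].split(",")]
    if header != REQUIRED_HEADER:
        problems.append("line 1: header is not the 12 prescribed column names in order")

    company = None
    for lineno, line in enumerate(lines[1:], start=2):
        # Split on raw commas rather than parsing quoted CSV: the guidance allows
        # commas only as the 11 separators, so a quoted comma is still a violation.
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != len(REQUIRED_HEADER):
            problems.append(f"line {lineno}: expected 12 fields, found {len(fields)} "
                            "(stray comma or missing separator)")
            continue  # column positions are unreliable on this line
        for name, value in zip(REQUIRED_HEADER, fields):
            if not value:
                problems.append(f"line {lineno}: {name} is blank (use NONE or N/A)")
        if fields[4] not in ("ENC", "MMKT"):
            problems.append(f"line {lineno}: AUTHORIZATION TYPE must be ENC or MMKT, got {fields[4]!r}")
        if fields[10].upper() not in ("YES", "NO"):
            problems.append(f"line {lineno}: NON-U.S. COMPONENTS must be YES or NO, got {fields[10]!r}")
        this_company = tuple(fields[i] for i in COMPANY_COLUMNS)
        if company is None:
            company = this_company
        elif this_company != company:
            problems.append(f"line {lineno}: company columns differ from the first product row")
    return problems


HEADER_LINE = ",".join(REQUIRED_HEADER)

# Constructed sample: one product row with placeholder company details.
GOOD_REPORT = HEADER_LINE + "\n" + (
    "Example Weather iOS App,N/A,SELF,5A002,ENC,Link encryption,Jane Example,"
    "+44 20 7946 0000,jane@example.com,1 Example Street London,NO,United Kingdom\n"
)

# Constructed sample where each product row breaks one rule: a blank MODEL NUMBER,
# a different SUBMITTER NAME, and a comma inside MAILING ADDRESS.
BAD_REPORT = HEADER_LINE + "\n" + (
    "Example Weather iOS App,,SELF,5A002,ENC,Link encryption,Jane Example,"
    "+44 20 7946 0000,jane@example.com,1 Example Street London,NO,United Kingdom\n"
    "Example Notes iOS App,1.2,SELF,5A002,ENC,Link encryption,John Example,"
    "+44 20 7946 0000,jane@example.com,1 Example Street London,NO,United Kingdom\n"
    "Example Chat iOS App,2.0,SELF,5A002,ENC,Link encryption,Jane Example,"
    "+44 20 7946 0000,jane@example.com,1 Example Street, London,NO,United Kingdom\n"
)
```

Running validate_report(BAD_REPORT) reports three violations, one per product row, while the single-row GOOD_REPORT passes.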

Solution 3

I actually went back to Apple and it turns out that any application using SSL does need approval (unfortunately). There are apparently some exceptions, such as if the application uses SSL only for a single payment transaction.

There is more information in Mass Market Encryption CCATS Commodity Classification for iPhone Applications in 8 Easy Steps and iPhone Encryption Export Compliance for Apps making HTTPS (TLS) Connections.

Solution 4

All these answers are obsolete as of September 20th, 2016. I just got off the phone with the SNAP-R folks (government), and they said that new legislation landed on September 20th. The new regulation removes the requirement to register your app simply because it uses encryption.

I described my app (a game) to them, and they said it's an "EAR-99", which means that I don't have to register. It's likely that Apple is about to update their website. But in the meantime, if you're trying to go through this process because you use SSL/HTTPS, just stop now. You won't even be successful in filling out the forms, because they have changed significantly.

Solution 5

I found this article from someone who went through the process recently (Dec 2015) extremely helpful. The overall consensus seems to be that you really do need to go through this process even if you are just using a REST call that utilizes SSL. This article will help you run through the process quickly.

https://carouselapps.com/2015/12/15/legally-submit-app-apples-app-store-uses-encryption-obtain-ern/

Author: John

Updated on July 28, 2020

Comments

  • John
    John over 3 years

    I'm looking at creating an iPhone app that will communicate with a REST Web service. Because some user-sensitive data (name, address, age, etc) will be transmitted, I'm looking at securing the connections with SSL.

    However, on my previous escapades into App Store submission, I saw that the first question I get asked is "Does your application use encryption?" and depending on the answer to this and other follow-up questions, may require US export compliance.

    My company is not based in the US, nor do we have a US office.

    Has anyone else submitted an app using SSL for this sort of purpose? If so, did you need to do anything to get permission to use it, either from Apple or from the US government?

    • Dan P.
      Dan P. almost 9 years
      Did you end up using an ERN or a CCATS?
    • zaph
      zaph over 7 years
    Note: There were substantial changes to the BIS EAR September 20, 2016, see the answer by @user3562927. Most registrations are no longer necessary.
  • jww
    jww about 10 years
    It also depends on the use of cryptography. If you are only using cryptography for authentication, then you don't need an export license from the Department of Commerce. So eNULL cipher suites are OK (but I'm not sure how useful they are).
  • DevC
    DevC over 9 years
    The second link is dead now.
  • andrewb
    andrewb about 9 years
    First link is dead as well
  • Mike
    Mike over 8 years
    links dead, both of them
  • zaph
    zaph over 7 years
    Some links to the 9/20 changes: Changes to BIS's information security controls bring relaxed controls, removal of registration requirement Dentons, US Implements Regulation Changes for Encryption Products, Software and Technology Shadden, Export Administration Regulation (EAR) BIS.
  • Eugenio De Hoyos
    Eugenio De Hoyos over 7 years
    I just went through this as well. The SNAP-R online application does not allow you to create an "Encryption Registration" Work Item anymore. I also spoke with them on the phone and they told me that as of Sept 20, the registration is no longer needed. You still need to classify your app via Apple as using encryption, but you do not need to fill out additional "Encryption Registration" anymore.
  • Eugenio De Hoyos
    Eugenio De Hoyos over 7 years
    Notice the line, "Encryption Registrations no longer required – some of the information from the registration now goes into the Supp. No. 8 to Part 742 report." in the following BIS update summary: bis.doc.gov/InformationSecurity2016-updates
  • Eugenio De Hoyos
    Eugenio De Hoyos over 7 years
    As of Sept 20, 2016, this is NO LONGER accurate. You do not need to register via US BIS anymore, but you still need to classify your app as using encryption via Apple. See @user3562927 's answer below, and see this document, particularly "Encryption Registrations no longer required – some of the information from the registration now goes into the Supp. No. 8 to Part 742 report." bis.doc.gov/InformationSecurity2016-updates
  • JosephH
    JosephH over 7 years
    @EugenioDeHoyos Great, thanks for pointing this out! I've updated my answer.
  • Giorgio Daino
    Giorgio Daino over 7 years
    yes, but will we need to submit an expanded “self-classification report” (on an annual basis) or request a classification from BIS? (argh...)
  • Eugenio De Hoyos
    Eugenio De Hoyos over 7 years
    Thanks @JosephH! and thanks for the original answer as well :)
  • chriskilding
    chriskilding over 7 years
    Could you clarify what you mean by filing the bi-annual Supp. No. 8 to Part 742 report? If we do not have to register any more, how and where do we send the report to?
  • JosephH
    JosephH over 7 years
    @user1475135 Not really, I haven't yet spent the time to try and decipher it all. The updated reporting requirements are detailed in federalregister.gov/documents/2016/09/20/2016-21544/…
  • user1568901
    user1568901 almost 7 years
    @JosephH I'm not finding full reporting requirements in the Wassenaar link. Appears to redirect one to CFR 742.15. That then has 2 e-mail addresses, but you have to send them encryption source code, which one won't even have if using a library (such as for TLS)... What am I missing here?
  • user1568901
    user1568901 almost 7 years
    From what I'm reading at this time it appears that even without registration required (via the exception), if you use TLS you need to do that self-classification report annually... bis.doc.gov/index.php/policy-guidance/encryption/… - "An annual self-classification report is a requirement for items exported under License Exception ENC - 740.17(b)(1), UNLESS a Commodity Classification (CCATS) has been submitted for the item."
  • JosephH
    JosephH almost 7 years
    @BrianKnoblauch See bis.doc.gov/index.php/documents/regulation-docs/… section 'SUPPLEMENT NO. 8 TO PART 742 -- SELF-CLASSIFICATION REPORT FOR ENCRYPTION ITEMS' for the details of the CSV file that should be emailed. It's still not entirely clear to me when you do / don't need to submit such a report. I suspect it's likely that a lot of people that should do so are not doing so.
  • Bob Spryn
    Bob Spryn almost 7 years
    There's a great new article speaking to the 2016 update. Might be good to add to this since it's the accepted answer: medium.com/@cossacklabs/…
  • JosephH
    JosephH almost 7 years
    @BobSpryn Thanks for the link - I've had a read and I'm not convinced that's too helpful unless a) you're using Themis (which most apps don't) /and/ b) your app is free or opensource. Did I misunderstand? I have added the link to the Apple documentation which is now actually quite helpful looking.
  • Bob Spryn
    Bob Spryn almost 7 years
    I think it also addresses apps just using https, but the new apple FAQ is the most definitive source now. 👍🏼
  • Ronny Elflein r11lein
    Ronny Elflein r11lein over 6 years
    Thanks for UPDATE: I'll go now with <App name>, <App Sku>, SELF, 5D002, MMKT, Other (iOS App), <Your name>, <Your phone number>, <Your email>, <Your home address>, no, n/a as suggested here simonfairbairn.com/bis-year-end-self-classification-report ECCN = 5D002 because SSL is OpenSource, AUTHORIZATION TYPE = MMKT because I hope for "mass market" ^^ ITEM TYPE = (xlix) Other (please specify).
  • Theo
    Theo about 6 years
    It seems like 5D992 is appropriate for most mass market apps that just use cryptography components like SSL, and not 5D002 (see "Note 3 to Category 5, Part 2").
  • isJulian00
    isJulian00 about 5 years
    If you select "yes" for the first 2 questions when App Store Connect asks you "Does your app use encryption" and "Does your app qualify for any of the exemptions", it lets you "start internal testing", and it doesn't mention anything about registering anything with the French government? @JosephH
  • JosephH
    JosephH about 5 years
    @izzyMachado The link I provide to the Apple documentation at help.apple.com/app-store-connect/#/devc3f64248f is the best thing to read. Obviously I would suggest you only answer "yes" to the "does your app qualify for any of the exemptions" if your app actually qualifies for the exemptions. It looks like, if your app meets the criteria for exemption, French paperwork is not required.
  • isJulian00
    isJulian00 about 5 years
    Does anybody know if we select YES for non-U.S. components if we use the InMobi advertising SDK (company is based out of Singapore but has offices in the U.S.)?
  • isJulian00
    isJulian00 about 5 years
    @Marcus what non-u.s components was your app using ?
  • isJulian00
    isJulian00 about 5 years
    @JosephH do you know if the InMobi SDK (inmobi.com/sdk) would count as "Non-U.S component" since the company is established in Singapore ?
  • Marcus
    Marcus about 5 years
    @izzyMachado I figured my whole app is non-u.s as it was developed and compiled in the UK which is why I thought YES in the 'non-u.s. components' column. I might be wrong though...
  • Marcus
    Marcus about 5 years
    @izzyMachado Actually, thank you for flagging this up. I think I need to put in 'NO' as it's all part of my App - not an external bought-in component.
  • isJulian00
    isJulian00 about 5 years
    @Marcus no problem !
  • Peter T.
    Peter T. about 5 years
    Some explanation of ECCN (5A002 vs 5D002 vs 5D992) is in wikipedia en.wikipedia.org/wiki/… ... more or less understandable ...
  • Peter T.
    Peter T. about 5 years
    Can anyone explain in words understandable by a non-lawyer the difference between ECCN 5A002, 5D002 and 5D992, and between ENC and MMKT, and how to decide which is the right one for an app that simply uses https to communicate to a server?
  • bluish
    bluish about 5 years
    Unfortunately the link is broken
  • RRN
    RRN about 5 years
    I think many people actually ignore this...I mean to submit a Self-Classification Report to us gov.
  • Mattias
    Mattias over 4 years
    Hey guys, I've now submit a Self-Classification Report and sent it to BIS. Does anyone know approximately how long time it takes for them to reach back? Can't go further until they have approved it so that I can attach the approval to apple, right?
  • Marcus
    Marcus over 4 years
    @Mattias As of about a year ago: I did not expect to get, or get a reply from BIS. I did not need to attach anything to Apple, I simply had to declare to Apple that I accepted the responsibility to inform BIS. In fact I made my submission to Apple before sending my Report to BIS.
  • Mattias
    Mattias over 4 years
    @Marcus I'm confused, for me it says "To make your app available on the App Store, you must submit a copy of your U.S. Commodity Classification Automated Tracking System (CCATS) approval from the U.S. Bureau of Industry and Security (BIS)" and then it wants me to attach a file, how do I get through this if they never respond? :/
  • Mattias
    Mattias over 4 years
    Okay thanks a lot it's working now, I answered no on a question where I was supposed to answer yes!
  • Robin Manoli
    Robin Manoli over 4 years
    I'd use this line from the sample: XtraGood Client App,1xx,PDQ123,Software Services LLC,5D992,MMKT,mobility and mobile applications n.e.s.,Jane Smith,(202) 555-0000,[email protected],555 Elm St. Washington DC 22032,NO Shenzhen China Amsterdam Netherlands -- in other words the model number seems to be the app version number
  • sceee
    sceee over 3 years
    Regarding the "still required French Government registration", is it only required if you sell items (for money)? Or is it something similar to the US Self-Classification report you anyway need to do even with free apps? Where can I find more information? I did search but only find things about VAT numbers and the "French Export compliance thread on the devforums" link is dead.
  • JosephH
    JosephH over 3 years
    @sceee yes, it's an import requirement, it doesn't make any difference whether it's a free or paid app. The iTunes Connect FAQ was pretty comprehensive last time I checked.