CCATS needed for non-export iPhone app?

Question

I'm getting ready to finally deploy my first iPhone app. The app uses SSL to connect to a REST web service. While reading the docs on deploying the app to the app store, I came across some drivel regarding having to go through a 30 - 60 day government vetting process just to ship an app that simply connects to an HTTPS server.

My question is, since this is an export requirement, do apps that are only distributed in the US face this same restriction?

Thanks

Answer 1

The short answer is no, if you are not exporting from the United States you should not have to get an encryption review for you app. But not because it isn't considered encryption. The app is an encryption item if the app uses encryption and you have to dig a little deeper. It doesn't matter that you call routines built into the phone to do the encrypting instead of providing the code.

The reason is because if you are only selling your app within the U.S. then it is not an export. If you are selling it into Canada then it is an export to Canada, but since the U.S. allows the export of national security controlled encryption items (NS1) to Canada without a license, you don't have to get authorization for Canada.

For more info see 15 CFR part 738, Supplement 1, and look up Canada. Better yet, check out the Bureau of Industry and Security's web site at http://www.bis.doc.gov/encryption

And if you still have questions you can call the BIS help desk at 202-482-0707.

Answer 2

According to The Animail, yes, you have to go through export compliance, even if you only make an HTTPS connection in your app.

Note this part, though, which may ease your pain:

The only relief that Apple can offer is that if you agree (in written) to go through with the CCATS process and you've already submitted your application to the Government, Apple lets you start selling your app in the U.S. and Canada, adding more countries in a second step and finally opening all for sale when approval is obtained.

Perhaps Apple will be satisfied with the same written promise to only distribute in the U.S. and allow you to sell without the export review, but I'd definitely check with Apple and not assume anything.

Zetetic has an extensive post that explains the entire process for obtaining export certification.

Answer 3

Obviously, I am not a lawyer - important caveat. The US relaxed export restrictions over 10 years ago now. Also, technically, your software is using HTTPS and the phone is doing the encryption (as in, the library in CocoaTouch), not your software.

Technically your software has no encryption - unless you actually put any in on top. You are, i'm guessing, passing plain text to the Apple provided library and it is doing the rest.