Reputation: 27608
I created an app for storing usernames/passwords etc. using a publicly available AES256 encryption algorithm. I didn't write this code; I just copied and pasted it from the web and included it in my app.
- (NSData *)AES256EncryptWithKey:(NSString *)key
- (NSData *)AES256DecryptWithKey:(NSString *)key
Now for the million dollar question. What kind of approval process do I need to go through in order to get this app approved? There are about as many answers on the web as there are leaves in a jungle. Some say you don't need it, others say you have to go through a 50-60 day cycle with US Gov approval.
If anyone has used this kind of encryption in their app before then please do let me know what I need to do to successfully get this app approved through Apple gatekeepers. Thank you.
Upvotes: 10
Views: 5057
Reputation: 1170
Good day, I've found this iTunes support page; as of today these are the new policy/rules:
If the BIS says an ERN is no longer required, why is Apple still asking for it?
The Bureau of Industry and Security (BIS) recently published changes to the encryption regulations which can be viewed here.
Encryption Registrations (ERN) are no longer required prior to exporting. In lieu of obtaining an ERN prior to export, BIS now requires a year-end Self Classification Report. Consistent with these regulatory changes, Apple has simplified the export compliance review process and will no longer require developers to upload an ERN.
If you do not qualify for the exemptions, Apple requires that you provide a brief written statement confirming that you understand your legal obligations to submit a year-end self classification report required by BIS. You will be asked to upload a file during app upload, after you have answered all of the applicable export compliance questions.
reference: https://itunespartner.apple.com/en/apps/faq/Managing%20Your%20Apps_Export%20Compliance
Upvotes: 0
Reputation: 27608
I didn't do any long ERN, or CCATS processing. App got approved in 5 days.
CORRECTION: Actually it was pure dumb luck that my app was approved. I didn't mention in my app description that I had AES 256 encryption in my app. If you don't mention that then the app will get approved without any additional paperwork. If you do then get ready for a long, drawn-out process. Apple doesn't have any way to check if your app has / has not any encryption. It's up to you to declare it or not.
Upvotes: 1
Reputation: 71038
(First off: this doesn't constitute real legal advice.)
The reason why it's hard to get a clear answer to this is that the answers are actually very case dependent, and as a vendor who is choosing to export your software internationally, it's you who is on the hook for making a determination, and complying with government regulations. It's easy to assume this should all be turnkey and simple since Apple has made it trivial for developers to sell their wares internationally, but the government doesn't see it that way-- you're an independent software vendor who is exporting functionality that might have regulatory implications.
This is not about Apple gatekeeping or approval. Export compliance is not part of the "app review" itself. Apple is sort of there as a check on it since they're your distributor, but their motivation in this case is government compliance, not making judgments and approving/rejecting you-- they don't want to be in the business of forensic law enforcement. Apple will almost certainly take you at your word, whatever you say, but if you're found later to be out of compliance, they reserve the right to kick you.
Go through the wizard on app submission. If you say that crypto has changed, it will then ask you a series of pretty specific questions about what your crypto does, and if necessary will ask you to submit an ERN, or possibly a CCATS thing. There is a FAQ here.
The bad news: What you're doing probably requires you to declare the crypto. There are exemptions, but they're for pretty specific types of product rather than the kind of implementation (the US BIS web site and the Apple wizard will specify them). Simply using system APIs or publicly known crypto algorithms isn't a protection against it. (Do people do this ALL THE TIME without registering it? Of course they do. You could too, if you want.)
The good news: If what you need is an ERN, this has become a VERY streamlined, automated process in the last year or so. You can do it online, and be done with it within hours. Follow this blog post: http://tigelane.blogspot.com/2011/01/apple-itunes-export-restrictions-on.html Some cases may still require the full CCATS process, which may be more convoluted.
Upvotes: 8
Reputation: 104080
I believe you have nothing to do.
For further information on the US export controls, I suggest skimming the answers on https://softwareengineering.stackexchange.com/q/127809/25885 for links to the different agencies and what notifications or permissions they require before exporting software outside the United States.
In general, if you're using system-supplied APIs without introducing any new cryptography code yourself, you ought to be completely in the clear. (At least, I haven't heard any counter-examples to this logic nor read anything to contradict it.)
Upvotes: -4