Monday, January 17, 2011

Apple iTunes export restrictions on apps

I recently went through the process of building an app for the iTunes App Store that used SSL (HTTPS) encryption.  While this seems trivial, it's not.  Depending on where you go and what you read, you might think you don't need to do anything.  That's wrong.  If your application uses encryption (including SSL and HTTPS, and possibly other public domain encryption) then you need to get at least an ERN before submitting your app to Apple for approval.

I believe there were some rule changes in May 2010 that made this possible.  Prior to these changes, you would have had to get a CCATS for your application.  I originally did the full CCATS process, but it was not approved, and they, in their own words, told me to use this method.

Here is what I did.

Read all the steps before you do this:
1. Go to this link and use his instructions.  This is a great post:  (thank you jcesar)
2. Do steps 1 and 2 for all cases.  If you built your own encryption mechanism, then follow the entire post.  If you used SSL or other public domain encryption, then you can stop after you have your SNAP-R account.
3. Go to the SNAP-R login site and log in:
4. Click "Create Work Item"
5. Select "Encryption Registration"

6. Most of it will be filled out for you.  Add this information to the "Additional Information" field.  I made this up, so your mileage will vary.

7. Then attach a document that looks like this one, for Encryption Registration (Supplement No. 5 to Part 742):
Control Policy—CCL Based Controls, Supplement No. 5 to Part 742
Export Administration Regulations, June 25, 2010
Certain classification requests and self-classification reports for encryption items must be supported by an encryption registration, i.e., the information as described in this Supplement, submitted as a support documentation attachment to an application in accordance with the procedures described in §§ 740.17(b), 740.17(d), 742.15(b), 748.1, 748.3 and Supplement No. 2 to part 748 of the EAR.
(1) Point of Contact Information
(a) Contact Person
Tige Phillips
(b) Telephone Number
(c) Fax Number
(d) E-mail address
(e) Mailing Address
xxxx E. General Road 
Somewhere, OR 9xxxx
(2) Company Overview (approximately 100 words)
I am an individual developer of software.  The software I create typically falls into one of two categories: business-related software that interacts with systems created by Cisco Systems, or recreational software consisting of simple, fun programs for use by individuals.  For development I use openly available development platforms from Apple Computers and other manufacturers.  Creating software is a hobby, not my primary profession.
(3) Identify which of the following categories apply to your company’s technology/families of products:
(a) Wireless
(i) 3G cellular
(ii) 4G cellular/WiMax/LTE
(iii) Short-range wireless / WLAN
(iv) Satellite
(v) Radios
(vi) Mobile communications, n.e.s.
(b) Mobile applications
(c) Computing platforms
(d) Multimedia over IP
(e) Trusted computing
(f) Network infrastructure
(g) Link layer encryption
(h) Smartcards or other identity management
(i) Computer or network forensics
(j) Software
Yes:  I only create software.
(i) Operating systems
(ii) Applications
(k) Toolkits / ASICs / components
(l) Information security including secure storage
(m) Gaming
(n) Cryptanalytic tools
(o) “Open cryptographic interface” (or other support for user-supplied or non-standard cryptography)
(p) Other (identify any not listed above)
(q) Not Applicable (Not a producer of encryption or information technology items)
(4) Describe whether the products incorporate or use proprietary, unpublished or non-standard cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body. (If unsure, please explain)
My products do not use any proprietary, unpublished or non-standard cryptographic functionality.  I only use standards-based encryption that can be found on the Internet.  Standards-based Secure Sockets Layer (SSL) encryption is an example of what I use.  I also only use encryption mechanisms that are available in development platforms from companies like Apple Computers.
(5) Will your company be exporting “encryption source code”?
(6) Do the products incorporate encryption components produced or furnished by non-U.S. sources or vendors? (If unsure, please explain)
(7) With respect to your company’s encryption products, are any of them manufactured outside the United States? If yes, provide manufacturing locations. (Insert “not applicable”, if you are not the principal producer of encryption products) 
8. Once you hit submit, you will get a message in your message box.

9. That message will have your ERN (Encryption Registration Number) in it.
10. Open the message and take a screen shot of the message.

11. Go submit your app to the App Store.  When they ask about encryption, tell them.  If you need to submit an ERN, you have one.  :)  I gave them a Word document with the screen shot of the ERN and a very brief explanation.

You're done.  The first status your app will go through is "Waiting for export compliance".  Once your app is approved you will have a LEGAL app on the app store and you didn't have to lie to Apple or the US government.