I believe there was some rule changes in May 2010 that made this possible. Prior to these changes, you would have had to get a CCATS for your application. I originally did the full CCATS process, but it was not approved, and they in their own words told me to use this method.
Here is what I did.
Read all the steps before you do this:
1. Go to this link and use his instructions. This is a great post:
https://www.zetetic.net/blog/2009/8/3/mass-market-encryption-ccats-commodity-classification-for-ip.html (thank you jcesar)
2. Do step 1 and 2 for all cases. If you built your own encryption mechanism, that follow the entire post. If you used SSL or other public domain encryption, then you can stop after you have your SNAP-R account.
3. Go to the SNAP-R login site and login: https://snapr.bis.doc.gov:443/snapr/exp/UserLoginLoad
4. Click "Create Work Item"
5. Select "Encryption Registration"
6. Most if it will be filled out for you. Add this information to the "Additional Information" field. I made this up, so your milage will vary.
7. Then attach a document that looks like this one for
Control Policy—CCL Based Controls Supplement No. 5 to Part 742--page 1Export Administration Regulations June 25, 2010SUPPLEMENT NO. 5 TO PART 742 - ENCRYPTION REGISTRATIONCertain classification requests and self-classification reports for encryption items must be supported by an encryption registration, i.e., the information as described in this Supplement, submitted as a support documentation attachment to an application in accordance with the procedures described in §§ 740.17(b), 740.17(d), 742.15(b), 748.1, 748.3 and Supplement No. 2 to part 748 of the EAR.(1) Point of Contact Information(a) Contact PersonTige Phillips(b) Telephone Number1-xxx-xxx-xxxx(c) Fax Number1--xxx-xxx-xxxx(d) E-mail email@example.com(e) Mailing Addressxxxx E. General RoadSomewhere, OR 9xxxx(2) Company Overview (approximately 100 words)I am an individual developer of software. The software I create typically falls into one of two categories: Business related, where it would interact with systems created by Cisco Systems, or Recreation software that would be simple fun programs for use by individuals. For development I use openly available development platforms from Apple Computers and other manufactures. Creating software is a hobby, not my primary profession.(3) Identify which of the following categories apply to your company’s technology/families of products:(a) Wireless(i) 3G cellular(ii) 4G cellular/WiMax/LTE(iii) Short-range wireless / WLAN(iv) Satellite(v) Radios(vi) Mobile communications, n.e.s.(b) Mobile applications(c) Computing platforms(d) Multimedia over IP(e) Trusted computing(f) Network infrastructure(g) Link layer encryption(h) Smartcards or other identity management(i) Computer or network forensics(j) SoftwareYes: I only create software.(i) Operating systems(ii) Applications(k) Toolkits / ASICs / components(l) Information security including secure storage(m) Gaming(n) Cryptanalytic tools(o) “Open cryptographic interface” (or other support for user-supplied or non-standard cryptography)(p) Other (identify any not listed above)(q) Not Applicable (Not a producer of encryption or information technology items)(4) Describe whether the products incorporate or use proprietary, unpublished or non-standard cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body. (If unsure, please explain)My products do not use any proprietary, unpublished or non-standard cryptographic functionality. I only use standards based encryption that can be found on the Internet. Standards based Secure Socket Layer (SSL) encryption is an example of what I use. I also only use encryption mechanisms that are available in development platforms by companies like Apple Computers.(5) Will your company be exporting “encryption source code”?No.(6) Do the products incorporate encryption components produced or furnished by non-U.S. sources or vendors? (If unsure, please explain)No.(7) With respect to your company’s encryption products, are any of them manufactured outside the United States? If yes, provide manufacturing locations. (Insert “not applicable”, if you are not the principal producer of encryption products)
8. Once you hit submit, you will get a message in your message box.No.
11. Go submit your app to the app store. When they ask about encryption, tell them. If you need to submit an ERN, you have one. :) I gave them a word document with the screen shot of the ERN, and a very brief explanation.
You're done. The first status your app will go through is "Waiting for export compliance". Once your app is approved you will have a LEGAL app on the app store and you didn't have to lie to Apple or the US government.