We recently began the journey of submitting Screensaver Ninja to the Mac App Store, and found that, thanks to a particular rule and the subsequent, off-putting list of steps one must take, it appears that most Mac and iOS applications are breaking the rules. It all started with a specific question that everybody else submitting to the Mac and iOS App Stores will encounter:
Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available in iOS or OS X.)
If you are having any doubts, let me break the bad news to you: if you use HTTPS or SSL in any fashion, the answer to this question is a resounding “yes”. When we started looking around we found a lot of resources saying “just say no and move on”. Apple is probably not really checking whether you are using encryption or not, but down the road you might get in trouble. You are essentially breaking US export regulations by saying “no” there. I’m not a lawyer, so I don’t know how much trouble you can get into, but we prefer to go down the safer route and avoid any future issues.
Crypto US export restrictions
For a bit of background, you can read Wikipedia’s article on exporting cryptography. Long story short, cryptography was/is classified as a munition by the US and thus its export is heavily regulated, and back in the 90s it was mostly forbidden. This applies to you even if you are not in the US: when you submit an application to either of Apple’s stores, Apple will be distributing the app on your behalf, from the US to the world, thus exporting it.
On top of that, if your encryption is non-standard, you need special approval to sell in France, but since this doesn’t affect Screensaver Ninja, I’m going to ignore that case.
If your app uses any sort of encryption, including SSL, HTTPS, etc., your answers about export compliance should look like this:
The conclusion from selecting the above answers is that yes, sadly, you need to obtain an Encryption Registration (ERN):
To make your app available on the App Store, you must submit a copy of your U.S. Encryption Registration (ERN) approval from the U.S. Bureau of Industry (BIS).
Apple Store submission despair
If you are in a position similar to ours, those words might have started to make you feel a bit hopeless about your submission to the Apple Store. The following words will push you all the way down into the land of despair. Apple’s FAQ says:
Category 5 Part 2 of the US Export Administration Regulations cover the Information Security section of the regulations. Relevant US export administration regulations can be found on the Category 5 Part 2 page and on the encryption web page.
and then, in a very involved way, it confirms that yes, you do need an ERN, no way around it. That entry in the FAQ links to a page with a promising title: How to file an encryption registration. Whatever hope you managed to muster there, the first paragraph will swiftly destroy it:
BIS has created a new SNAP-R screen for encryption registrations. The instructions for submitting an encryption registration are found in paragraph (r) of Supplement No. 2 to Part 748
I read the whole thing several times and I couldn’t figure out how to file an encryption registration. There’s a link to an example view in SNAP-R… what is a SNAP-R and why do I care? I’m not entirely sure but it seems to be a conduit through which you get an ERN:
When an encryption registration is submitted via SNAP-R, SNAP-R will issue an Encryption Registration Number (ERN)
I kept on googling for this issue and I found some people saying that yes, you need an ERN but most of their links were broken, so another dead end. The frustration!
I rolled up my metaphorical sleeves and set to work to crack this nut, and after hitting my head against the brick wall of bureaucracy and several phone calls to different US government organizations, I got my ERN. It is actually possible and it’s not that hard, if you know what to do, and where, and how. We’ll soon post our whole journey hoping that you can replicate it for your own app.