I'm uploading a binary for the first time. iTunes Connect has asked me:

Export laws require that products containing encryption be properly authorized for export.
Failure to comply could result in severe penalties.
For further information, click here.
Does your product contain encryption?

I use https://, but only via NSURLConnection and UIWebView.

My reading of this is that my app doesn't "contain encryption," but I'm wondering if this is spelled out anywhere. "Severe penalties" doesn't sound pleasant at all, so "I think that's right" is a bit sketchy... an authoritative answer would be better.

Thanks.

+4  A: 

If you're not explicitly using an encryption library, or rolling your own encryption code, then I think the answer is "no".

Jason
Just to elaborate: You are using encryption (TLS), but it **is** properly authorized for export from the United States (and it shipped with the iPhone), so you're fine.
BlueRaja - Danny Pflughoeft
Smart comment, BlueRaja. I was thinking only of not writing the code, but thinking of it from your angle, it's obvious that Apple's HTTPS is already authorized. That makes the question much simpler I think.
Steven Fisher
Just because a library is licensed for export does not mean that your product that uses the library is also licensed. I know this doesn't make sense logically, but this is government we're discussing. See the link in Tim's answer or ask Apple or the U.S. BIS directly if you want an authoritative answer.
Steve Madsen
A: 

If you have to ask, the answer is probably no. When Apple talks about encryption, they're talking about adding routines or libraries to your code to explicitly encrypt data before storing or transmitting it. If you haven't done this, you haven't added encryption (https does not count, as that's provided by Apple).

Ben Gottlieb
According to several people who claim to have contacted Apple directly (including der_flop here and the link in Tim's answer), this is not true. Any encryption function in your application requires you to satisfy U.S. export compliance, even for making a simple HTTPS connection.
Steve Madsen
+7  A: 

If you use the Security framework or CommonCrypto libraries provided by Apple you do include crypto in your App and you have to answer yes - so simply because libraries were provided by Apple does not take you off the hook.

With regard to the original question, recent posts in the Apple Development Forums lead me to believe that you need to answer yes even if all you use is SSL.

Here's a blog that addresses the latest posts in the Apple forum:

http://blog.theanimail.com/iphone-encryption-export-compliance-for-apps

-t

Tim
Not what I wanted to hear at all, but thanks for posting this. I suppose I should use one of our incidents with Apple to figure this out.
Steven Fisher
This is correct to my knowledge. The encryption export laws are draconian in how strict they are (considering the fact that software can be transmitted over a network effortlessly), but this requirement has nothing to do with whether a particular encryption approach or implementation is "authorized", but that the system (your app) utilizing it is vetted first. #IANAL, however.
Justin Searls
A: 

As SSL is in the public domain the answer will be no - these Apache docs summarise it well. If the answer was yes then the iPhone would not ship with SSL capabilities in Safari, or would use less than 64-bit.

Chris S
Just because OpenSSL, or any other library, is in the public domain doesn't mean that your product that uses it is. Apple has clearly already gone through export compliance for the iPhone itself.
Steve Madsen
+7  A: 

I asked Apple the very same question and got the answer (from a Sr. Export Compliance Specialist) that "sending information over https is forcing the data to go through a secure channel from SSL, therefore it falls under the U.S. Government requirement for a CCATS review and approval." Note that it doesn't matter that Apple has already done this for their SSL implementation, but for the government, if you USE encryption that is the same (to them) as if you had coded it yourself. I also updated our blog (http://blog.theanimail.com) since Tim linked to it with updates and details on the process. Hope that helps.

der_flop