CCATS needed for non-export iPhone app?

views:

469

answers:

+3 Q:

CCATS needed for non-export iPhone app?

I'm getting ready to finally deploy my first iPhone app. The app uses SSL to connect to a REST web service. While reading the docs on deploying the app to the app store, I came across some drivel regarding having to go through a 30 - 60 day government vetting process just to ship an app that simply connects to an HTTPS server.

My question is, since this is an export requirement, do apps that are only distributed in the US face this same restriction?

Thanks

Obviously, I am not a lawyer - important caveat. The US relaxed export restrictions over 10 years ago now. Also, technically, your software is using HTTPS and the phone is doing the encryption (as in, the library in CocoaTouch), not your software.

Technically your software has no encryption - unless you actually put any in on top. You are, i'm guessing, passing plain text to the Apple provided library and it is doing the rest.

Lee 2010-03-12 21:08:22

Thats correct. I am not doing any encryption other than creating an HTTPS PUT with a plain text payload and sending that to my server.

Steve 2010-03-12 21:09:52

It doesn't matter if your software is using built in libraries or not.

Kendall Helmstetter Gelner 2010-03-12 22:54:16

This appears to be correct from the Gov't standpoint. But since I'm not exporting, it doesn't apply to my app. According to Apple, I only need to go through the process if I plan to deploy outside the US/Canada. Since I don't plan to go outside the US/Canada, my app is released from this restriction.

Steve 2010-03-15 20:19:00

Steve, I appreciate this question you've posted. Could you follow up to explain if you were successful or not in getting your app released?

Erik Hermansen 2010-08-02 05:48:14

We got into the review process, and the CCATS did not cause us any problems. We got rejected for other reasons (i.e. Apple didn't like the fact that we were building a survey application, which they randomly decided that they don't want on the iPhone).But the CCATS process did not apply to us, because we were only deploying to the US, and we filed the form letter with Apple stating that we were not exporting.

Steve 2010-08-19 19:41:56

+1 A:

According to The Animail, yes, you have to go through export compliance, even if you only make an HTTPS connection in your app.

Note this part, though, which may ease your pain:

The only relief that Apple can offer is that if you agree (in written) to go through with the CCATS process and you've already submitted your application to the Government, Apple lets you start selling your app in the U.S. and Canada, adding more countries in a second step and finally opening all for sale when approval is obtained.

Perhaps Apple will be satisfied with the same written promise to only distribute in the U.S. and allow you to sell without the export review, but I'd definitely check with Apple and not assume anything.

Zetetic has an extensive post that explains the entire process for obtaining export certification.

Steve Madsen 2010-03-12 21:23:45

The deployment process allows you to specify which stores the app can be sold in. If I just allow it to be sold in the US store, shouldn't that be sufficient to say that I'm not exporting the app?

Steve 2010-03-12 21:35:42

No. You have to answer that you are using encryption, and then you'll be given the option to state you are using a limited form of encryption and only going to sell it in a subset of stores.

Kendall Helmstetter Gelner 2010-03-12 22:53:02

I thought they relaxed it for 128-bit/256-bit keys though? According to globalsign etc. that is the case.

Lee 2010-03-13 07:53:39

Steve: Once Apple approves your app, what stops you from changing the stores?Lee: The U.S. may have relaxed the bit limitations, but that doesn't mean they will let you export cryptographic software without reviewing a licensing it. Before, the answer for large bit keys was always "no," now it's simply "maybe."

Steve Madsen 2010-03-13 19:28:58

I got a response from DTS @ Apple regarding this issue. It turns out that you *do not* have to do the CCATS things if you're only deploying to the US and/or Canada (which is all we're doing for now). In order to expand to other markets, you have to go through the CCATS process. When deploying your app to the store, you need to include a document that states that you're only deploying to the US/Canada, and you can only select those countries on the App Store, but for us this is huge.

Steve 2010-03-15 20:14:20

"I got a response from DTS @ Apple regarding this issue. It turns out that you do not have to do the CCATS things if you're only deploying to the US and/or Canada (which is all we're doing for now). In order to expand to other markets, you have to go through the CCATS process. When deploying your app to the store, you need to include a document that states that you're only deploying to the US/Canada, and you can only select those countries on the App Store, but for us this is huge"

Hello Steve, did that work for you? I am facing the same situation you were, and am getting no where with apple. Just want to know if this technique worked for you. Thanks.

2010-08-18 06:11:02

Actually, it did work. There's a letter that you need to send to Apple to ensure that you're only going to deploy to the US and Canada stores, but that was fairly painless.I'm surprised you're having problems talking to the DTS folks. I had no issue talking to them, they were very responsive and helpful.

Steve 2010-08-18 20:20:45

Awesome! Thanks a lot Steve.

2010-08-19 03:35:50

ansaurus

tags:

views:

answers:

CCATS needed for non-export iPhone app?

related questions