views: 1337
answers: 2

Hi,

I think I'm going to have to use the Crypto libraries in my iPhone application. I wanted to ask you about the implications regarding the crypto export policy applied by Apple. Do I need to do something extra (such as filling in forms etc.)

1) If I use hashing with MD5.

2) If I use symmetric encryption.

Thanks,

A:

There's a question in iTunes Connect when you submit your app about encryption. Your answers quite possibly dictate which forms you have to fill in. My app used to have MD5 hashing. I had to do nothing more than select the right answer in a couple of check boxes.

It wasn't clear to me whether using code in the OS really meant I was exporting encryption (did it mean only if I wrote or included extra code?) but I figured that it was better to err on the side of caution.

Stephen Darlington

Thanks Stephen!
Ushox

+7 A:

I am not a lawyer, nor do I deal with export compliance full-time, but I have had to deal with the issues extensively and can point you to the original materials so you can see for yourself. If you have concerns, you should contact a lawyer familiar with Export Compliance.

US export restrictions relate to the exporter, not to the author. Apple in this case is the exporter, which is why they want the author to provide them information about what they are exporting.

If you are using system libraries, then neither you nor Apple is exporting cryptography when downloading your app. The system libraries were exported when the iPhone itself was sold, or when Apple provided a software update. That has nothing to do with you.

Cryptography of the class you're discussing only has restrictions when exported to Country Group E:1 countries (Cuba, Iran, Libya, North Korea, Syria, and Sudan). These countries are excluded by Apple.

You are explicitly exempt from review if your product falls into the "Ancillary Cryptography" category. This is defined as "not primarily useful for computing (including the operation of 'digital computers'), communications, networking (includes operation, administration, management and provisioning) or 'information security'" and includes as examples:

  • Piracy and theft prevention for software, music, etc.
  • Games and gaming
  • Household utilities and appliances
  • Printing, reproduction, imaging and video recording or playback
  • Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery)
  • Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC)
  • Automotive, aviation, and other transportation systems

"Ancillary Cryptography" might be read here as "cryptography is used by your program, but encryption is not its point." US export regulations are interested in technologies that can be repurposed into new products that might be used against the US government.

Open-source cryptographic libraries have a broad exemption as long as they are not knowingly exported to Class E:1 countries.

This is all a very long-winded (though still extremely cursory) way of saying "don't worry about it; click the applicable options that Apple provides."

For the full, gory details, go to the Commercial Encryption Export Controls site of the US BIS. Of particular interest are the Encryption Checklist Instructions.

Rob Napier

Rob, thanks for taking the time to write a detailed explanation. It's much appreciated.
Ushox

This is a fantastic answer, clears a lot!
tequilatango