Monday, January 17, 2011

Apple iTunes export restrictions on apps

I recently went through the process of building an app for the iTunes app store that used SSL (HTTPS) encryption.  While this seems trivial, it's not.  Depending on where you go and what you read, you might think you don't need to do anything.  That's wrong.  If your application uses encryption (including SSL and HTTPS, and possibly other public domain encryption), then you need to at least get an ERN before submitting your app to Apple for approval.

I believe there were some rule changes in May 2010 that made this possible.  Prior to these changes, you would have had to get a CCATS for your application.  I originally did the full CCATS process, but it was not approved, and they in their own words told me to use this method.

Here is what I did.

Read all the steps before you do this:
1.  Go to this link and use his instructions.  This is a great post:
http://zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/
2. Do steps 1 and 2 in all cases.  If you built your own encryption mechanism, then follow the entire post.  If you used SSL or other public domain encryption, then you can stop after you have your SNAP-R account.
3.  Go to the SNAP-R login site and login:  https://snapr.bis.doc.gov:443/snapr/exp/UserLoginLoad
4.  Click "Create Work Item"
5.  Select "Encryption Registration"

6.  Most of it will be filled out for you.  Add this information to the "Additional Information" field.  I made this up, so your mileage will vary.

7. Then attach a document that looks like this one for Encryption Registration, Supplement No. 5 to Part 742:
Control Policy—CCL Based Controls Supplement No. 5 to Part 742--page 1
Export Administration Regulations June 25, 2010
SUPPLEMENT NO. 5 TO PART 742 - ENCRYPTION REGISTRATION
Certain classification requests and self-classification reports for encryption items must be supported by an encryption registration, i.e., the information as described in this Supplement, submitted as a support documentation attachment to an application in accordance with the procedures described in §§ 740.17(b), 740.17(d), 742.15(b), 748.1, 748.3 and Supplement No. 2 to part 748 of the EAR.
(1) Point of Contact Information
(a) Contact Person
Tige Phillips
(b) Telephone Number
1-xxx-xxx-xxxx
(c) Fax Number
1--xxx-xxx-xxxx
(d) E-mail address
xxx@xxx.com
(e) Mailing Address
xxxx E. General Road 
Somewhere, OR 9xxxx
(2) Company Overview (approximately 100 words)
I am an individual developer of software.  The software I create typically falls into one of two categories: business-related software that interacts with systems created by Cisco Systems, or recreational software consisting of simple, fun programs for use by individuals.  For development I use openly available development platforms from Apple Computers and other manufacturers.  Creating software is a hobby, not my primary profession.
(3) Identify which of the following categories apply to your company’s technology/families of products:
(a) Wireless
(i) 3G cellular
(ii) 4G cellular/WiMax/LTE
(iii) Short-range wireless / WLAN
(iv) Satellite
(v) Radios
(vi) Mobile communications, n.e.s.
(b) Mobile applications
(c) Computing platforms
(d) Multimedia over IP
(e) Trusted computing
(f) Network infrastructure
(g) Link layer encryption
(h) Smartcards or other identity management
(i) Computer or network forensics
(j) Software
Yes:  I only create software.
(i) Operating systems
(ii) Applications
(k) Toolkits / ASICs / components
(l) Information security including secure storage
(m) Gaming
(n) Cryptanalytic tools
(o) “Open cryptographic interface” (or other support for user-supplied or non-standard cryptography)
(p) Other (identify any not listed above)
(q) Not Applicable (Not a producer of encryption or information technology items)
(4) Describe whether the products incorporate or use proprietary, unpublished or non-standard cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body. (If unsure, please explain)
My products do not use any proprietary, unpublished or non-standard cryptographic functionality.  I only use standards-based encryption that can be found on the Internet.  Standards-based Secure Socket Layer (SSL) encryption is an example of what I use.  I also only use encryption mechanisms that are available in development platforms from companies like Apple Computers.
(5) Will your company be exporting “encryption source code”?
No.
(6) Do the products incorporate encryption components produced or furnished by non-U.S. sources or vendors? (If unsure, please explain)
No.
(7) With respect to your company’s encryption products, are any of them manufactured outside the United States? If yes, provide manufacturing locations. (Insert “not applicable”, if you are not the principal producer of encryption products) 
No.
8. Once you hit submit, you will get a message in your message box.

9.  That message will have your ERN (Encryption Registration Number) in it.
10. Open the message and take a screen shot of the message.

11.  Go submit your app to the app store.  When they ask about encryption, tell them.  If you need to submit an ERN, you have one.  :)  I gave them a Word document with the screen shot of the ERN and a very brief explanation.

You're done.  The first status your app will go through is "Waiting for export compliance".  Once your app is approved you will have a LEGAL app on the app store, and you didn't have to lie to Apple or the US government.

60 comments:

David Kariuki said...

Great article. How long did the ERN process take?

Tige said...

David,
I think it took a couple of weeks to get the SNAP-R account. Once that is done, it should only take you about 30 minutes from start to finish to get your ERN. It's an automated response when you submit the documents, so no human waiting time.

Tige said...

BTW, thank you for the compliment. :)

Ernie said...

Thank you so much for posting this!! I didn't know they changed from CCATS and have been dreading this process for quite some time. I think this info will help immensely.

Anand said...

Great article..very helpful

Any idea if a foreign company can get a SNAP-R account? I am from India and am building an app that involves HTTPS and SSL, so would like to comply with all legal obligations.

Craig said...

Thank you very much for this article, it has been very helpful. I'm only using HTTP over SSL in my application as well.

Did you have to file an annual self-classification document as well? What did you use for the ECCN number, and what did you also use for the ITEM TYPE?

Tige said...

Ernie, if only I had the same. I actually submitted all of the entire CCATS paperwork only to find out I didn't need to and was denied. :( Hope I've helped you!

Anand, from everything that I have read you can use this process from another country (Canadians have done it). Now, the one thing I'll say is that they call you to give you your SNAP-R information over the phone. There might be another way to do it via mail. I don't know how that would work if they need to call internationally. I guess you could get a google voice number and have them call that. Let us know how it goes.

Craig, yes. You are supposed to file an annual self-classification doc. I have not done this yet, and from what I can tell it's at the end of every year. I have seen an example of one and some day I'll post it here (probably when I do it). There is no ECCN required on "Encryption Registration". That is the item type when creating a "New Work Item". I think steps 4 and 5 are what you are referring to as "ITEM TYPE". Let me know if that's not the same.

Craig said...

Tige: I submitted a couple questions to the NSA concerning the annual self-classification. I haven't heard back on everything, but you're correct in that it doesn't need to be submitted until the end of the year. For 2011, for example, it must be submitted by February 1st, 2012.

Also, the self-classification document (from what I've found) must be in a strict CSV format. There are a few examples here that suggest that an ECCN is required. This is the page that mentions the strict format, and also outlines the available parameters for the self-classification document.

Tige said...

UPDATE. I just got this e-mail. For anyone getting ready to start this process, the new method should be followed for getting a CIN (SNAP-R account). This should be great for people overseas that are registering since it looks like the entire thing is electronic now.

==========================
Effective today February 9, 2011, BIS has implemented a new SNAP-R on-line account registration and self-management system. This new system replaces the current e-mail or fax submission process used to obtain a Company Identification Number (CIN).
Benefits include:
- speed of On-Line Registration - a few minutes versus the 7 to 14 days required for paper submissions.
- ease at which the On-line Registration module enables new companies to obtain a Company Identification Number (CIN) while at the same time designate an account administrator.
- effortlessness at which existing users can claim account administrator rights for their company.
- liberty and speed by which companies may update their business & user information through utilization of the Self Management module.

Important dates:
February 9, 2011 - On line registration and account administrator designation becomes available.

April 11, 2011 - On line registration and company account administrator designation becomes mandatory for all new SNAP-R accounts.

June 10, 2011 - All existing SNAP-R accounts that do not have a company administrator will become inoperable until an individual user for the company logs on and designates him / herself as administrator.

September 8, 2011 - All existing SNAP-R accounts that do not have a company administrator will become inactive. The company will have to register electronically in the same manner as a new registrant.

Ragno said...

First of all, Thank you for this easy walk through! I was halfway through a CCATS when I found this.

Second: Will we need to file this and get a new ERN for every application we publish or is one for the whole company?

Craig said...

I'm pretty sure you'll need one for each application.

kristapsz said...

I started to read the conditions in this page: https://snapr.bis.doc.gov/snapr/docs/loginHelp.html
And it says:
"The Company recognizes that in order to apply for licenses the Company and the exporter must be subject to the jurisdiction of the United States, and the Company certifies that it will not submit such applications unless both it and the exporter are subject to U.S. jurisdiction."

Does it mean, that online registration only works for the US developers? Or I got it wrong?

Tige said...

When looking at the self filing documents, it shows having multiple "products" in there. The ERN also does not have anything in it about the product name. I took that to mean that I only need one ERN for all of my products that fall under the guidelines of its use. I would then specify the products on the self reporting sheet.

I believe that if you are "selling" the app through Apple, then Apple is the distributor and the application will be subject to US jurisdiction. I have seen comments from people in Canada that have used the original process on the SNAP-R site. If you try, please let us know if it works or not.

Crcerror said...

Hi, I am using RSA and AES in my app, and I want to create a SNAP-R account.
I am a private person, not a company.
What do you fill in at the "company" field in the application form?

Tige said...

When I filled mine out I used my name "Tige Phillips" as the Company. It's also what I used for the Apple App Store.

kyu said...

Thank you very much for the article!

sysconf said...

Hi - thanks for the article.

I have an app ready for submission in a few weeks using OpenSSL and Apple Crypto. Can someone tell me:

1) how long the process usually takes ? and
2) is this a complete online process (no other interaction needed) ?

thx

Tige said...

Now that it's an all on-line method, I don't know how long it will take. Read the comments

zhangsd said...

Hey, thanks for this article. It was extremely helpful!

Chris said...

Thanks Tige, this was a huge help.

Hunnenkoenig said...

Only PDFs created with Adobe Acrobat can be uploaded!

If you use anything else, like Foxit, the system doesn't accept it.

You also can't add a phone number which is not in US form. I couldn't add my real number to the system from Hungary. But it's their problem, I think.

Ragno said...

Any word back from Craig for filing the annual self classification document? I am looking at getting this email together and I am stuck on what ECCN is needed in the CSV file.

founder said...

Hi there, I'm lucky I think... It's hard to find any good information about this whole ERN thing... This article brought some enlightenment to me.

Now I just want to know some things that I didn't get...

1. Does Apple tell you that you need to apply for an ERN or do you have to decide for yourself?
If yes then forget about 2....

2. I do not reside in the U.S. And I don't sell to the U.S. (not even Canada, solely selling to Europe.) Do I need an ERN now?

The Java Monkey said...

Hi there - this is a brilliant blog, thanks so much!

For those wanting to know about overseas submissions, yep you can do these - I have from New Zealand - and I simply entered a phone number of all zeros and then in the notes section further down the form I put my actual international contact number. Note that they didn't call me as part of this, and everything was done via the website.

I have just submitted my app, and the ERN and it is now at the appstore status of "Waiting for Export Compliance" - Tige, does this step just involve Apple verifying that the ERN details you sent through are valid?

Once again, many, many thanks for this blog!

Tige said...

If I remember right, it only took 2-3 days in "Waiting for Export Compliance". I assume all they are doing is checking that the ERN number matches up with your company and that it's valid. There must be some government system that they use.

Let us know what your result is, and you are welcome!

cguerin said...

When I tried it, they demanded a US zip code and the letters in a Canadian zip code were refused, hence the application was rejected (for ERN) as

COMPANY ZIP CODE MUST CONTAIN ONLY NUMERIC CHARACTERS OR "-"

YOU MUST RE-SUBMIT YOUR LICENSE APPLICATION WITH THE AFOREMENTIONED
ERRORS CORRECTED FOR FURTHER DEPARTMENT OF COMMERCE PROCESSING

Dayspring Tech said...

Tige - thanks for the detailed post! We followed your instructions and made it through the App Store's Export Compliance in about 1 business day.

Unknown said...

Tige,
This is awesome. I just did it. Didn't hardly take any time with the new process of online stuff.

Ivan said...

Hi guys,

Anyone applied from the outside of the US?

I'm not sure how to understand these words in Supplement no. 5 part 742:

(7) With respect to your company’s encryption products, are any of them manufactured outside the United States? If yes, provide manufacturing locations. (Insert “not applicable”, if you are not the principal producer of encryption products)

If my company is based outside the US, should I answer "Yes: Russian Federation", or I'm missing something?

Thanks in advance!

Poonam said...

Thanks for the detailed info. If I am using a library that communicates over SSL, do I still need to get export license?

Tige said...

Ivan: If you are writing the encryption algorithm, then yes, I would say Russia. If you are using encryption that is built into the Apple iOS development libraries (like SSL), then I would answer "No", because Apple built them in California.

Poonam: If your app uses SSL, then you will need to get an export license. Fortunately, it's not that hard to get any more.

Everyone else: Thanks for your comments everyone!

Andreas Monitzer said...

Thank you for that post!

What if I'm using HTTP using Apple's library, but the server might send a redirect to HTTPS that's automatically followed by the library? Doesn't every app that uses HTTP in any form have to file for that export license?

Tige said...

If you think about what they are asking then you will be able to determine the answer.

First, this has very little to do with the USA. Our government (for the most part) doesn't care if we as citizens use security. However, other governments around the world do care if their citizens use security (send or store encrypted data). I won't go into why, it doesn't matter for this purpose.

Therefore, if an application can send or store encrypted information, then that "other government" cares and may not allow it in their country.

So, with that in mind, you can look at your app and ask the question "Can my application send or store encrypted data?". If the answer is yes, then you need to file for an export license.

If you noticed, I didn't say whether it was HTTPS, home brew encryption, AES256, SSL, SNMPv3, some dude's library on Google Docs, etc. None of that matters.

So I'm clear, those same governments that don't like you to send encrypted data are the same ones that don't like their citizens to encrypt any data that the government doesn't have the ability to decrypt and doesn't hold the "master key" for.

So, here is my one line on if you need an export license or not. This is me, not something official from Apple or a government guru:

If your application has the ability to send or store encrypted data, then you need an export license.

Tony Hursh said...

Let me add to the chorus of thanks! I wanted to add SSL to an app I've got brewing, and got a huge sinking feeling when I realized that would put it under the crypto regs.

The process has indeed been streamlined immensely. Creating the SNAP-R account took only a few minutes, and I got the ERN within 10 minutes of uploading the documentation.

It may have helped that I copied Tige's sample form and just changed the contact info, etc. If you're doing the same things (standard SSL, etc., no weird crypto) it couldn't hurt -- they may be getting a lot of these and I'm sure it's much easier to process them if they've seen the same format before.

Someone above mentioned that only PDFs generated by Acrobat will work. I didn't find that to be the case. I just printed to PDF from TextMate and it didn't cause any problems.

One wrinkle: the SSL certificate they're using for the site isn't recognized by Chrome or Safari on my (older) iMac or my (newer) MBA. Oddly, it *was* recognized by my iPad. It looks like the Verisign Intermediate Authority they're using isn't in my keychain (I have a bunch of Verisign certs, but not that one). After checking the cert serial number on Verisign's site to make sure it was legit (and also based on the fact that the iPad recognized it), I went ahead. All seems well.

Chesley said...

This whole string is really, really helpful and is starting to take the scary mystery out of the export compliance process...which I only just learned about. The SNAP-R site says they need IE6 or higher. Is this true...or have folks been able to use Mac/Chrome, Mac/FF, or Mac/Safari?

Ivan Vučica said...

Great article! Consider adding note in "step 1" that the linked site was not updated to note that CIN and PIN appear to be obtainable completely online, without faxing: https://snapr.bis.doc.gov/registration/Register.do

Overall, the procedure seems to have changed, and someone linked to this page:
http://www.bis.doc.gov/encryption/

lilac said...
Zanardi said...

Thanks a lot for your post, helped a lot!!

timfazio said...

I tried applying today and was rejected as I was outside the USA (Australia).

I'm not sure it is possible, as all over the US Gov website it says you must be in the US, despite allowing you to enter addresses and contacts in other countries.

Even with my Company's address Australia and the applicant in the USA, it still wouldn't work!

Any ideas?

Arun said...

Hi,
I'm using AES encryption for database encryption.

What should I do? Should I follow the same steps here, or do I need to do anything more?

Please Help.
Thanks in Advance.

iFreeBudget admin said...

Great post!!!

preeti said...

Thanks for sharing this article, it is extremely good. Actually I am using RSA and AES in my app but didn't know how to create a SNAP-R account; after reading this article I have solved my problems.

Unknown said...

Today it's 2012-11-10 and I did the whole process as described. Had some issues with my login, but cleared that up with the BIS representative. With the above described process I obtained an ERN instantly after uploading the document and filing the request. Thanks a lot!

Win goal said...

Fantastic blog! Very well written.


dward said...

I contacted the DoC Exporting Counselors in their Encryption Registration Division. And under the new Note 4 I was exempt since my app's primary feature set is Security or Encryption centric; I just use HTTPS for DB calls.

dward said...

I contacted the DoC Exporting Counselors in their Encryption Registration Division. And under the new Note 4 I was exempt since my app's primary feature set is NOT Security or Encryption centric; I just use HTTPS for DB calls.

Chris Boraski said...

I use SSL in my app to connect to some 3rd party servers, and I wasn't aware of this until last night when I was ready to submit the app to Apple. I was pretty worried this would tie me up for another week or more. I am happy to report that this is very streamlined and it took less than 8 hours to go through the filing process, even though I submitted overnight. Of course YMMV, but I think it's good news for most of you out there and really there's no reason not to do this if you use standards based encryption such as SSL/HTTPS.

Step 1: Complete Snap-R Company Registration, verify email address: 1:00 AM
Step 2: Invitation to finish creating account: 8:35 AM.
Step 3: Create account, create and submit Work Item/Encryption Registration: No delays from the website to complete these steps. Once you can complete the paperwork and go through the web forms, you will be done, it shouldn't take more than 15 minutes.

Thanks for creating this wonderful guide.

antifeministu said...

This is a question I posted on StackOverflow... Maybe you can help ...

This is going to be one long question... Actually a set of related questions...
I want to make an iOS app that will be sold on Apple's App Store (obviously). My app will store some sensitive user data in the documents directory. For security reasons I thought of a cryptosystem that will secure that data. Here the fun starts... That data security mechanism will be virtually unbreakable. I will be using AES-128/256, TwoFish 128/256 and Serpent 128/256. The user can select what to use where... I may be using dual encryption, data being encrypted once with AES and then with Serpent, or any combination of those.

I obviously need to check the "uses encryption" button on the app store. The problem is:

1) what certification do I need CCATS or just ERN?

From :

http://tigelane.blogspot.ro/20...

Go to this link and use his instructions. This is a great post: http://zetetic.net/blog/2009/0...

Do step 1 and 2 for all cases. If you built your own encryption mechanism, that follow the entire post. If you used SSL or other public domain encryption, then you can stop after you have your SNAP-R account.

I need apparently to do the whole certification process... I definitely made my own mechanism.

2) Can the full CCATS be done 100% online?

In that "8 easy steps" post it said I need to send some documents by (snail) mail. Then later on a user said that is not necessary anymore. Note: those blog posts seem old (2 years).

Excellent description! FYI: The process for obtaining a CIN/PIN for SNAP-R is now entirely electronic

Another user said:

You might want to consider updating your post. I've just been told by a BIS Counsellor that it's no longer necessary to snail mail in hard copies of your application form and supporting documentation. It may be something trivial to some but wasting $80 on international shipping is $80 down the drain.

I hope I don't need to send all the documents by mail, as it will take a while to get them to the US from the EU.

Has anyone in the EU used the ERN/CCATS process recently?

3) I also saw that they ask you for a fax number... I don't have a fax. Is that a big problem?

If really necessary would an online fax service be ok?

4) Do I need to explain the whole encryption mechanism in detail? Or just the algorithms? Can I be rejected for having a "too good for mass market encryption cryptosystem"?

Mostly, do I need to explain or declare that some data will be encrypted twice? Or is "will store data encrypted on disk" a good enough explanation?

5) I will be using some password extension algorithms and hashing (HMAC, with SHA-2, maybe SHA-3)... do I need to report those too?

Thank you...

Andrew said...

I found that under Firefox on Mac I couldn't submit any PDF file without SNAPR complaining that it only accepted PDF files. This included a PDF file generated by Adobe Acrobat (30 day trial version). I switched to Safari and could then upload the PDF.

Andrew said...

I can confirm this worked for an Australian company with an Australian address.

David Karlsson said...

Did you not need to submit

SUPPLEMENT NO. 8 TO PART 742 -
SELF-CLASSIFICATION REPORT FOR ENCRYPTION ITEMS

Neil Kutchera said...

Following your instructions I submitted a request for encryption registration and received an electronic response authorizing export all in the same evening. Thank you for this information.

Anne said...

It's a bit nerve-racking to go through that process. I wanted to thank you as your tutorial was very helpful. I just got my ERN number. x

Ro-el said...

Thanks for the great post, this was very helpful.

I see a few others have asked about how long this takes, so here is an example of how long this took me from start to finish (not counting the time I wasted before I found your post). My app is very similar in scope to the example:

SNAP-R Registration:
1) Register online for a SNAP-R account: less than 5 minutes to fill out registration form
2) Wait for "SNAP-R Registration Confirmation" Email: ~10 minutes
3) Wait for confirmation that "SNAP-R login information is available": ~55 minutes (note: site says to allow up to 5 days)
4) Time to “Setup my SNAP-R user account” and login: A minute or two

SNAP-R Work Item setup:
5) Time to Create and Submit Work Item: 20 minutes (I took my sweet time)
6) Time to get the accepted acknowledgment message: instantly
7) + 15 minutes of document creation and uploading to Apple etc.

All in: Around 1 hour and 45 minutes

Foriger said...

Hi,

Is this valid only for the United States? So if I operate in other app stores, not the American one, do I need to reproduce these steps?

Mike B said...

This is a great article. I followed the procedure and had my ERN number in less than a day.

I'm now preparing a spread sheet to use for the annual self-classification report. What have others used for the ITEM TYPE field? Is 'Software n.e.s' the correct value? What does 'n.e.s' mean?

jimillo said...

Hi

Thank you for the information. I have a few questions.

Is this done for each application that you want to submit, or does it allow you to use the same ERN for multiple apps? Where do you declare the name of the app? Do you have to send the source code?

Thanks

Paul Baker said...

I just wanted to thank you for this article. There's a lot of confusion out there about this stuff and these words, written in plain English, helped immensely.

The Geeks said...

Thanks for review, it was excellent and very informative.
thank you :)