iPhone Encryption Export Compliance for Apps making HTTPS (TLS) Connections
As we are working on the last features for our first release of the Animail, we started to take care of the 'logistics' connected with the publication of an iPhone app in the iTunes App Store. This is pretty straightforward in iTunes Connect, up to the point where the question 'Does your app use encryption' pops up.
At first we thought this would only apply to third-party encryption, or apps whose main purpose is encryption. Or it wouldn't apply to a non-US company anyway.
And we're only using common HTTPS (TLS) connections to talk to our server; it's a functionality that Apple offers publicly, so it's their problem and they probably dealt with the U.S. Government about this a long time ago. Or at least we thought so.
As it turns out, this is all wrong. To be on the safe side with this rather complex issue, we contacted Apple and got an elaborate and clear explanation from a Sr. Export Compliance Specialist within 2 working days:
First, she explained that using an encryption method offered by Apple is the same to the government as if our product had the encryption routine built in. Regardless of the source, so even if you only use encryption methods offered by the iPhone OS, your app is subject to export regulation.
Second, as the app is being sold by Apple Inc. and all apps reside on servers in the U.S., all apps are subject to export regulations.
Note: I'm not sure about apps that are only being sold within the U.S., but as this is not the case with ours, it doesn't exempt us from regulation.
Third, as we are using HTTPS to transmit data from or to our server, we are using encryption in our product and therefore we will need to review our use case against the regulations.
She then offered to determine whether or not we will need to enter a formal review and approval process with the U.S. Government based on more detailed information on how we use the HTTPS connection and also based on what kind of data will be protected. (Details on the formal process can be found at http://www.zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/) We sent that information on 13 January 2010 and will keep you posted on the progress.
Update: we received an answer from Apple today (26 January 2010) that we have to go through the CCATS approval process. Here's the new blog post with details.
More on Animail at: http://theanimail.com
Posted by The Animail
