Animail's posterous

iPhone Encryption Export Compliance for Apps making HTTPS (TLS) Connections - Continued

We just received an answer from Apple regarding our inquiry about whether our iPhone app requires encryption export approval because we use https connections to a webserver. (see our first blog post)

The short (and depressingly definitive) answer is: YES. We have to go through the Government review, just because we use an https connection.

Our contact at Apple replied today that she double checked with the Government: they confirm that "sending information over https is forcing the data to go through a secure channel from SSL, therefore it falls under the U.S. Government requirement for a CCATS review and approval."

As simple as that. She also added that she asked if our type of data (private communication / messages) would fall under a new exception category, but "unfortunately it does not."

So it looks like we've got to go through a process that will take at least a month, probably significantly longer.

The only relief that Apple can offer is that if you agree (in writing) to go through with the CCATS process and you've already submitted your application to the Government, Apple lets you start selling your app in the U.S. and Canada, adding more countries in a second step and finally opening all for sale when approval is obtained.

Again, I have to say that Apple (and the Sr. Export Compliance Specialist dealing with us there) always offers support in every way she can. Very helpful, very good service! I suspect it won't be the same with the Department of Commerce and its Bureau of Information Security...

We'll keep you posted on our journey. At least it involves "fun" stuff that you don't usually do in your everyday life like writing letters of explanation to the NSA...

More on Animail at:  http://theanimail.com

Posted by The Animail 

Comments (6)

Jan 27, 2010
abramo6 said...
Hi
Thank you a lot for the information! Now we have to go through the estimated 60-day process for getting a CCATS...

Do you know what is the new exception category, or where do I find out which are the exception categories?

thank you again,

Daniel

Feb 07, 2010
John said...
Hi there, thanks for this information - very helpful (if not what I wanted to hear...)
I was wondering if there's any chance you could publish (or email) the technical specification document you used as part of your CCATS application?
I'm at a loss as to what I need to put in it - I found the sample one here http://www.zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/ but it's for an application that uses other types of cryptography. My app, like yours, only uses SSL.
Unfortunately I have no idea how the SSL libraries work – I’m just using the standard iPhone libraries (i.e. opening up an NSURLConnection to an HTTPS URL) and don’t have the slightest idea what algorithms or key transformations or anything else are being used.
If there’s any way you could post your technical specification document, or an example, with the general-purpose iPhone SSL guff included that would be very very helpful!
Thanks in advance
John

Feb 08, 2010
The Animail said...
The good news is: you don't need to file a technical specification, because you are only using Apple's built-in encryption and they have those specs already on file.

The bad news is: you have to answer a questionnaire (in your Letter of Explanation) about your app anyway. Our contact at Apple referred us to Part 742 Supplement 6 for the questions we need to address (can be found here: http://www.access.gpo.gov/bis/ear/ear_data.html).

She instructed us to insert iPhone OS https or 128-bit AES or Open SSL where applicable and then add the implementation information for our app. And if a question does not apply to our app, then we should just insert N/A. Which we did, a lot.

Feb 08, 2010
John said...
Thanks very much!

I've submitted my application too - fingers crossed :)

Feb 10, 2010
Dave Pierri said...
Hi
First, thanks for this helpful blog post!
We are a Financial Institute and want to develop an iApp for financial transactions, so we need some encryption and security stuff like HTTPS.
So my question is, is it possible to have some information about the contact person from Apple (Sr. Export Compliance Specialist), to ask if in our case this review from the governance BIS is needed...?

Feb 10, 2010
The Animail said...
Hi Dave,

I'm pretty sure you do need the review from the BIS, but if you want to get the information first hand from an Export Compliance Specialist at Apple, address your question to itunesconnect@apple.com - from my experience it will then be forwarded to a specialist who will discuss the issue with you.
