Animail's posterous

One more thing... on encryption export compliance for iPhone apps

Let me add an important thing to the previous posts (see our first blog post to start from the beginning):

Apple offers a three-step approval that allows you to start selling your application on the iTunes App Store (to limited markets) even before you have gone through the whole review and approval process with the Government.

Here it is:

If you confirm to Apple that you agree to go through with the CCATS review process, they offer:

1) To allow sales in the U.S. and Canada immediately. For that, first uncheck all the other countries in iTunes Connect (Manage your Application -> Edit Information -> Pricing). By the way, that's 75 clicks, folks. There is no 'uncheck all' button...

2) Now to the most important part of this post: upon receipt of your CCATS application by the Bureau of Information Security, Apple allows sale in the following 34 additional countries:

Australia, Austria, Belgium, Bulgaria, Cyprus,
Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland,
Italy, Japan, Latvia, Lithuania, Luxembourg,
Malta, Netherlands, New Zealand, Norway, Poland,
Portugal, Romania, Slovakia, Slovenia, Spain,
Sweden, Switzerland, Turkey, United Kingdom

That is BEFORE the approval of the Government, which should save you at least 30 days in the process. And I would say that is a significant number of countries (and potential customers) that you can sell to prior to approval.

3) When you have got approval and therefore received your CCATS number, Apple will allow worldwide sales (or sales to all countries your CCATS allows you to sell to).

More on Animail at: http://theanimail.com

Posted by The Animail 


iPhone Encryption Export Compliance for Apps making HTTPS (TLS) Connections - Continued

We just received an answer from Apple regarding our inquiry about whether our iPhone app requires encryption export approval because we use HTTPS connections to a web server (see our first blog post).

The short (and depressingly definitive) answer is: YES. We have to go through the Government review, just because we use an HTTPS connection.

Our contact at Apple replied today that she double checked with the Government: they confirm that "sending information over https is forcing the data to go through a secure channel from SSL, therefore it falls under the U.S. Government requirement for a CCATS review and approval."

As simple as that. She also added that she asked if our type of data (private communication / messages) would fall under a new exception category, but "unfortunately it does not."

So it looks like we've got to go through a process that will take at least a month, probably significantly longer.

The only relief that Apple can offer is that if you agree (in writing) to go through with the CCATS process and you've already submitted your application to the Government, Apple lets you start selling your app in the U.S. and Canada, adding more countries in a second step and finally opening all for sale when approval is obtained.

Again, I have to say that Apple (and the Sr. Export Compliance Specialist dealing with us there) always offers support in every way she can. Very helpful, very good service! I suspect it won't be the same with the Department of Commerce and its Bureau of Information Security...

We'll keep you posted on our journey. At least it involves "fun" stuff that you don't usually do in your everyday life, like writing letters of explanation to the NSA...


iPhone Encryption Export Compliance for Apps making HTTPS (TLS) Connections

As we are working on the last features for our first release of the Animail, we started to take care of the 'logistics' connected with the publication of an iPhone app in the iTunes App Store. That is pretty straightforward in iTunes Connect, up to the point where the question 'Does your app use encryption' pops up.

At first we thought this would only apply to third-party encryption, or to apps whose main purpose is encryption.
Or that it wouldn't apply to a non-US company anyway.
And we're only using common HTTPS (TLS) connections to talk to our server. It's a functionality that Apple offers publicly, so it's their problem, and they probably dealt with the U.S. Government about this a long time ago.

Or at least we thought so.
As it turns out this is all wrong.

To be on the safe side with this rather complex issue, we contacted Apple and got an elaborate and clear explanation from a Sr. Export Compliance Specialist within 2 working days:

First, she explained that using an encryption method offered by Apple is the same to the government as if our product had the encryption routine built in. The source doesn't matter: even if you only use encryption methods offered by the iPhone OS, your app is subject to export regulation.

Second, as the app is being sold by Apple Inc. and all apps reside on servers in the U.S., all apps are subject to export regulations.
Note: I'm not sure about apps that are only being sold within the U.S., but as this is not the case with ours, it doesn't exempt us from regulation.

Third, as we are using HTTPS to transmit data from or to our server, we are using encryption in our product and therefore we will need to review our use case against the regulations.

She then offered to determine whether or not we will need to enter a formal review and approval process with the U.S. Government based on more detailed information on how we use the HTTPS connection and also based on what kind of data will be protected.

(Details on the formal process can be found at http://www.zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/)

We sent that information on 13 January 2010 and will keep you posted on the progress.

Update: we received an answer from Apple today (26 January 2010) that we have to go through the CCATS approval process. Here's the new blog post with details.
