How to submit an app to Apple’s App Store when it uses encryption

Last year I learned that to publish an app in the App Store or Mac App Store, if it uses encryption of any kind and yes, HTTPS and SSL count, you need an Encryption Registration (ERN) from the US Bureau of Industry (BIS). Some people claim it&#x27;s fine to lie to Apple, claim no use of encryption and get in the app store. I&#x27;d rather do it the right way.<p>When I started the process of getting the ERN, I quickly notice it was going to be a long and arduous process and that other people could benefit from the lessons I was learning the hard way, so I decided to document it all in a long blog post.<p>This is probably one of my most researched pieces ever. The whole process took about two months from the start, researching this thing called ERN, to getting the app published in the Mac App Store, satisfying that what I did was (more or less) correct.

At the same time Apple encourages the use of HTTPS with App Transport Security (ATS).<p><pre><code> Starting in iOS 9.0 and OS X v10.11, a new security feature called App Transport Security (ATS) is available to apps and is enabled by default. It improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests. Specifically, with ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail. Furthermore, HTTPS requests must use best practices for secure communications. </code></pre> <a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;library&#x2F;ios&#x2F;documentation&#x2F;General&#x2F;Reference&#x2F;InfoPlistKeyReference&#x2F;Articles&#x2F;CocoaKeys.html" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;library&#x2F;ios&#x2F;documentation&#x2F;Genera...</a><p>Does that mean that in the future nearly every App will need the ERN?

I read this entire article thinking it was overly elaborate satire, but there was no punch line at the end, and the links are actually valid.<p>The TP pool memo[1] in Neal Stephenson <i>Snow Crash</i> seems sane by comparison.<p>[1] <a href="http:&#x2F;&#x2F;soquoted.blogspot.com&#x2F;2006&#x2F;03&#x2F;memo-from-fedland.html" rel="nofollow">http:&#x2F;&#x2F;soquoted.blogspot.com&#x2F;2006&#x2F;03&#x2F;memo-from-fedland.html</a>

Not everything that &quot;just uses HTTPS&quot; necessarily needs ERN. Here&#x27;s &quot;note 4&quot; which exempts a lot of apps: <a href="http:&#x2F;&#x2F;www.bis.doc.gov&#x2F;index.php&#x2F;policy-guidance&#x2F;encryption&#x2F;identifying-encryption-items#Three" rel="nofollow">http:&#x2F;&#x2F;www.bis.doc.gov&#x2F;index.php&#x2F;policy-guidance&#x2F;encryption&#x2F;...</a><p>A big part of our app was &quot;sending, receiving, and storing information&quot;, so we weren&#x27;t sure this exemption would apply to us. So, we did the ERN anyway, and it took a couple of days calendar time, and a couple of hours of working time, IIRC.<p>By the way, nowhere does it say that using HTTPS is fine if you just use Apple&#x27;s APIs and frameworks. I don&#x27;t think it&#x27;s relevant here.

Great guide. If you are into these sort of guides of how to deal with the US government I have written a couple for the W8-BEN-E form [1] (you need this if you have any US customers) and also for registering to do business with the US government [2]. These are biased towards Australians, but they should be helpful for others too.<p>1. <a href="http:&#x2F;&#x2F;www.tillett.info&#x2F;2015&#x2F;06&#x2F;20&#x2F;how-to-complete-w-8ben-e-form-for-australian-companies&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.tillett.info&#x2F;2015&#x2F;06&#x2F;20&#x2F;how-to-complete-w-8ben-e-...</a><p>2. <a href="http:&#x2F;&#x2F;www.tillett.info&#x2F;2015&#x2F;12&#x2F;01&#x2F;how-to-register-an-australian-company-for-business-with-the-usa-government&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.tillett.info&#x2F;2015&#x2F;12&#x2F;01&#x2F;how-to-register-an-austra...</a>

Not specific to Apple. Same thing has to be done for any other app store, like Google&#x27;s. Some mentioned that there is an exception if you use OS libraries for encryption. I think that&#x27;s not the case, but I think using some third party SDKs like Game Center (for which I guess the providers did the paper work) is excepted.

How is this different from Android apps distributed through Google Play? Legally I mean, why don&#x27;t Google Play do the same thing?

If I inform everyone that their iOS app uses AES, SHA-1, and RSA at the lowest level (codesign and Fairplay DRM), does everyone have to register? I think a plain reading of the question poised by Apple would require a &quot;Yes&quot; answer.

For cross reference, here is another list of steps based on our experience. It took about 3 days.<p><a href="https:&#x2F;&#x2F;www.chatmap.io&#x2F;blog&#x2F;iPhone-iTunes-ERN-Encryption.php" rel="nofollow">https:&#x2F;&#x2F;www.chatmap.io&#x2F;blog&#x2F;iPhone-iTunes-ERN-Encryption.php</a>

Which cryptographic algorithms are included in Atom Electron and NW.js frameworks? Does the page [1] list all of them?<p>[1] <a href="https:&#x2F;&#x2F;www.chromium.org&#x2F;blink&#x2F;webcrypto" rel="nofollow">https:&#x2F;&#x2F;www.chromium.org&#x2F;blink&#x2F;webcrypto</a>

ignoring anything else, that process seemed pretty smooth to me, esp for government. Sure you hit a few snags, but the main one (a lost email) could&#x27;ve happened signing up anywhere.

How does this apply to non-US based app publishers?<p>Am I legally exporting crypto from the US if am not in the US?

Don&#x27;t you wish you hadn&#x27;t surrendered software distribution authority to a single faceless corporate party? When nobody tried to demand bullshit crypto paperwork?<p>Remember when you could distribute software yourself without getting threatened[1]? Remember when platform vendors didn&#x27;t take a 30% cut of everything you earned just because they wrote an OS? Not even Microsoft was that evil.<p>I hope you enjoy the world you&#x27;ve built, hipsters.<p>[1] See the f.lux Apple distribution debacle