ioshttpspublishingapp-transport-security

Switching from http to https in iOS App brings up Export Compliance issues when publishing


We recently decided to update a couple of our apps this summer to switch them from http to https in order to follow the new Apple guidelines which go into affect January 2017.

The only thing transferred to and from the app is product information, no user info or anything even remotely sensitive. But we want to comply early so that we don't have to worry about it later.

The question:

Apple seems to be forcing us to deal with US Export Compliance law which requires us to get an approval for an Exporter Registration Number (ERN), and a SNAP-R which requires a Company Identification Number (CIN). I think, I am no lawyer.

Now this question was somewhat answered here but that was more than 3 years ago, and if I understand what is happening, everyone who makes an http connection with their app and has it available outside the US is going through this.

If that's the case then I would would have expected a very clear explanation on what switching to https will require for most iOS app developers.

However I have not found much on this and I am confused on what the exact requirements are (if any).

Any counsel is appreciated.


Solution

  • Disclaimer: These were my results after many rounds of emails with different export control team members, however these results are specific to our own apps and may not be applicable to others.

    Short answer: Despite having an encrypted database using SQLCipher and using HTTPS for all of our data transfers, our apps Export Control Classification Number (ECCN) is "EAR99" meaning they do not need any US export license (no SNAP-R). Hit that publish button!

    More details: My company employ a third-party company that specializes in classifying products that are meant to be exported. After finding that out I submitted all of our app information to them and they decided that we did not fall under the export control umbrella.