Have you added or made changes to encryption

Question

Created Mar ’20

Replies 8

Boosts 0

Views 9.6k

Participants 2

Please help to understand how to answer "Export Compliance" questions. What people usually answer when submitting apps that using CommonCrypto and CloudKit

1-) Have you added or made changes to encryption features since your last submission of this app?

Export laws require that products containing encryption must be properly authorized for export. Failure to comply could result in severe penalties. Learn more about export requirements.

YES or NO

2-) Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available in iOS or OS X.)

YES or NO

if question 2 YES

Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?

Make sure that your app meets the criteria of the exemption listed here. You are responsible for the proper classification of your product. Incorrectly classifying your app may lead to you being in violation of U.S. export laws and could make you subject to penalties, including your app being removed from the App Store. Read the FAQ thoroughly before answering the questions.

You can select Yes for question #2 if the encryption of your app is:

(a) Specially designed for medical end-use

(b) Limited to intellectual property and copyright protection

(c) Limited to authentication, digital signature, or the decryption of data or files

(d) Specially designed and limited for banking use or "money transactions"; or

(e) Limited to "fixed" data compression or coding techniques

You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations.

For additional guidance on exemptions, see the FAQ.

YES or NO

Boost

Answer 1

PBK OP

Mar ’20

I answer 'Yes' I use cryptography (https and OpenSSL for IAP receipt decoding) and 'Yes' it qualifies for exemption (because it's (c))

I have not submitted an annual report.

If this is wrong, I will ask for forgiveness. It's been 10 years.

1

Answer 2

juan luis OP

Mar ’20

Wow 10 years is a lot of time, is just trying to be saved and not ***** up. And you havent submit a report all that time?

0

Answer 3

PBK OP

Mar ’20

OptionPosition+ was first released in 2011. Nine years.

I only use encryption to sign things (to be sure they haven't been altered), to send NSURLRequest(s) through https, and to decode the receipt (using OpenSSL). Because I am not encrypting anything there is, IMHO, nothing to report. And this was certainly true when I started this. However, others have stated that, ITHO, a report is required even if all you are doing is sending NSURLRequests with https - because https is encoded. This new requirement is supposedly only be a few years old. I chose to disagree so I have not submitted a report.

0

Answer 4

juan luis OP

Mar ’20

I submit my app and was aseptetd, but im only using CloudKit for now, I still working on CommonCrypto data, so in the first cuestion thath they ask "Have you added or made changes to encryption features since your last submission of this app?" I anserd NO, haha. Do you thisnk that im going to be ok?

0

Answer 5

PBK OP

Mar ’20

I think you will be ok.

But....

you really should answer the questions to the best of your knowledge. Specifically, if you use encryption you should say that you use encryption and when asked whether you are exempt you should say that you are if you think you are exempt. When someone asks you to submit a report, you should submit a report.

It is one thing to fail to submit a report not knowing it is required; it is another thing to knowingly answer a question falsely.

IMHO.

0

Answer 6

juan luis OP

Mar ’20

Yes you right, next time i submit with Commoncrypto I will be more careful answering those questions.

0

Answer 7

juan luis OP

Mar ’20

Hey what about using ads? more specific Google admob, this will be a yes to answers? because is using HTTPS calls?

0

Answer 8

PBK OP

Mar ’20

See, it's like those speed limit signs. Have you ever gotten stopped for driving 58 MPH in a 55 MPH zone? No. That's https. How about 95 MPH in a 55 MPH zone? That's encrypting messages between Flynn and Yarevnichof.

0