
Setting Up SSL for an iPhone App - Hiding From Firesheep... - sahillavingia
http://appgoal.posterous.com/setting-up-ssl-for-use-with-an-iphone-app-pro
======
d_r
Unfortunately using encryption (like SSL) in your iPhone application
_generally_ subjects you to export compliance restrictions. This involves
filing government forms and waiting some weeks.

Sample process for filing forms outlined:
<http://zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/>

There is an exception of "for purposes of authentication" but I'm not sure if
it helps if you're _always_ using SSL. Would be interesting to have someone
chime in here.

~~~
Udo
SSL is classified "in the public domain" as defined by the Wassenaar
Arrangement and as such is not subject to export restrictions. The question
remains if Apple honors this in their notoriously arbitrary review process,
but as far as I can tell SSL is safe.

<http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html>

~~~
coffee
I think it comes down to the question: if you're passing data over a secure
channel (SSL), does that fall within the U.S. government's compliance
requirements? mickdj had a link with a comment in it discussing this:
<http://stackoverflow.com/questions/2135081/does-my-application-contain-encryption/2341310#2341310>
although it's from earlier this year...

~~~
Udo
People are allowed to bundle SSL implementations in their apps without being
subject to export restrictions. I don't think it matters whether you call
Apple's API to issue an HTTPS request on your behalf or whether you ship the
library yourself, the latter of which is definitely legal because big-time
software such as Firefox or Apache would have been sued out of existence a
long time ago if it wasn't. Now, Apple (and possibly the government) might
decide to see it differently, but this is the letter and spirit of the
international agreement governing crypto export.

~~~
dangrossman
Sued out of existence? The process of exporting encryption software isn't
_that_ difficult. Fill out a form, send a copy of your source code to the NSA
and you're done, generally. 10 minutes. That's second hand information but
sounds reasonable to me given how much software uses encryption in some way.

~~~
Udo
Because if crypto export regulations actually were applied to SSL in practice,
they'd have to prevent Apache and Firefox from getting into countries on the
E:1 list, and possibly D:1 as well. And personally, I don't know any https-
supporting website owner who ever filled out the mother-may-I crypto form.

(see <http://www.gpo.gov/bis/ear/pdf/740spir.pdf>)

------
mickdj
You may want to look at:

<http://stackoverflow.com/questions/2135081/does-my-application-contain-encryption>

<http://blog.theanimail.com/iphone-encryption-export-compliance-for-apps>

~~~
coffee
Interesting... This may account for the large number of apps not using SSL. I
wasn't aware that this was considered part of the export compliance.

These articles appear to be from earlier this year, I'm curious if these
restrictions still apply...

------
sahillavingia
A great example of taking something relevant in the news and applying it to
your project/business.

Great stuff.

