
How to submit an app to Apple’s App Store when it uses encryption - pupeno
https://carouselapps.com/2015/12/15/legally-submit-app-apples-app-store-uses-encryption-obtain-ern/
======
pupeno
Last year I learned that to publish an app in the App Store or Mac App Store,
if it uses encryption of any kind and yes, HTTPS and SSL count, you need an
Encryption Registration (ERN) from the US Bureau of Industry (BIS). Some
people claim it's fine to lie to Apple, claim no use of encryption and get in
the app store. I'd rather do it the right way.

When I started the process of getting the ERN, I quickly noticed it was going
to be a long and arduous process and that other people could benefit from the
lessons I was learning the hard way, so I decided to document it all in a long
blog post.

This is probably one of my most researched pieces ever. The whole process took
about two months from the start, researching this thing called ERN, to getting
the app published in the Mac App Store, satisfied that what I did was (more
or less) correct.

~~~
NamTaf
Holy crap that is a bureaucratic nightmare. Why does encryption even need to
be registered in the first place? I don't see any point beyond the holdover of
'encryption is munitions' which is a pile of crap in the first place.

~~~
chrischen
Encryption is munitions. It is the modern day "arms" that the spirit of
the 2nd amendment to the US constitution was trying to protect as a fail-safe
to an overreaching corrupted government.

We don't need to bear arms anymore because we don't walk around dueling people
at high noon anymore, but being an information based economy and information
based society, encryption is the new gun in the wild world web.

~~~
aftbit
We continue to need to bear arms of all sorts, equal to those that the
military uses. As you pointed out, the purpose of the 2nd amendment was to
avoid tyranny in a powerful central government. As long as the (federally
funded & led) military uses firearms, responsible civilians _must_ also keep &
bear them.

~~~
Pharaoh2
If that is so, then we have already lost. No firearm held by the citizens can
compete with the firepower of the military of today.

The spirit of the amendment may have been in the right place and surely worked
when the constitution was written but we live in a very different world now
and if you still think an armed citizenry will avoid tyranny, you need to
go to youtube and see what the military can now do.

~~~
woah
Are you sure about that? Look at Iraq. Also, while soldiers in the military
might be fine oppressing a compliant populace, how many will jump ship if they
are forced to wage actual war on their countrypersons?

~~~
rail2rail
All fine and well until the drone army comes online.

Only half kidding.

------
weinzierl
At the same time Apple encourages the use of HTTPS with App Transport Security
(ATS).

    Starting in iOS 9.0 and OS X v10.11, a new security feature
    called App Transport Security (ATS) is available to apps and is
    enabled by default. It improves the privacy and data integrity
    of connections between an app and web services by enforcing
    additional security requirements for HTTP-based networking
    requests. Specifically, with ATS enabled, HTTP connections must
    use HTTPS (RFC 2818). Attempts to connect using insecure HTTP
    fail. Furthermore, HTTPS requests must use best practices for
    secure communications.

[https://developer.apple.com/library/ios/documentation/Genera...](https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html)

Does that mean that in the future nearly every App will need the ERN?

~~~
xedarius
This is a really interesting point, I was caught out by this during an update.
All of a sudden my REST client broke. Took a little digging to find out Apple
had enabled HTTPS by default.

Given this, it would seem odd that you would need to apply for an ERN (is this
true for app outside of the US?)
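For readers hitting the "REST client broke" problem above: ATS is controlled through the `NSAppTransportSecurity` dictionary in the app's Info.plist. The fragment below is an added example, not part of the original post or of Apple's documentation; the host `api.example.com` is a placeholder. It shows the blanket opt-out that people reach for first (weak: it disables ATS for every connection the app makes) beside the narrow per-domain exception that keeps the default protections for everything else while one legacy endpoint is migrated to HTTPS.

```xml
<!-- Info.plist fragment (added example, not from the original page).
     Host name api.example.com is an assumption / placeholder. -->

<!-- WEAK: turns ATS off for the whole app. Every request may now go over
     plain HTTP or to a TLS endpoint that fails Apple's "best practices"
     checks. Apple asks for a justification when you ship this. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- BETTER: keep ATS on globally and exempt only the one legacy host,
     scoped as tightly as possible, until it is served over HTTPS. -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Default stays enforced: HTTPS, TLS 1.2, forward secrecy, for all
         hosts not listed below. -->
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.example.com</key>
        <dict>
            <!-- Allow plain HTTP for this host only. -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!-- Do not extend the exception to sub-domains. -->
            <key>NSIncludesSubdomains</key>
            <false/>
            <!-- When this host does move to HTTPS, still require
                 the ATS defaults for the TLS side of the connection. -->
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
        </dict>
    </dict>
</dict>
```

To see why a given endpoint fails ATS before adding any exception, macOS ships `nscurl --ats-diagnostics --verbose https://api.example.com`, which tries the connection under each combination of ATS settings and reports which ones succeed; the output usually points at a missing TLS 1.2 or non-forward-secret cipher suite on the server, which is cheaper to fix server-side than to exempt in the app. Note that the exception only changes what the OS permits; it does not change whether the app "uses encryption" for the ERN question discussed above.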

------
kpozin
I read this entire article thinking it was overly elaborate satire, but there
was no punch line at the end, and the links are actually valid.

The TP pool memo[1] in Neal Stephenson's _Snow Crash_ seems sane by comparison.

[1] [http://soquoted.blogspot.com/2006/03/memo-from-fedland.html](http://soquoted.blogspot.com/2006/03/memo-from-fedland.html)

------
metafunctor
Not everything that "just uses HTTPS" necessarily needs ERN. Here's "note 4"
which exempts a lot of apps: [http://www.bis.doc.gov/index.php/policy-guidance/encryption/...](http://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three)

A big part of our app was "sending, receiving, and storing information", so we
weren't sure this exemption would apply to us. So, we did the ERN anyway, and
it took a couple of days calendar time, and a couple of hours of working time,
IIRC.

By the way, nowhere does it say that using HTTPS is fine if you just use
Apple's APIs and frameworks. I don't think it's relevant here.

~~~
comex
> Note 4: Category 5, Part 2 _does not_ apply to items [...] meeting all of
> the following:

> (a) The primary function or set of functions is _not_ any of the following:
> [...]

> ...... (3) Sending, receiving or storing information ( _except_ in support
> of entertainment, mass commercial broadcasts, digital rights management or
> medical records management);

(Emphasis mine.)

Triple negative - now that's something. And DRM and the entertainment industry
gets a special case, isn't that great?

~~~
danieltillett
I would have thought that DRM is a loophole you can drive a truck through. As
long as any of your data is of value, you can claim the reason for encryption
is DRM. Even if you let the end user have access to all data, you could always
send some sort of DRM heartbeat.

~~~
_up
No loophole! It only counts if you exclusively need encryption for DRM, not
for other stuff like protecting your users' chat communication, for example.

~~~
danieltillett
I don't see the word exclusively. If you had a chat application you could
protect the user content by sending along a DRMed ping.

------
danieltillett
Great guide. If you are into these sort of guides of how to deal with the US
government I have written a couple for the W8-BEN-E form [1] (you need this if
you have any US customers) and also for registering to do business with the US
government [2]. These are biased towards Australians, but they should be
helpful for others too.

1\. [http://www.tillett.info/2015/06/20/how-to-complete-w-8ben-e-...](http://www.tillett.info/2015/06/20/how-to-complete-w-8ben-e-form-for-australian-companies/)

2\. [http://www.tillett.info/2015/12/01/how-to-register-an-austra...](http://www.tillett.info/2015/12/01/how-to-register-an-australian-company-for-business-with-the-usa-government/)

~~~
gulpahum
US customers here must mean that if you sell directly to US customers. If you
sell via App Store to end users in US, then this is not needed, because Apple
will be your customer (Apple Luxembourg for Europeans), not the end user.

~~~
danieltillett
Yes this is true, but lots of people sell directly to US customers. As soon as
you do you have problems :)

------
supergirl
Not specific to Apple. Same thing has to be done for any other app store, like
Google's. Some mentioned that there is an exception if you use OS libraries
for encryption. I think that's not the case, but I think using some third
party SDKs like Game Center (for which I guess the providers did the paper
work) is excepted.

~~~
a3_nm
> any other app store, like Google's

Not sure. This looks like a US-centric, bureaucratic thing. I doubt that
F-Droid [https://f-droid.org/](https://f-droid.org/) requires this kind of
nonsense when submitting apps.

~~~
supergirl
Yeah, that's true. I meant US company app stores. But some other countries
have these kinds of rules. I know of France.

------
Pirate-of-SV
How is this different from Android apps distributed through Google Play?
Legally I mean, why don't Google Play do the same thing?

~~~
pupeno
Apple requires the ERN because Apple is very US centric. For Google, there
might be cases in which the ERN is not required because the app never leaves
the US (because for other countries it comes from other countries).

Apple requires the ERN to cover their asses, I believe. The ERN is required
by the US government, so, if you don't have it, you are breaking the law
whether you are using Google Play or Apple. So, you should get it for Google
Play too.

~~~
pupeno
To add to that, maybe Apple is more liable because of their promises to check
for quality and problems in the store, while Google allows more things in it.
That just means a change for them, you, as the app maker, are always liable.

------
jevinskie
If I inform everyone that their iOS app uses AES, SHA-1, and RSA at the lowest
level (codesign and Fairplay DRM), does everyone have to register? I think a
plain reading of the question posed by Apple would require a "Yes" answer.

~~~
kalleboo
There's an exception in the law for DRM

------
mapmap
For cross reference, here is another list of steps based on our experience. It
took about 3 days.

[https://www.chatmap.io/blog/iPhone-iTunes-ERN-Encryption.php](https://www.chatmap.io/blog/iPhone-iTunes-ERN-Encryption.php)

------
jarek-foksa
Which cryptographic algorithms are included in Atom Electron and NW.js
frameworks? Does the page [1] list all of them?

[1]
[https://www.chromium.org/blink/webcrypto](https://www.chromium.org/blink/webcrypto)

------
fowl2
ignoring anything else, that process seemed pretty smooth to me, esp for
government. Sure you hit a few snags, but the main one (a lost email) could've
happened signing up anywhere.

~~~
pupeno
I think the process had two issues. The main one being several steps that,
though simple, were not specified anywhere, so figuring them out took a lot
of time and phone calls. It's like someone tells you to drive from point A to
B, that's easy, but they don't tell you where the car is.

The second problem was a lot of jargon that was in my opinion unnecessary and
was internal US government leaking to the end users and you had to learn it to
understand the documentation about what to do. Figuring out what SNAP-R stood
for took me way too long and it's nothing more than a website registration
(from my point of view).

------
robert_foss
How does this apply to non-US based app publishers?

Am I legally exporting crypto from the US if I am not in the US?

~~~
asherkin
Yes, this is explained in Apple's FAQ on the issue - they have servers that
are distributing your app from the US, thus you are exporting crypto from the
US.

------
rewqfdsa
Don't you wish you hadn't surrendered software distribution authority to a
single faceless corporate party? When nobody tried to demand bullshit crypto
paperwork?

Remember when you could distribute software yourself without getting
threatened[1]? Remember when platform vendors didn't take a 30% cut of
everything you earned just because they wrote an OS? Not even Microsoft was
that evil.

I hope you enjoy the world you've built, hipsters.

[1] See the f.lux Apple distribution debacle

~~~
hundchenkatze
This is unrelated to Apple and its App Store. Even if you sold this on your
own, you'd be subject to the same rules.

[https://www.bis.doc.gov/index.php/policy-guidance/encryption](https://www.bis.doc.gov/index.php/policy-guidance/encryption)

~~~
mikeash
There is an important difference, though. Small companies and individuals
often fly under the radar of wacky bureaucratic rules like this, whereas big
companies are more visible and are stuck with them. By routing all the small-
timers through a big company, they can no longer do that.

You might say, small companies _should_ be following these rules regardless so
this is just as well. And I'd probably agree. But it's still a pretty big
difference.

