Last year I learned that to publish an app in the App Store or Mac App Store, if it uses encryption of any kind and yes, HTTPS and SSL count, you need an Encryption Registration (ERN) from the US Bureau of Industry (BIS). Some people claim it's fine to lie to Apple, claim no use of encryption and get in the app store. I'd rather do it the right way.
When I started the process of getting the ERN, I quickly notice it was going to be a long and arduous process and that other people could benefit from the lessons I was learning the hard way, so I decided to document it all in a long blog post.
This is probably one of my most researched pieces ever. The whole process took about two months from the start, researching this thing called ERN, to getting the app published in the Mac App Store, satisfying that what I did was (more or less) correct.
Holy crap that is a bureaucratic nightmare. Why does encryption even need to be registered in the first place? I don't see any point beyond the holdover of 'encryption is munitions' which is a pile of crap in the first place.
Encryptions is munitions. It is the modern day "arms" that that the spirit of the 2nd amendment to the US constitution was trying to protect as a fail-safe to an overreaching corrupted government.
We don't need to bear arms anymore because we don't walk around dueling people at high noon anymore, but being an information based economy and information based society, encryption is the new gun in the wild world web.
We continue to need to bear arms of all sorts, equal to those that the military uses. As you pointed out, the purpose of the 2nd amendment was to avoid tyranny in a powerful central government. As long as the (federally funded & led) military uses firearms, responsible civilians _must_ also keep & bear them.
When everyone has guns, the police have to have guns. Not only that, they're scared. All The Time. Traffic stop? Might have a gun. Stop and search? Might have a gun.
One fuck up and you've got death, permanent pain, or some other outcome that's pretty fucking unpalatable. (I assume that at least cops in the US have gold plated health insurance...?)
Here is my question. How much of the problem endemic to US police is on account of a culture of fear. Citizens should not fear the police, but that works both ways.
If that is so, then we have already lost. No firearm held by the citizens can compete with the firepower of the military of today.
The spirit of the amendment may have been in the right place and surely worked when the constitution was written but we live in a very different world now and if you still think the an armed citizenry will avoid tyranny, you need to go to youtube and see what the military can now do.
Are you sure about that? Look at Iraq. Also, while soldiers in the military might be fine oppressing a compliant populace, how many will jump ship if they are forced to wage actual war on their countrypersons?
I believe the right to bear arms has been interpreted not only to mean the individual right to own and operate firearms, but also the right to form militias, or paramilitary organizations.
It is unlikely for a paramilitary organization to compete with the armed forces, but in a state where the country is stressed and divided, I don't think the armed forces would stand as a fully united organization. However, while I do concede that my argument is weak, I also assert that it is not nil.
If you really wanted to oppose the government you'd encrypt your communications. Clearly that's s greater threat since government so vehemently wants to deny that (it's in their self interest to increase their power).
What citizens lack in firepower they make up in numbers. Just the 12.5 million registered hunters in the United States exceed the number of active duty military by an order of magnitude.
There is no possible way that the military of today, with all its tanks and bombs and drones and planes, could even attempt to hold any large portion of America under martial law.
The purpose of the second amendment was to avoid tyranny in a powerful central government _over the individual states_. The current (2008) Supreme Court interpretation of the second amendment is controversial because it largely ignores the "well regulated militia" text.[0]
Interpreting the "well regulated militia" text as limiting the right to state militias is an anachronistic, twentieth century attempt to read modern sensibilities into the text. In the eighteenth and nineteenth centuries it wasn't even a debate: the right of individuals to bear arms was understood simply to be the manifestation of their natural right to self defense. Consider texts contemporaneous with the constitution and written in similar places:
Pennsylvania State Constitution, 1776: "The right of the citizens to bear arms in defense of themselves and the State shall not be questioned."
New Hampshire State Constitution, 1783: "All persons have the right to keep and bear arms in defense of themselves, their families, their property and the state."
And, of course, the second amendment itself: "A well regulated militia being necessary to the security of a free state, the right of the people to keep and bear arms shall not be infringed."
This classification might by a blessing in disguise.
The supreme court disagrees with you (see District of Columbia vs. Heller) re your need to bear firearms. But if encryption is the new firearm, that might be an important ruling for crypto.
Because you might be exporting it to an un-friendly country.
Don't try to apply logic here -- "But can't they just compile openssl or just use Linux!? or some library..." -- this is government contracting and security world, regular logic doesn't work here.
For exporting to friendly countries via App Store, you'll need an ERN. I'm not sure if the App Store will accept submission from unfriendly countries. It depends which one I guess.
Apple itself probably doesn't really care. Just needs to cover its ass in case Uncle Sam looks and asks questions. They can now say "We have enabled these checks and features on our side".
Throughout the process I found left-overs from the previous processes and yes, it looked much worse. The worst part for me is that there were steps in the process than though simple, they were not defined anywhere and thus it required me calling various departments to ask for clarifications.
Bureaucratic nightmare? Don't you think that's an exaggeration? Sure, the government's web site UX is atrocious, but at the end of the day, it's just a couple of web forms and E-mail verification, similar to signing up for any web site. Try to legally immigrate to the U.S. and then come back and tell me that this web site is a "bureaucratic nightmare".
I agree that US migration processes are a bureaucratic nightmare also. I don't think it's an exaggeration when I phrase the term as 'overly unnecessary bureaucratic process that causes people incredible frustration'.
Note that the OP said that the list was the effort of months of trying to understand and negotiate the system. Just because it appears to be 'a couple of web forms and email verification', it's in no way similar to signing up for a web site because it's behind so much opacity. You can't judge the effort involved in producing something simply by its final output.
I'm far from an expert on this area, but I know there are exemptions many apps can qualify for. The most notable of these is that the encryption is limited to authentication [1].
I talked to a couple of people at Apple and they explicitly told me that use of HTTPS is not covered under the exception. I think that exception was designed to authenticate licences of software. Programs that phone home, get a toke, and decrypt it to verify you paid for it, but that's just a hypothesis.
I'm pretty sure "limited to authentication" means that the data is transmitted in the clear but covered by a signature. HTTPS actually encrypts, so it wouldn't count.
Could you not also argue that ongoing use of HTTPS after authenticating yourself with the server is to ensure the response is coming from who you intend (i.e., the server authenticating itself to you)?
IANAL, but if you assume law matches cryptographic reality: there's such a thing as the NULL cipher, which most SSL stacks don't support (at least by default) because it's a big footgun. It will let you have traffic that's authenticated but not encrypted.
Back when I was doing hobbyist iOS development (2009-ish) I asked Apple developer support about this, and they said it does. Worst part is it doesn't matter if you use a built-in system library like NSURLSession. Simply accessing an HTTPS URL from inside your app triggers this requirement.
Some people say the paperwork is easy to fill out yourself, but I was a college student and the legalese scared the crap out of me. And there was no way I could afford to consult a lawyer for a hobby project.
My only choice was to use plaintext HTTP for my app (which I wasn't willing to do for this particular app), or to restrict the app to the US and Canada, which doesn't require a government filing. I hated doing it, but I went with option two.
That cannot possibly be true. I guarantee you virtually every REST app in the store uses HTTPS and none of them went through all of this. In the latest version of iOS you can't even load HTTP by default and must use HTTPS unless you put a special exception in your Info.plist. Everybody uses HTTPS, and nobody has to go through any of this.
So either you asked the wrong question, misinterpreted the answer, or you simply talked to someone who didn't understand your question or otherwise just didn't know themselves.
It's quite likely they don't enforce it very well.
I specifically asked them if using NSURLConnection (the standard, built-in URL library before NSURLSession) to access a URL over HTTPS qualified under the registration requirements. They told me, in no uncertain terms, that using any cryptography, including cryptography built into the operating system, meant I needed to register if I wanted to export the app outside of the US and Canada. I promise you, I didn't misinterpret. Though as you say, it's very possible the person I spoke to was wrong, or that their interpretation of the law was overly cautious and they've changed their policies.
I suspect the distinction is that the cryptography for encrypting and signing apps is done by Apple (and they've done all the paperwork for themselves).
They don't enforce it at all. Not even the US BIS really looks at your application to approve it as far as I can tell, because mine was approved instantly. They do have a lot of checks to make sure the record of your company and app are somewhat well formed.
When it comes to Apple, they don't check for this, they just want you to be on the record with either an ERN or the claim of no encryption, so that it's not their fault if the US government comes and says "hey, about all those apps you are exporting, are they using munition-level tech?"
I'm not disagreeing with you, I'm pointing out that querying a RESTful page with any of the C, R or U parts of the CRUD process would involve transacting information, so you basically need to keep it as HTTP.
I don't disagree with you, either. But I'm pretty sure the legislative intent is to be able to thwart encryption in, say, instant messaging apps. Because terrorism, national security, etcetera. I don't agree with the means (it's futile), but being able to wiretap communications between people is the intent here as far as I can tell.
It's quite simple to implement an instant messaging app on top of CRUD, so "it's just CRUD" is not a valid counter against this type of politics.
I understand the intent, my point is that there's very few situations where you are not transmitting information if you have any connectivity whatsoever, so the law appears overly ambiguous and far-reaching. It should be more specific about its aims.
> That cannot possibly be true. I guarantee you virtually every REST app in the store uses HTTPS and none of them went through all of this.
Then they're breaking the law. Which is unsurprising, since the law is way more complicated than anyone expects, but unless you have a lawyer who has said "No, that's clearly not what the law means," you shouldn't expect that the law is sensible.
This is true, and I think a lot of this applications are breaking the rules. You can easily claim your app doesn't use encryption and Apple will accept it. They don't check to see whether it does or doesn't use encryption. But should something happen, Apple is clear of guilt because they asked you and you would be the one producing a false statement.
I read a lot of blog posts and looked at a lot of information and there's a general advice of "just pretend not to use encryption" or "https doesn't count" which is just wishful thinking from people that didn't want to use ERN and when you go dig deep enough it doesn't hold any water.
Thank you! It is definitely a misinterpretation. Apple makes https mandatory now and there is no way every developer would have to go through this process.
Why do you say there's no way? This is US law, not Apple's policy, and US law is fully capable of being that dumb. (Whether Apple allows developers to lie to Apple and violate US law is beside the point.)
Debian's archive software used to send an automated mail to the US government every time a new package is accepted, just in case it involves crypto:
(Looks like the government told them "Okay, okay, we don't care" at some point, but that was what they determined their legal obligation was after consulting with lawyers about what the law actually said.)
If you are pulling through http and http only, yes. If you are using HTTPS, you are encrypting the requests that may contain arbitrary amount of data and the exception doesn't apply to you anymore.
I'm beginning to wonder if the ACTUAL policy Apple is trying enforce w.r.t. HTTPS is if you were to roll your own suite of encryption tools (i.e. as opposed to using the OS's TLS/SSL implementations).
That would be far more reasonable. Especially considering, with iOS 9, HTTPS is now the default configuration for all traffic.
Yes, it does. I talked to legal as well as export compliance department at Apple and they confirmed this. Maybe they were being overly cautious but so was I.
With HTTPS, what puts you clearly out of every potential exception, is the fact that you are encrypting the requests. Someone asked about this in the blog and I replied with more information.
you'd think that this is a pretty frequently asked question though, no? how could apple dev support personnel not understand/answer basic questions that affect a significant portion of apple devs?
On advice of counsel, or on the intuition that the US government's laws about crypto cannot possibly be that dumb? Because yes, the laws are in fact that dumb.
I talked to the export compliance department at Apple. There's a chance that they say "yes, get an ERN" because they have nothing to lose and it's safer for them and in fact, there's no need for it. But I doubt it. I will consult a lawyer to make sure my whole process is good if people want me to get ERNs from them (an idea some people floated with me).
This seems to be only for US based developers, I can't remember having to fill in more then a handful of radio buttons regarding crypto when I submitted an iOS app as a Dutch developer.
Were you using the built in web capabilities or embedding a library to handle the encryption? In theory Apple's methods for accessing HTTPS should be safe while embedding OpenSSL would not be (unless you linked to a shared object they deployed).
I don't think it matters where the encryption capability comes from.
The iTunes Connect FAQ says: “If your app uses, accesses, implements or incorporates industry standard encryption algorithms other than those listed as exemptions under question 2, you need to submit for an ERN authorization. Examples of standard encryption are: AES, SSL, https.”
There are a lot of exemptions, but only using Apple's HTTPS is not one.
Sounds like Apple is the cause here, since export restrictions don't apply to things that are never exported. If you aren't embedding the algorithm then your code is not exporting the algorithm.
Yeah, I'd like to see this answered too. If OP was just using the built in WebKit browser this seems to have all been a big misinterpretation of the rules. If they did indeed roll their own browser with HTTPS, why?
The post is a very good guide to navigating that bureaucratic process either way though.
I think I remember reading that if you're using Apple's APIs and frameworks (like their builtins for HTTPS) then you don't need to go through this rigmarole.
I've always interpreted "(ii) your app uses, accesses, implements or incorporates encryption for authentication only" as our uses cases for using HTTPS and thus said that I am exempt.
Unless you are using HTTPS with NULL encryption algorithm, your bytes are encrypted and decrypted, so it's not "authentication only". I think that you can use NULL encryption algorithm and in this case only authentication will be performed. But I'm not sure that standard library will allow to use this algorithm.
At the same time Apple encourages the use of HTTPS with App Transport Security (ATS).
Starting in iOS 9.0 and OS X v10.11, a new security feature
called App Transport Security (ATS) is available to apps and is
enabled by default. It improves the privacy and data integrity
of connections between an app and web services by enforcing
additional security requirements for HTTP-based networking
requests. Specifically, with ATS enabled, HTTP connections must
use HTTPS (RFC 2818). Attempts to connect using insecure HTTP
fail. Furthermore, HTTPS requests must use best practices for
secure communications.
This is a really interesting point, I was caught out by this during an update. All of a sudden my REST client broke. Took a little digging to find out Apple had enabled HTTPS by default.
Given this, it would seem odd that you would need to apply for an ERN (is this true for app outside of the US?)
A big part of our app was "sending, receiving, and storing information", so we weren't sure this exemption would apply to us. So, we did the ERN anyway, and it took a couple of days calendar time, and a couple of hours of working time, IIRC.
By the way, nowhere does it say that using HTTPS is fine if you just use Apple's APIs and frameworks. I don't think it's relevant here.
> Note 4: Category 5, Part 2 does not apply to items [...] meeting all of the following:
> (a) The primary function or set of functions is not any of the following: [...]
> ...... (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management);
(Emphasis mine.)
Triple negative - now that's something. And DRM and the entertainment industry gets a special case, isn't that great?
I would have thought that DRM is a loophole you can drive a truck through. As long as any of your data is of value, you can claim the reason for encryption is DRM. Even if you let the end user have access to all data, you could always send some sort of DRM heartbeat.
No loophole! It only count's if you exclusively need encryption for DRM. Not for other stuff like, to protect your users chat communication for example.
Great guide. If you are into these sort of guides of how to deal with the US government I have written a couple for the W8-BEN-E form [1] (you need this if you have any US customers) and also for registering to do business with the US government [2]. These are biased towards Australians, but they should be helpful for others too.
US customers here must mean that if you sell directly to US customers. If you sell via App Store to end users in US, then this is not needed, because Apple will be your customer (Apple Luxembourg for Europeans), not the end user.
Not specific to Apple. Same thing has to be done for any other app store, like Google's.
Some mentioned that there is an exception if you use OS libraries for encryption. I think that's not the case, but I think using some third party SDKs like Game Center (for which I guess the providers did the paper work) is excepted.
Not sure. This looks like a US-centric, bureaucratic thing. I doubt that F-Droid https://f-droid.org/ requires this kind of nonsense when submitting apps.
That is correct. It applies whenever a computer program goes from US soil to non-US soil. Wether it's Apple's App Store, Google Play or carrier pigeon, it's the same.
Apple requires the ERN because Apple is very US centric. For Google, there might be cases in which the ERN is not required because the app never leaves the US (because for other countries it comes from other countries).
Apple is required the ERN to cover their asses, I believe. The ERN is required by the US government, so, if you don't have it, you are breaking the law whether you are using Google Play or Apple. So, you should get it for Google Play too.
To add to that, maybe Apple is more liable because of their promises to check for quality and problems in the store, while Google allows more things in it. That just means a change for them, you, as the app maker, are always liable.
If I inform everyone that their iOS app uses AES, SHA-1, and RSA at the lowest level (codesign and Fairplay DRM), does everyone have to register? I think a plain reading of the question poised by Apple would require a "Yes" answer.
ignoring anything else, that process seemed pretty smooth to me, esp for government. Sure you hit a few snags, but the main one (a lost email) could've happened signing up anywhere.
I think the process had two issues. The main one being several steps that though simple, were not specified anywhere, so, figuring them out took a lot of time and phone calls. It's like someone tells you to drive from point A to B, that's easy, but they don't tell you were the car is.
The second problem was a lot of jargon that was in my opinion unnecessary and was internal US government leaking to the end users and you had to learn it to understand the documentation about what to do. Figuring out what SNAP-R stood for took me way to long and it's nothing more than a website registration (from my point of view).
Yes, this is explained in Apple's FAQ on the issue - they have servers that are distributing your app from the US, thus you are exporting crypto from the US.
Don't you wish you hadn't surrendered software distribution authority to a single faceless corporate party? When nobody tried to demand bullshit crypto paperwork?
Remember when you could distribute software yourself without getting threatened[1]? Remember when platform vendors didn't take a 30% cut of everything you earned just because they wrote an OS? Not even Microsoft was that evil.
I hope you enjoy the world you've built, hipsters.
There is an important difference, though. Small companies and individuals often fly under the radar of wacky bureaucratic rules like this, whereas big companies are more visible and are stuck with them. By routing all the small-timers through a big company, they can no longer do that.
You might say, small companies should be following these rules regardless so this is just as well. And I'd probably agree. But it's still a pretty big difference.
When I started the process of getting the ERN, I quickly notice it was going to be a long and arduous process and that other people could benefit from the lessons I was learning the hard way, so I decided to document it all in a long blog post.
This is probably one of my most researched pieces ever. The whole process took about two months from the start, researching this thing called ERN, to getting the app published in the Mac App Store, satisfying that what I did was (more or less) correct.