Disclaimer: this article is now obsolete as the rules have changed, please don’t waste your time reading it.

Disclaimer: I am not a lawyer, this is not legal advice. 


There’s a lot of conflicting information out there about whether you need an ERN or not to publish an app in the App Store. I spoke to Apple representatives as well as various employees of a couple of US agencies. As painful as it is, if your app is capable of the simplest, most standard, of encryptions such as SSL/HTTPS then you need to answer your export compliance questions like this:

The conclusion from selecting the above answers:

To make your app available on the App Store, you must submit a copy of your U.S. Encryption Registration (ERN) approval from the U.S. Bureau of Industry (BIS).

In some places, you’ll see CCATS instead of ERN. I’m not 100% sure, but it seems CCATS was a previous more bureaucratic version of the ERN. Right now, what you need is an ERN and this is our journey to get it. We are publishing as much detail as possible so that you can replicate it for your own application. There are some other blog posts that explain how to do it, but we found that over the years, some of the steps changed and we had to find a new path. Since this is going to happen again, we are adding as much information as possible so that should your path be slightly different, you won’t have much trouble finding your way through it.

Starting at the beginning

After being utterly confused by both Apple’s as well as BIS’ FAQ and how-to pages, I decided to go to the homepage for the Bureau of Industry and Security and see where it took me:

At this point I knew SNAP-R was relevant to my needs. I was almost under the impression of needing one, even though I didn’t know what it was. Going through that page I found this:

Yes! I’d like to submit an application (SNAP-R) – fourth item in the list. That takes you to this page: http://www.bis.doc.gov/index.php/licensing/simplified-network-application-process-redesign-snap-r, which defines what a SNAP-R is. It stands for Simplified Network Application Process – Redesign. I think a SNAP-R is sort of an account with the BIS. There’s no mention of ERN in that page, but it says:

You must have a Company Identification Number (CIN) and an active user account to access SNAP-R. The procedures and requirements for obtaining a CIN and user account are set forth below.

You need to obtain a CIN before you can proceed. If you scroll all the way to the bottom of the page, you’ll see:

And that link, ladies and gentlemen, is the most promising I’ve seen so far. It takes you to https://snapr.bis.doc.gov/registration/Register.do which looks like this:

The SNAP-R Company Registration process

After completing and submitting that form you’ll get an email to confirm your email address. I recommend limiting yourself to ASCII characters here, as the é and á in my name got mangled. That email took only a few minutes to arrive but the confirmation page claims the next step might take up to five days:

Some people claim to have been finished in 30 minutes or even less. I suppose it depends where you or your company is located. In my case, the five days elapsed so I sent them an email and two days later I got a reply telling me to call their support number: +1-202-482-2227 (later on I learned that another phone number that might help is +1-202-482-0707). When I talked to a representative, he said that I should have received the activation email already and just re-triggered it. Maybe calling them after a couple of days would have been a good approach to speed things up. Shortly after my call I got this email:

That link takes you to a page to set up your log in and password:

After entering those details, voila! you have an account:

You may now log in:

After logging in, you are now in your SNAP-R Home page:

Creating a new work item within your SNAP-R account

The next step is to create a new work item, which you can do from the sidebar. That takes you to a page that looks like this:

The type of work item that you want, to be able to distribute apps with encryption, is an Encryption Registration:

Now, about the Reference Number, the question mark next to it sends you to https://snapr.bis.doc.gov/snapr/docs/fieldHelp.html#NewWrkItem1 where it says:

Enter a valid reference number for the Work Item. Reference numbers must be in the format “AAA1111”.

which didn’t really answer what a reference number is. I decided to call them again and when I asked the question they put me on hold for 25 minutes. I hung up, called them again and I was speaking with someone else in less than 3 minutes and she answered. The reference number is just something you make up, for yourself. It’s not something you obtain and it seems as long as you follow their convention, it’s fine:

After creating the work item, you are invited to edit it. It starts partially populated and it’s straightforward:

Well, it’s straightforward until the last part: Documents. You need to attach the Encryption Registration Supplement No. 5 to Part 742.

Creating the Encryption Registration Supplement

Creating the supplement, thankfully, is easier than it looks; that is, when you know what you have to do. There’s a document number 742 that you can download from https://www.bis.doc.gov/index.php/forms-documents/doc_download/1208-742 and on page 60 it has the Supplement No. 5: Encryption Registration. These are the contents of that page:

SUPPLEMENT NO. 5 TO PART 742 - ENCRYPTION REGISTRATION

Certain classification requests and self-classification reports for encryption items must be supported by an encryption registration, i.e., the information as described in this Supplement, submitted as a support documentation attachment to an application in accordance with the procedures described in §§ 740.17(b), 740.17(d), 742.15(b), 748.1, 748.3 and Supplement No. 2 to part 748 of the EAR.

(1) Point of Contact Information
  (a) Contact Person
  (b) Telephone Number
  (c) Fax Number
  (d) E-mail address
  (e) Mailing Address
(2) Company Overview (approximately 100 words).
(3) Identify which of the following categories apply to your company’s technology/families of products:
  (a) Wireless
    (i) 3G cellular
    (ii) 4G cellular/WiMax/LTE
    (iii) Short-range wireless / WLAN
    (iv) Satellite
    (v) Radios
    (vi) Mobile communications, n.e.s.
  (b) Mobile applications
  (c) Computing platforms
  (d) Multimedia over IP
  (e) Trusted computing
  (f) Network infrastructure
  (g) Link layer encryption
  (h) Smartcards or other identity management
  (i) Computer or network forensics
  (j) Software
    (i) Operating systems
    (ii) Applications
  (k) Toolkits / ASICs / components
  (l) Information security including secure storage
  (m) Gaming
  (n) Cryptanalytic tools
  (o) “Open cryptographic interface” (or other support for user-supplied or non-standard cryptography)
  (p) Other (identify any not listed above)
  (q) Not Applicable (Not a producer of encryption or information technology items)
(4) Describe whether the products incorporate or use proprietary, unpublished or non-standard cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body. (If unsure, please explain)
(5) Will your company be exporting “encryption source code”?
(6) Do the products incorporate encryption components produced or furnished by non-U.S. sources or vendors? (If unsure, please explain)
(7) With respect to your company’s encryption products, are any of them manufactured outside the United States? If yes, provide manufacturing locations. (Insert “not applicable”, if you are not the principal producer of encryption products)

All you have to do is create a PDF file answering these questions for your application and upload it. I couldn’t find this information anywhere so I called them once again and that’s how I learned that all matters related to encryption were handled by the department… never mind the name, the phone number is +1-202-482-0707. Next time I’m calling them directly – there was no wait, no menu, just a person picking up the phone.

I created a document for my case saying:

Screensaver Ninja Encryption Registration Supplement No. 5 to Part 742
(1) Point of Contact Information
  (a) José Pablo Fernández Silva
  (b) +44XXXXXXXX
  (c)
  (d) pupeno@carouselapps.com
  (e) 20-22 Wenlock Road, London, N1 7GU, United Kingdom
(2) Carousel Apps is a small London based company producing software apps such as Screensaver Ninja. Our main use of encryption (and so far all of it) is the standard SSL (https), OpenSSH, etc. You can learn more about us at https://CarouselApps.com
(3) We produce
  (j) Software
    (ii) Applications
(4) Our products use standard off the shelf encryption libraries and tools, such as https (SSL). We don’t develop or intend to develop any proprietary encryption mechanisms
(5) We don’t plan on exporting “encryption source code”.
(6) Screensaver Ninja uses Apple’s Safari component that allows https encrypted communication. This is provided by Apple. I understand that Apple uses OpenSSL which is an open source project and thus may have contributions from all around the world.
(7) We produce software, so, no manufacturing process are involved. All our software is produced outside the United States. The reason for this application is to distributed an app through Apple’s App store. 

I cannot vouch for this content, I’m not sure this is the appropriate file to submit, this is only what I did. The next step is to click on “View and Manage Supporting Documents” which will take you to a page that looks like this:

There, click “Upload Supporting Document” and you’ll be greeted by this form:

I just came up with a title and keywords, entered the current date and my name as author. I think the only really important field is the document type:

Submitting the ERN

With that document in place and attached, we seem to have passed some sort of automatic verification procedure.

I clicked on “Preview Work Item to Submit” and I was given a last chance to look at the application and verify its correctness:

The submission process, triggered by the “Submit” button of course, asks you for your name, in a special format, one more time:

And when you click “Submit Work Item” you are done:

Uploading Encryption Registration to Apple

I almost immediately got a message in the SNAP-R website:

And the message was the acceptance of the application including the ERN code (blacked out):

That is the document you need to upload to Apple. Take a screenshot of that page and save it for your records. Back at Apple’s iTunes Connect, when you answer the questions stating that you use encryption, you get an upload box for the document:

If the upload button doesn’t appear, this is what an Apple representative suggested: “If you do not see the prompt, there could be a glitch in the website. One possible workaround is to change the answer to question 4 to “Yes”. By doing this the upload field should appear.”

Once you upload it, the “Submit” button will become enabled and you are ready to rock. Click it and your app will be on its way to fame and fortune. Well… that is… after they review your export compliance. For now, your app will be “Waiting for Export Compliance”:

From Apple’s version statuses, that means: “Your app is reviewed and ready for sale, but your CCATS file is in review with Export Compliance.” CCATS seems to be an older or bigger version of the ERN and in some places we can still find CCATS instead of ERN. Don’t worry, an ERN is all you need if your situation is similar to mine. When the status reaches “Waiting for Review”:

Congratulations! Your ERN was accepted. You are done with this bit of bureaucracy.

If this blog post was useful or you find differences in the process, please, let us know in the comment section.

Picture by Yuri Samoilov


79 responses to “How to legally submit an app to Apple’s App Store when it uses encryption (or how to obtain an ERN)”

  1. Eric

    Apple doesn’t use OpenSSL any more. They use CommonCrypto.

  2. John

    This article was a life saver for me. Thanks so much for taking the time to post it.

    1. Pablo Fernández

      I’m glad it was useful!

      1. simone

        Thank you!

  3. Andrew C

    I don’t know how or why your app requires encryption, and of course I’m not a lawyer. I’m also wondering (maybe a comment for the other article linked at the top) how sure are you that using https violates the terms? The list of allowed exceptions stated by Apple makes it clear to me “(c) Limited to authentication, digital signature, or the decryption of data or files” is a pretty broad definition where decrypting https traffic would fit.

    If you were on the App Store (somewhere around) pre iOS 5 then the ERN used to be required even for https traffic but ever since they added the exceptions I haven’t seen anybody get denied for using it.

    I’m happy to be wrong but you are making some strong statements, without much else than a few Google searches under the belt (if I didn’t miss something). I just want to be certain.

    1. Pablo Fernández

      Thank you for your questions Andrew. I actually called Apple several times and had a few email conversations with various departments including legal, export and compliance, etc.

      My app, Screensaver Ninja, uses HTTPS because it’s essentially a browser. The user may type https or a page may redirect to https and the app just follows through.

      When you use HTTPS, you are not just decrypting data, you are also encrypting your requests (it’s asymmetric encryption and if you have perfect forward secrecy you’ll be generating new keys constantly, which might strengthen the claim that you are encrypting data). I’m not entirely sure if you can claim this exception if you use HTTPS only for authentication, that is, sending user and password, and then drop to HTTP. But that is an incredibly insecure thing to use as the cookie is transmitted in plain text and anybody in the middle can grab it and pretend to be you.

      I’m not exactly sure what that exception clause was made for, but I believe it’s there for enforcing licensing. When an application (I mean the general term, not Apple’s) wants to verify that you have a proper licence to use it, they normally ask you for the licence code and then decrypt a file with it, or decrypt it with a key or some other form of verification. Sometimes they talk to a server to verify your licence. I think those cases are covered by this exception and this was the intended case for this exception. But I’m not really sure.

  4. hafizan

    thanks.. i in development cordova apps.. yes encryption is there on https and user validation.Are it mean it to.. dam. if so..

  5. Thomas Staudinger

    Wow, that is an insane amount of bureaucracy for something as modern and sleek as an App, I will certainly add this post to my favourites in case I ever have to go through this^^

  6. Dennis

    Wow! Thanks! I didn’t know there is this requirement for using HTTPS.

    A question: is it a one off registration per company? I.e. once you obtained a registration for the company it would apply to all your apps submitted (iOS, OSX, Android, etc, etc)? Or it is a “per-app” registration – done every time you have a new app?

    1. Pablo Fernández

      It asks you about the app, but also about the company and it seems to be good enough for several apps. Submitting a second one after you got the first one is very easy though.

  7. Brian

    would be nice to have some kind of web service that takes care of all this crap. =)

    1. Pablo Fernández

      Well… how much would you pay? One of the carouselians (Carousel Apps employee) today suggested that maybe we should offer the service of doing it for other people. I’m considering it.

  8. Brian

    I think you should definitely do it to be the first offering such service. Even if it’s only half automated, it would save lots of real pain. I don’t want to put a price tag on it, coz it wouldn’t be fair. But consider this though, after you generalize/standardize this work flow, I bet Apple would approach you. =)

    1. Pablo Fernández

      Well, I’m open to do this for other people and at first, it’ll be 100% manual as we identify how to automate it (and how to act as an agency for third parties) and it would also be free, so, if anybody needs an ERN, get in touch: info@carouselapps.com.

      We would also consult with a lawyer to confirm some of my findings.

  9. Kevin

    Thank you for the great article. I ran through this in under an hour to get an approval back and accepted. One more thing off the check list.

  10. NIKHILESH WALDE

    Thanks for an amazing article explaining almost every step.

    1. Pablo Fernández

      Almost? ALMOST? what did I miss? Just kidding.

      You are welcome. I’m glad to be of service.

  11. Dani B

    Thanks for your information :) It has been really clarifying

    Now you have to write your next post about filling the annual self-classification report (Supplement 8 to Part 742) for these apps ;)
    What a painful paperwork :( At least it seems BIS have automated a lot the process

    1. Pablo Fernández

      I’m not aware of this annual self-classification report. When is it needed?

      1. bbx

        Thanks for all this info. In your last screen shot “Acknowledgement Details”, it says:

        “You are required to submit an annual self-classification report (Supplement 8 to Part 742) for these products pursuant to the requirements in Section 742.15(c) of the EAR.”

        so looks like there is another form we have to fill in every year?

  12. Dani B

    Look at your own screenshot: https://carouselapps.com/wp-content/uploads/2015/11/BIS-SNAP-R-Encryption-Registration-Accepted.png ;) ;)
    It seems it is required once per year, send a .csv file with the “updates” of all your submissions… More fun!

    1. Pablo Fernández

      Ah… right. I forgot about that. I completed this task a couple of months ago and then I did my best to forget about it. I’m happy to do a follow up with the updates when I do it :)

      1. Lukas A.

        Could you please publish this self-classification? Some screenshots or info would be appreciated :)

  13. Ubiquitous Computing

    Nice work on all of this information Pablo, it really helps that you’ve shared your knowledge about the entire process. I remember a while back on stackoverflow.com when you brought up the subject, and was curious if any of the responses were in line with what you’ve presented here. I really like the fact that you reach out to the community that way (you awarded me a bounty once, thanks!), although something tells me you aren’t the type to just take anyone’s word for this type of thing.

  14. Donovan Cotter

    Thanks for the article Pablo. Not sure if you know the answer to this but I’m an independent developer and I’m just submitting the app under my own name. I was wondering if the SNAP-R Registration for company registration is the same for an individual?

    1. Pablo Fernández

      I don’t know, but I’d expect it’s the same process.

  15. Donovan Cotter

    Thanks for the response. I went through the steps and obtained the ERN and submitted it. Your blog saved me a lot of time. How long did it take for your status to go from Waiting for Export Compliance to Waiting For Review?

  16. Francis Kim

    Wouldn’t think this would apply to HTTP/SSL.

  17. Jeremiah Blanch

    Super useful article, thanks so much for writing this!

    How did you fit your international phone number into the format requested under “Submit Encryption Registration”? My Australian numbers do not fit. The numbers are something like +612 1234 1234 (landline – 11 digits including the country code of 61) or +614 123 123 123 (cell – 12 digits including the country code) neither of which fit into the format they ask for (123-123-1234 – 10 digits).

    I managed to do a submission by satisfying the format (but missing the last digit in the actual phone number). So if they try to call that number, they won’t get very far! My actual number was included in the supporting PDF.

  18. sirrorg

    I am an independent developer too, and I submit my own app into Apple’s App Store under my name. If I understand correctly, I need to put my company name to register into SNAP-R. But I am not a company’s member, I am an independent developer. If I understand correctly, you already registered into SNAP-R. Could you tell, what you put into that field? (Your name, left it blank, or else) I would be very grateful for your help. (Sorry for my English, it’s not my native language)

    Regards,
    Alex

    1. Tom

      @sirrorg: I just put my personal name in.

  19. Tomas Balicek

    THANK YOU VERY MUCH !!!!

  20. Tom

    Thanks a ton for providing this step-by-step instructions. It helped me a lot!

  21. Tom

    @Jeremiah: I had the same problem with my German phone number. I put 999-999-9999 in (to indicate that it is not a valid number) and left my real phone number in the comment field.

  22. Will

    Thanks, super helpful!!

  23. Bart

    At WWDC 2015, a new plist key was introduced: ITSAppUsesNonExemptEncryption

    The WWDC session implies that “nonexempt” == “nonstandard”

    “So we are going to add a new plist key in Xcode called [ITSAppUsesNonExemptEncryption].
    Enter False in here, and that will let us know what kind of encryption that you use.
    If your app does use nonstandard encryption, answer Yes.”

    http://asciiwwdc.com/2015/sessions/302

    I interpret that to mean that use of HTTPS or other “standard” crypto available in the iOS SDK is exempt.

  24. Christoffer Årstrand

    This was a really good guide, thanks José! Too bad I found it _after_ going through all the hoops. =)

    So, the February 1st deadline for the “Annual Self-Classification Report” has come and gone, any chance you could guide us readers through that process as well? Personally I haven’t even been able to figure out if I need to submit anything or not since we are just “exporting” an App from the App Store…

  25. beme

    Thanks for this brilliant and easy to use instruction to get this crazy stuff right.
    One thing that bugs me (and I already filed a yet unanswered equation to ITC) is the following:
    I have uploaded the ERN and all looks fine so far. When I now submit my app for review I get a message on if my binary is related to the approved ERN. That’s also okay so far. But there is an ineditable text within the display that says: “Is your app being sold in the fetch app store”. This is stated with a NO.
    The problem I have is that
    a) I never answered this question with either YES or NO
    b) My app *is* sold on the French app store.
    So will my app now be removed from the French app store even though I am required to submit an ERN when I use standard iOS cryptography like https encrypted access to web services?
    Any aspects on this?

    1. Christoffer Årstrand

      @beme, I can’t say this for sure, but using crypto provided by iOS actually means that you _do not_ need to get import approval from the French government according to Apple. Here is a relevant quote:

      ——
      French authorities have agreed to limit the regulatory approval requirements for Apple’s App Store apps that use, access, implement, or incorporate:

      any encryption algorithm that is yet to be standardized by international standard bodies […] or not otherwise published; or standard […] encryption algorithm(s) instead of or in addition to accessing or using the encryption in Apple OS”
      ——
      https://itunespartner.apple.com/en/apps/faq/Managing%20Your%20Apps_Trade%20Compliance#93377577

      So given that you probably answered that you only use Apple provided crypto that might internally be represented by the flag “not sold in France”. iTunes Connect leaks internal things in the UI often enough that I wouldn’t be surprised if that is the case…

  26. Michel

    Thanks so much. This is very helpful. I was able to re-submit our app with a proper ERN within a couple of hours, saving us days of painful stress.
    Really appreciated.

  27. Leonore

    THANK YOU! THIS IS AMAZING!

  28. Patrick

    Thanks for this article also from my side, really helped a lot.

  29. Volker

    That was helpful, thank you!

  30. Ben @ Tishi Jewelry

    What a process, thank you so much for this write-up and best regards from Australia!

  31. Patrick

    Pablo, thanks a lot!!! This was REALLY helpful!!!

  32. Alexandre de Oliveira

    For the record, there’s now a Key Code created by Apple attached to the document you submitted. You take that code and put it in a variable in info.plist called ITSEncryptionExportComplianceCode and then moving forward that document will serve for all future builds. No need to re-submit the document all the time. This information shows up in the iTunes page right after you upload the document.

  33. […] Officer of Jaxx offered this thought: “We found an excellent guide to the application process here, which we followed more or less to the letter. The main thing is to be persistent…and exceedingly […]

  34. Fluidjax (@fluidjax)

    Thanks Pablo, I followed the procedure and everything worked perfectly. I completed the whole process in less than an hour. I didn’t mention a specific product name and so assume that I am authorised to export all similar products which match the supplied description using the same ERN number.
    By the speed of the responses, the process seems automated and more of a “self-certification” than a considered decision to grant or deny.

  35. Björn Terwege (@kantentanz_fff)

    Top article. Everything worked as described.

  36. kartikbajaj

    You were a lifesaver :)

  37. Colin Dabritz

    Thanks so much for this immensely helpful and detailed guide.

    We ended up using the SNAP-R website “Self management” to add additional users who are allowed to submit registrations across our company. It’s not obvious, but it’s the bold blue link in the lower left labeled “SNAP-R Self Management”. This way upper management can be the official accounts, but others can get the work done.

    Thanks again for the documentation.

  38. Steve Baxter

    Thanks so much for this – a life saver. We’re just down the road from you, I’ll buy you a pint if you’re ever in the Narrowboat!

  39. ighulammustafa

    Just want to confirm. The export compliance document (PDF) is a custom made document that contains the screenshot (showing ERN)?

  40. Florian

    WOW! Awesome work! Thank you so much! Highly appreciated!

  41. Matthias Raisch

    It was also a life saver for me!!! Thank you for giving all of us this powerful help!!!!

  42. kwizzn

    Lots of appreciation from our side, Pablo. Thank you so very much for this guide. We wouldn’t have made it if it weren’t for you.

  43. Fredrik

    Thank you so so much for this – I did this in less than an hour while doing other stuff thanks to this.

  44. Lars

    I have successfully logged on to snap-r but the “Encryption Registrations” option is not available for me. Anyone else have this issue or know why it is no longer available?

    1. Giorgio

      I have the same problem….

    2. Giorgio

      I have the same problem, did you find a way to proceed?

      1. Lars

        No sorry.. I am still trying to figure it out. Have sent an email to snap-r ppl, waiting for response. Will let you know if I figure it out. Please do the same here if you figure it out or have any additional information

  45. Giorgio

    There must be some change in the update of September 20, at http://www.bis.doc.gov/InformationSecurity2016-updates it may be read:

    – Encryption Registrations no longer required – some of the information from the registration now goes into the Supp. No. 8 to Part 742 report.

    1. Eugenio De Hoyos

      Agree. I went through the same. The article should be updated to mention the September 20 update at the top.

  46. Eugenio De Hoyos

    Thanks for the excellent article! I was following it, but I ran into trouble because the “Encryption Registration” option is no longer available in SNAP-R. Following your advice, :) I called them, and they told me that encryption registration is no longer needed as of September 20 as @Giorgio mentions above.

    I also left some comments in http://stackoverflow.com/questions/2128927/using-ssl-in-an-iphone-app-export-compliance for others who may also be confused about this.

    1. Chaz

      Hey Eugenio, thanks for the update.

      Although the encryption registration is no longer required, do you still need to register on SNAP-R? Do you still need to enter an ERN number when submitting your app for review?

    2. Chaz

      Hey Eugenio, how did you manage to get over the message from apple requesting the ERN document? I’ve been on hold with BIS all evening! Thanks!

  47. Jimmy H

    As of September 20th, 2016, ERN registration is no longer required.

    https://www.bis.doc.gov/index.php/informationsecurity2016-updates

    You can also see my answer here which goes into more detail: http://stackoverflow.com/a/40391664/776167

    You can’t even submit for encryption registration on SNAP-R anymore.

    1. Chaz

      Thanks a lot, Jimmy! I managed to get through to someone at BIS. They suggested I upload a signed note on letterhead as Apple still require the document to be uploaded. It seems to have worked fine. Thanks again for your help!

      1. Martin P

        Could you share text which was on the letterhead uploaded to Apple?

      2. bradleyjh

        What exactly do you mean by that? I’m about ready to submit one of my first apps which uses HTTPS to fetch information from my self developed back-end, found this guide and didn’t find this comment until finding out the SNAP-R doesn’t have the encryption option anymore. This definitely sounds much better but it seems Apple haven’t updated the process to remove the need for the registration, so what exactly do I do to make sure my app doesn’t break any rules or laws, can I simply say it doesn’t include encryption and upload it that way? Or do I need to put together the document you’re talking about making and upload it with that?

        Appreciate any help :)

      3. Alex

        Please share example text

  48. thenortonsetup

    When someone outside the US uploads Android app to Google store is he subject to US export laws?

    1. jmvl2010

      Yes, he is. App Store and Google Play Store are located in USA.

  49. jacka

    Recommend quick application for the iOS Enterprise Certificate tool to quickly get .p12 and .mobileprovision iOS certificate files

    You can apply for an iOS certificate directly on a Windows system

    Appuploader tool

    Applicationloader.net

  50. Neil

    In case of “ordinary” HTTPS usage Apple suggest to answer Q1 and Q2 with YES. This pops up a warning, that one is forced to provide an “annual self-classification report” to the U.S. government. The provided link ends up in 404 at Bureau of Industry and Security, but searching there for the report provides a blurb, how to proceed. There is also a sample XLS. It seems to boil down to a couple of lines in an XLS to be sent to a government mail (not tested yet).

  51. Michael Maxime

    This article is out of date and needs to be updated. IS Ends Encryption Registration Requirement and Announces Other Amendments to Encryption Rules (IRB No. 559) Sept 21, 2016

    At this point in time, you cannot even create an Encryption Registration as it says in the article.

    1. J. Pablo Fernández

      I’m no longer publishing any applications in Apple’s App Store, so, I’m not going to be updating this article. I’m not surprised it’s out of date as the process was quite ridiculous to begin with. I hope it’s better now.

  52. Mir Ömer

    I have three questions. If you answer me I will be happy.
    1) I do not have a company. What should I write in the blank?
    2) Is this free?
    3) If I don’t do this, what can Apple do?
    Thanks

    1. J. Pablo Fernández

      As far as I know, the rules around this changed quite a bit, so, my blog post might be out of date. 1) I don’t know, maybe you should just write your name. 2) If I recall correctly, yes. 3) Nothing.
