I'm looking at creating an iPhone app that will communicate with a REST Web service. Because some user-sensitive data (name, address, age, etc) will be transmitted, I'm looking at securing the connections with SSL.
However, on my previous escapades into App Store submission, I saw that the first question I get asked is "Does your application use encryption?" and depending on the answer to this and other follow-up questions, may require US export compliance.
My company is not based in the US, nor do we have a US office.
Has anyone else submitted an app using SSL for this sort of purpose? If so, did you need to do anything to get permission to use it, either from Apple or from the US government?
All these answers are obsolete as of September 20th, 2016. I just got off the phone with the SNAP-R folks (government), and they said that new legislation landed on September 20th. The new regulation removes the requirement to register your app simply because it uses encryption.
I described my app (a game) to them, and they said it's an "EAR-99", which means that I don't have to register. It's likely that Apple is about to update their website. But in the meantime, if you're trying to go through this process because you use SSL/HTTPS, just stop now. You won't even be successful in filling out the forms, because they have changed significantly.
I found this article from someone who went through the process recently (Dec 2015) extremely helpful. The overall consensus seems to be that you really do need to go through this process even if you are just using a REST call that utilizes SSL. This article will help you run through the process quickly.
https://carouselapps.com/2015/12/15/legally-submit-app-apples-app-store-uses-encryption-obtain-ern/
I ran across this question earlier today and thought I'd come back to report my experience.
Check out: http://tigelane.blogspot.com/2011/01/apple-itunes-export-restrictions-on.html for a procedure that worked well for me (be sure to read the whole thing including the comments -- there have been some changes since the original post, mostly for the better, and the updated info is in the comments).
The process is pretty streamlined now (except for Safari and Chrome not recognizing their own site's SSL certificate. A little ironic there. :-); I got approval about 10-15 minutes after submitting the info.
I'd guess that this has become a routine thing for them (at least if you're only using SSL rather than some kind of exotic crypto).
Because the app is setting up and using secure SSL connections it is considered an encryption product. The US export controls depend on whether you use encryption, not where you find it. It doesn't matter that you are using a built-in function instead of writing your own, using a commercial library, or using a specialized processor--it is still an encryption item.
Check out the BIS web site at www.bis.doc.gov/encryption or call the help desk at 202-482-0707 if you want to discuss the particulars of your app. If you find out you need an encryption classification then the link for the SNAPR is there too.
Update as of 20th September 2016
ERNs are no longer required, so it seems many apps will no longer need to register with the US government. (Though you may still need to file a bi-annual Self-Classification Report Supp. No. 8 to Part 742 report.) http://www.bis.doc.gov/InformationSecurity2016-updates
(Thanks to @EugenioDeHoyos and @user3562927 for pointing this out!)
This third-party website may assist you in preparing your report: Self-Classification Report Generator (Another user added a link to it, I have not tried it myself.)
French Government registration is still required to sell in France.
The iTunes Connect FAQs have been updated to cover this change and are the most readable reference I've found.
Old Answer
The process has changed, as of Summer 2010, and you (probably) need an ERN now, not a CCATS as was necessary at the time John wrote his answer.
See Apple iTunes export restrictions on apps. The iTunes Connect FAQ also contains a lot of useful information on export compliance.
There are also now restrictions that apply to distributing apps with encryption on the French app store - see the iTunes Connect FAQ and the French Export Compliance thread on the devforums.
Now in November 2017...
This is legal stuff really, so this is pointers to what I've found useful and how I've interpreted things. Don't take it as advice (it's not).
The Apple FAQ as mentioned in other answers here is an excellent starting place: https://itunespartner.apple.com/en/apps/faq/Managing%20Your%20Apps_Export%20Compliance
This leads to doing the following:
In iTunes Connect, go to your App. Pick the 'features' tab at the top and select 'Encryption' on the side. Click 'Add Export Compliance Documentation for iOS' in the main page. First question says: 'Export Compliance: Is your app designed to use cryptography...' Choose 'Yes'. The following question says (and I copy and paste):
(c) is the SSL style reference (as per your question), so select Yes to this question. [Note the bottom of the guidance on this screen has a link to the above FAQ link]
In selecting 'Yes' one of the popup-guidance box says (and I quote):
And back in the FAQ, a key quote is:
The last bit I think answers the 2nd bit of your question... You still have to comply even if you're not in the US and even if you don't intend to distribute outside your own country...
So, as of what I read today (in November 2017), if using SSL (HTTPS) in an iOS App, even if outside the US, boxes need to be ticked within iTunes Connect... (The process started under the 'features tab' described above). Beyond this, you then need to make an annual self classification report.
The link in the Apple FAQ relating to this is currently broken (as I write this), but this link is useful:
https://www.bis.doc.gov/index.php/policy-guidance/product-guidance/high-performance-computers/223-new-encryption/1238-how-to-file-an-annual-self-classification-report
This page includes the email addresses to send your report to (you have to send it to 2 places), when it must be sent and what format and information needs to be sent (a carefully created, very prescribed .csv file).
I failed to find this with the bis.doc.gov search engine, but found it using a general search engine searching for 'year-end Self Classification Report'. So if this particular link dies in the future, this search might help find any replacement :)
As to details of how to craft this .csv file for an iOS App using SSL I'm not sure yet - I hope to have success and will edit this post with details if it seems appropriate.
Towards this though, in this linked doc:
https://www.bis.doc.gov/index.php/documents/new-encryption/1651-740-17-enc-table/file
(which you might need to zoom in to read)
I figure the relevant line is the 3rd one (b)(1) as the submission requirements match. It refers to having to
This document also has an ECCN column, and I'm getting to thinking the relevant ECCN number is 5A002 dot something
This next document has more details about picking the correct ECCN code:
https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file
Reading this my current best guess is that if SSL is being used as a small part of an App this relates to code 5A002.a.4
UPDATE:
So at the bottom of bis.doc.gov guidance the description for creating the .csv file says:
Using Supplement No. 8 to Part 742—Self-Classification Report for Encryption Items for further guidance, I got to a .csv file like this:
Note that this should be a well-formed .csv file, which this isn't quite. I suggest creating something in a spreadsheet and saving as a .csv.
Also note that this is not an advised result - it's my best interpretation as an unqualified individual having had no advice. The example .csv at the bottom of the bis.doc.gov guidance helped me further and seemed to suggest that the ECCN could just be 5A002 without further detail. The ITEM TYPE has to be picked from the list in Supplement number 8 - something else might fit the nature of your App better. I wasn't so sure on MODEL NUMBER, but the example looked like it was using version number type descriptions. Maybe App Apple ID would be better here. Given it's optional, it might not matter...
UPDATE (Jan 2019): Finally made my submission for 2018 and went for:
The changes were to put 'N/A' as the Model Number and 'NO' for NON-U.S. COMPONENTS. 'NO' because there are no bought-in components to my App (US or NON-US) - the encryption code is just the iOS encryption library.
I actually went back to Apple and it turns out that any application using SSL does need approval (unfortunately). There are apparently some exceptions, such as if the application uses SSL only for a single payment transaction.
There is more information in Mass Market Encryption CCATS Commodity Classification for iPhone Applications in 8 Easy Steps and
iPhone Encryption Export Compliance for Apps making HTTPS (TLS) Connections.