
Does the usage of CCCryptor warrant a French import declaration certificate?


Would like to get some help from people who implemented encryption in their apps and already passed it to the App Store.

Our app uses HTTPS/SSL and AES256 encryption provided by CCCryptor along with the keychain.

According to this message regarding encryption:

Apps that meet the following criteria are required to comply with French Encryption Laws/Regulations if you intend to distribute your app in France. This requirement applies to apps that use, access, implement, or incorporate:

(a) any encryption algorithm that is yet to be standardized by international standard bodies such as IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, etc. or not otherwise published; or

(b) standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s) instead of or in addition to accessing or using the encryption in iOS and/or Mac OS X

Apple will require you to upload a copy of your approved French declaration when you submit your app to the App Store. Relevant French encryption regulations can be found at:

http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000005789847&dateTexte=#LEGIARTI000006421577
http://www.ssi.gouv.fr/archive/fr/reglementation/regl_crypto.html
http://www.ssi.gouv.fr/site_article195.html
http://www.ssi.gouv.fr/site_article197.html

I'm having doubts on the line:

standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s) instead of or in addition to accessing or using the encryption in iOS

From what I researched, CCCryptor is an open source class made by Apple, so surely it should already be the encryption in iOS, but according to this related Stack Overflow post, whose author also uses CCCryptor, someone answered that they were required to apply for the French import declaration.

So to our lads who already passed this problem, do we need to apply for the French import declaration?


Solution

  • Your question is answered in the iTunes FAQ. Specifically see:

    https://itunespartner.apple.com/en/apps/faq/Managing%20Your%20Apps_Trade%20Compliance

    See the "What do I need to know to answer each export compliance questions accurately?" question.

    Further down are a series of scenarios. The 1st seems to apply to your question:

    Sample Scenarios

    Scenario 1: An app uses or accesses only encryption algorithms provided in iOS or Mac OS for its security features

    -- Only US Encryption Registration (ERN) will be required (even if the app is distributed in France)

    But ultimately you need to make your own decision based on your app and the rules. I am not a lawyer. I am simply pointing out Apple's FAQ on the matter.