I am using the HTTP package from Dart in my Flutter-based mobile app. The HTTP package is used for HTTPS communication between server and client.
While I was preparing the submission of a new version of the app in the App Store, it seems there is a requirement to submit documentation if the app is using standard encryption algorithms but with non-Apple APIs, e.g. URLSession.
So my question is: does anyone know if the HTTP package of Dart uses URLSession internally, or does it have its own implementation of HTTPS along with all the encryption? And do I need to provide an Export Compliance doc for using that package?
Thanks!
Looking at the http package source code, it seems this package relies only on the Dart SDK.
There is a CUPHTTPClientDelegate.m sub-package in it that's marked as experimental, where they say:
"Using the Foundation URL Loading System, rather than the socket-based dart:io HttpClient implementation, has several advantages..."
Therefore, I would think it's safe to assume that the package does not currently use URLSession.
dart:io.HttpClient uses this SecurityContext code to do TLS. Parts of it are implemented in the native code of the Dart SDK.
It seems that dart-lang/sdk/runtime/bin/security_context.cc is where crypto is implemented, and that uses openssl includes:
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
So, that's what actually implements all crypto in the Dart SDK, it seems. I think Apple will be alright with that given there are lots and lots of Flutter Apps in the Apple Store and most of them are definitely using Dart's TLS.
"do I need to provide an Export Compliance doc for using that package?"
I am no lawyer so I cannot give legal advice, but my understanding is that for "mass market cryptography" (which OpenSSL may be classified as) you do not need to worry about Export Compliance. Maybe have a look at Mass Market for more accurate information.