Linux password file by Christiaan Colen on flickr (CC BY-SA 2.0)

Encryption and export administration regulations compliance (EAR)

When you submit an app for publication in the App Store you are uploading it to a server in the United States. Downloads of your app outside the United States and Canada are therefore treated as exports from the United States, so if the app uses encryption you must comply with the United States Department of Commerce Encryption Export Administration Regulations (EAR).

Complying with Encryption Export Regulations (Apple Developer website)

Summary

  • Apps downloaded from the App Store outside the United States and Canada are considered by the United States government to be an export from the United States.
  • If you use encryption, you are subject to United States export laws.
  • Many common encryption patterns in mobile apps have an exemption from getting an export certificate but you need to check carefully.
  • Even if you have an exemption you must still send an annual self-classification report to the United States government explaining the details of your exemption, app by app.

TL;DR: Apps are exports from the United States and must have either an export authorization or a valid exemption for their use of encryption.

Why do I need to care?

Uploads to App Store Connect end up on an Apple platform hosted in the United States. This means that when you submit an app intending to distribute it via the App Store (even only to testers through TestFlight) outside the U.S. or Canada, each download of the app beyond the United States and Canada is considered an export from the United States and is subject to the United States Department of Commerce encryption export administration regulations. It does not matter where your legal app publishing entity is based; what matters to the export laws is that the app is downloaded from the United States into a foreign country.

Do you use encryption?

If you are using Flutterflow, which makes extensive use of Firebase and web services, then you are almost certain to be using encryption. Use of encryption includes, but is not limited to:

  • Making calls over secure channels (e.g. HTTPS, SSL, and so on).
  • Using standard encryption algorithms (e.g. authorisation and authentication in Firebase).
  • Using crypto functionality from other sources such as iOS or macOS.
  • Using proprietary or non-standard encryption algorithms. The U.S. Government defines "non-standard cryptography" as any implementation of "cryptography" involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g. IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA and GSMA) and have not otherwise been published.

The first two uses above are in pretty much every Flutterflow app these days.

Exemptions from compliance obligations

There are several exemptions available in U.S. export regulations that release apps from compliance obligations if the app uses only limited encryption or uses encryption for specific purposes. It is your responsibility to read the Export Administration Regulations to determine whether your app's use of encryption is exempted from the compliance requirements. All liabilities associated with misinterpreting the export regulations or claiming an exemption inaccurately are yours. To learn more about encryption export controls, visit the U.S. Department of Commerce Bureau of Industry and Security (BIS) website and, at the very least, read the FAQ.

Once you have read the FAQ you may determine that your app qualifies for an exemption, perhaps because it uses encryption only for the specific, well-known purposes outlined above. Even if you qualify for an exemption, for example because the app only makes HTTPS calls, you are still required to submit a year-end self-classification report.

An exemption still requires you to submit an annual self-classification report for items exported under License Exception ENC, section 740.17(b)(1), unless a Commodity Classification (CCATS) request has been submitted for the item. Note also that License Exception ENC has two authorization types, ENC and MMKT, which are different.

When you submit a new version of your app, you will be required to answer questions in App Store Connect about your app's use of encryption. It is your responsibility to comply with export regulations, and you should revisit these questions if your encryption or exemption status changes. 

App Store encryption questions

Does your app use encryption?

  • Select Yes even if your app only uses the standard encryption within Apple's operating system, for example making calls over secure channels using HTTPS or SSL.
  • Export laws require that products containing encryption must be properly authorized for export.
  • Failure to comply could result in severe penalties. 

Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations? 

  • Select No unless you are sure that your app meets the criteria of the exemption listed below. You are responsible for the proper classification of your product.
  • Incorrectly classifying your app may lead to you being in violation of U.S. export laws and could make you subject to penalties, including your app being removed from the App Store.
  • You can select Yes for this question if the encryption in your app is:
    (a) specially designed for medical end-use;
    (b) limited to intellectual property and copyright protection;
    (c) limited to authentication, digital signature, or the decryption of data or files;
    (d) specially designed and limited for banking use or "money transactions"; or
    (e) limited to "fixed" data compression or coding techniques.
    You can also select Yes if your app meets the descriptions provided in Note 4 to Category 5, Part 2 of the U.S. Export Administration Regulations.

Does your app implement any encryption algorithms that are proprietary or not accepted as standards by international standard bodies (IEEE, IETF, ITU, etc.)? 

  • Select No if you did not implement any proprietary or non-standard encryption algorithms.

Does your app implement any standard encryption algorithms instead of, or in addition to, using or accessing the encryption within Apple’s operating system?

  • Select No if you only use the standard encryption provided within the Apple operating system.

Example Annual Self Classification Report (CSV)

This is taken from the U.S. government example. It is the mobile app variant, which should fit most Flutterflow apps.

PRODUCT NAME,MODEL NUMBER,MANUFACTURER,ECCN,AUTHORIZATION TYPE,ITEM TYPE,SUBMITTER NAME,TELEPHONE NUMBER,E-MAIL ADDRESS,MAILING ADDRESS,NON-U.S. COMPONENTS,NON-U.S. MANUFACTURING LOCATIONS
XtraGood Client App,1xx,PDQ123 Software Services LLC,5D992,MMKT,mobility and mobile applications n.e.s.,Jane Smith,(202) 555-0000,(e-mail address),555 Elm St. Washington DC 22032,NO,Shenzhen China Amsterdam Netherlands
The United States only accepts this report in CSV format, and the easiest way to deliver it is by e-mail.
The table in this sample annual self-classification report shows the fields required within the Annual Self-Classification Report per Supplement No. 8 to Part 742, section (b), and demonstrates how the instructions and tips published in Supplement 8 to Part 742 work out in practice.
  • First line of the annual self-classification report must consist of the following 12 entries: PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS, NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS.
  • No entry may be left blank.
  • PRODUCT NAME and ECCN must be completed. Mobile apps can use 5D992 for ECCN
  • For MODEL NUMBER and MANUFACTURER, if necessary, enter "NONE" or "N/A".
  • For AUTHORIZATION TYPE, enter ENC or MMKT. Apps that use HTTPS can use MMKT for Authorization type.
  • For ITEM TYPE, pick from the list of item types provided in the Supp. 8 to Part 742 (a)(6). Mobile apps fit 'mobility and mobile applications n.e.s.'
  • Column headers SUBMITTER NAME through NON-U.S. MANUFACTURING LOCATIONS relate to the company as a whole, and thus should be entered the same for each product (i.e., only one point of contact, one ‘YES’ or ‘NO’ answer to whether any of the reported products incorporate non-U.S. sourced encryption components, and one list of non-U.S. manufacturing locations, is required for the report). Duplicate this information into each row of the spreadsheet
  • The only permitted use of a comma is as the separator between the 12 entries on each line, so no value may itself contain a comma. The only commas in the file should be the ones inserted automatically when the spreadsheet is converted to CSV.
  • An encryption self-classification report data table created and stored in spreadsheet format can be converted and saved into a comma delimited file (.CSV) format directly from the spreadsheet program
  • I have chosen 5D992 for ECCN and MMKT for Authorization type. This is based on reading the explanatory notes; see also this SO answer about ECCN for iOS. NB: I kept coming across 5A992, which is the hardware entry.
  • Related Controls: After classification or self- classification in accordance with § 740.17(b) of the EAR, mass market encryption software that meets eligibility requirements is released from “EI” and “NS” controls. This software is designated as 5D992.c.
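The rules above are easy to get wrong by hand (a comma inside an address, a blank cell, company columns that differ between rows), so here is a small Python script that builds the report CSV from product and company records and then checks it against those rules. This is an added example written for this page, not code from BIS or Apple. The second product, the placeholder e-mail address and the check that a software item should not carry a 5A (hardware) ECCN are assumptions of the example, not anything stated in Supplement 8.

```python
"""Build and sanity-check a BIS annual encryption self-classification report
(Supplement No. 8 to Part 742 of the EAR).

Added example for this page, not BIS or Apple code. The rules checked are
the ones the page lists: 12 fixed headers in order, no blank entry, ENC or
MMKT as authorization type, YES/NO for non-U.S. components, no commas inside
values, and company columns identical on every row. The "software should not
carry a 5A ECCN" check is an assumption based on the page's note that 5A992
is the hardware entry.
"""
import re

REQUIRED_HEADERS = [
    "PRODUCT NAME", "MODEL NUMBER", "MANUFACTURER", "ECCN",
    "AUTHORIZATION TYPE", "ITEM TYPE", "SUBMITTER NAME", "TELEPHONE NUMBER",
    "E-MAIL ADDRESS", "MAILING ADDRESS", "NON-U.S. COMPONENTS",
    "NON-U.S. MANUFACTURING LOCATIONS",
]
PRODUCT_COLUMNS = REQUIRED_HEADERS[:6]   # vary per product
COMPANY_COLUMNS = REQUIRED_HEADERS[6:]   # one set of values for the whole company
AUTHORIZATION_TYPES = {"ENC", "MMKT"}


def build_report(products, company):
    """Return the CSV text: header line, then one line per product with the
    company columns duplicated onto every row. Commas inside a value are
    rejected because the comma is reserved as the field separator."""
    rows = [",".join(REQUIRED_HEADERS)]
    for product in products:
        values = [product[c] for c in PRODUCT_COLUMNS] + [company[c] for c in COMPANY_COLUMNS]
        for header, value in zip(REQUIRED_HEADERS, values):
            if "," in value:
                raise ValueError(f"{header}: a value may not contain a comma: {value!r}")
        rows.append(",".join(values))
    return "\n".join(rows) + "\n"


def validate_report(text):
    """Return a list of problems found in a report; an empty list means it passes."""
    problems = []
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return ["report is empty"]
    if lines[0].split(",") != REQUIRED_HEADERS:
        problems.append("line 1: header must be exactly the 12 required entries, in order")
    company_seen = None
    for lineno, line in enumerate(lines[1:], start=2):
        fields = line.split(",")  # plain split on purpose: any extra comma is an error, not quoting
        if len(fields) != len(REQUIRED_HEADERS):
            problems.append(f"line {lineno}: expected 12 fields, found {len(fields)} (stray comma or missing entry)")
            continue
        row = dict(zip(REQUIRED_HEADERS, fields))
        for header, value in row.items():
            if not value.strip():
                problems.append(f"line {lineno}: {header} is blank (use NONE or N/A where the instructions allow it)")
        if row["AUTHORIZATION TYPE"] not in AUTHORIZATION_TYPES:
            problems.append(f"line {lineno}: AUTHORIZATION TYPE must be ENC or MMKT, not {row['AUTHORIZATION TYPE']!r}")
        if row["NON-U.S. COMPONENTS"] not in {"YES", "NO"}:
            problems.append(f"line {lineno}: NON-U.S. COMPONENTS must be YES or NO, not {row['NON-U.S. COMPONENTS']!r}")
        if not re.fullmatch(r"5[A-E]\d{3}", row["ECCN"]):
            problems.append(f"line {lineno}: ECCN {row['ECCN']!r} is not a Category 5 ECCN")
        elif row["ECCN"].startswith("5A"):
            # Assumption: this report covers software (an app), which belongs in the 5D column.
            problems.append(f"line {lineno}: ECCN {row['ECCN']} is in the 5A (hardware) column; an app is software (5D)")
        company = tuple(row[c] for c in COMPANY_COLUMNS)
        if company_seen is None:
            company_seen = company
        elif company != company_seen:
            problems.append(f"line {lineno}: company columns differ from line 2; they must be identical on every row")
    return problems


# Constructed sample data modelled on the page's example row; the e-mail
# address and the second product are placeholders for this example.
COMPANY = {
    "SUBMITTER NAME": "Jane Smith",
    "TELEPHONE NUMBER": "(202) 555-0000",
    "E-MAIL ADDRESS": "jane.smith@example.com",
    "MAILING ADDRESS": "555 Elm St. Washington DC 22032",
    "NON-U.S. COMPONENTS": "NO",
    "NON-U.S. MANUFACTURING LOCATIONS": "Shenzhen China Amsterdam Netherlands",
}
PRODUCTS = [
    {"PRODUCT NAME": "XtraGood Client App", "MODEL NUMBER": "1xx",
     "MANUFACTURER": "PDQ123 Software Services LLC", "ECCN": "5D992",
     "AUTHORIZATION TYPE": "MMKT", "ITEM TYPE": "mobility and mobile applications n.e.s."},
    {"PRODUCT NAME": "XtraGood Admin App", "MODEL NUMBER": "NONE",
     "MANUFACTURER": "PDQ123 Software Services LLC", "ECCN": "5D992",
     "AUTHORIZATION TYPE": "MMKT", "ITEM TYPE": "mobility and mobile applications n.e.s."},
]

if __name__ == "__main__":
    report = build_report(PRODUCTS, COMPANY)
    print(report)
    print(validate_report(report) or "report passes all checks")
```

Run `validate_report` on whatever your spreadsheet exported before you e-mail it: the plain `split(",")` is deliberate, because a spreadsheet that quotes a value containing a comma produces a line BIS's instructions do not allow, and a quoting-aware CSV parser would silently accept it.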