Encryption Export Regulations Julia Potapenko Why should mobile developers care?

Security Software Engineer @julepka We help companies to protect their sensitive and valuable data.

… disclaimer: I am not a lawyer, and this is not legal advice …

App Distribution

App Distribution App App Store or Google Play Upload

App Distribution App App Store or Google Play Upload 🇺🇸 US Servers

App Distribution App App Store or Google Play Upload 🇺🇸 US Servers 🌍 Distribute

App Distribution App App Store or Google Play Upload 🇺🇸 US Servers 🌍 Distribute = Export

App Distribution App App Store or Google Play Upload 🇺🇸 US Servers 🌍 Distribute = Export US Export Regulations.

App Distribution App App Store or Google Play Upload 🇺🇸 US Servers 🌍 Distribute = Export US Encryption Export Regulations.

App Distribution App App Store or Google Play Upload 🇺🇸 US Servers 🌍 Distribute = Export US Encryption Export Regulations. Import

Do I have encryption in my app?

Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms.

Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms. Less headache

Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms. More headache Less headache

Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms. More headache Less headache File and send a required report

Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms. More headache Less headache File and send a required report You’ll need legal help

Annual self-classification report How? – Send the report as an attachment to BIS and ENC emails What? – A specific CSV-formatted file Where? – See the official website for correct emails When? – No later than Feb 1 of the following year https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification

Report Example PRODUCT NAME: Awesome App! MODEL NUMBER: 1.10.2 MANUFACTURER: SELF / Tom Smith Inc. ECCN: 5D992.c AUTHORIZATION TYPE: MMKT ITEM TYPE: Mobility and mobile applications n.e.s. SUBMITTER NAME: Tom Smith TELEPHONE NUMBER: (222) 123-4567 E-MAIL ADDRESS: tom.smith@email.com MAILING ADDRESS: 123 Smith St. Washington DC 22032 NON-U.S. COMPONENTS: N/A NON-U.S. MANUFACTURING LOCATIONS: N/A https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675

Report Example PRODUCT NAME: Awesome App! MODEL NUMBER: 1.10.2 MANUFACTURER: SELF / Tom Smith Inc. ECCN: 5D992.c AUTHORIZATION TYPE: MMKT ITEM TYPE: Mobility and mobile applications n.e.s. SUBMITTER NAME: Tom Smith TELEPHONE NUMBER: (222) 123-4567 E-MAIL ADDRESS: tom.smith@email.com MAILING ADDRESS: 123 Smith St. Washington DC 22032 NON-U.S. COMPONENTS: N/A NON-U.S. MANUFACTURING LOCATIONS: N/A https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675 Commonly used values Update with your info

Apple Guide Informs you when you submit a build. Explains export regulations in a simple language in multiple pages. Requires extra review if you have custom encryption.

Apple Guide Google Guide Informs you when you submit a build. Explains export regulations in a simple language in multiple pages. Requires extra review if you have custom encryption. Single page of “it depends” information.

Useful links BIS official guide: https://www.bis.doc.gov/index.php/policy-guidance/ encryption/4-reports-and-reviews/a-annual-self-classification BIS official example: https://www.bis.doc.gov/index.php/component/docman/? task=doc_download&gid=1675 ECFP official instructions: https://www.ecfr.gov/cgi-bin/retrieveECFR? gp=1&SID=4150cfbf028e9a85574385383a581f47&h=L&mc=true&n=pt15.2.742&r=PART &ty=HTML#ap15.2.742_119.6

Useful links Our experience: https://docs.cossacklabs.com/themis/regulations/us-crypto- regulations/ Apple guide: https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Google guide: https://support.google.com/googleplay/android-developer/ answer/113770?hl=en Wikipedia: https://en.wikipedia.org/wiki/ Export_of_cryptography_from_the_United_States

Thank you! @julepka Photo by Lukas Blazek https://unsplash.com/@goumbik