iTunes Connect encryption export compliance for games

Answering the ERN authorization and other encryption questions Apple asks developers when they submit a new app

We’ve been asked a few times what games need to do in order to be approved for submission if they use encryption. SOOMLA’s ios-store uses basic encryption algorithms to protect your on-device data so no one will be able to hack it and mess up your game-related data.

The encryption algorithms used by SOOMLA

SOOMLA uses the AES algorithm for encryption. This algorithm is a standard symmetric encryption algorithm and we use it to secure the user’s data on the device. It’s a common approach to solve these kinds of problems.

Answering the ERN authorization question by Apple

SOOMLA’s main intention is to solve problems for games and gaming-related apps. Generally, gaming apps don’t need to submit to “ERN authorization”, so if you develop these kinds of apps you should answer “NO” when you see the “ERN authorization” question on iTunes Connect. (You might have some specific encryption in your game. You should look into the iTunes Connect FAQ to see if you need to submit your specific application to “ERN authorization”.)

One way to check if your app needs to submit to “ERN authorization”:

  • (from the FAQ)
    How do I know if I can follow the Exporter Registration and Reporting (ERN) process?
    If your app uses, accesses, implements or incorporates industry standard encryption algorithms for purposes other than those listed as exemptions under question 2, you need to submit for an ERN authorization. Examples of standard encryption are: AES, SSL, https. This authorization requires that you submit an annual report to two U.S. Government agencies with information about your app every January.
  • (from question 2)
    (i) if you determine that your app is not classified under Category 5, Part 2 of the EAR based on the guidance provided by BIS at http://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#One. The Statement of Understanding for medical equipment in Supplement No. 3 to Part 774 of the EAR can be accessed at Electronic Code of Federal Regulations site. Please visit the Question #15 in the FAQ section of the encryption page for sample items BIS has listed that can claim Note 4 exemptions.
  • (from http://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#One)
    Is the product described by Note 4?
    Items described by Note 4 are not controlled under Category 5, Part 2 of the EAR. See “What items are removed from encryption controls?” for additional guidance.
  • (from “What items are removed from encryption controls?”)
    (a) The primary function or set of functions is not any of the following:
    (1) “Information security”;
    (2) A computer, including operating systems, parts and components therefor;
    (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
    (4) Networking (includes operation, administration, management and provisioning);
    (b) The cryptographic functionality is limited to supporting their primary function or set of functions; and
    (c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.

Games usually conform to Note 4 so they are not controlled under Category 5, Part 2 of the CCL.

READ THIS: This explanation is complementary. You shouldn’t take it as a rule or suggestion of any kind. SOOMLA doesn’t take any responsibility for any damage you may have by accepting or following anything we wrote here. You should check if your specific app conforms with EAR and submit to “ERN authorization” if you see fit.
