ERN Registration for SSL use in Mobile Apps


Apps built with MobileTogether include the ability to use SSL encryption between the mobile app and the back-end server, and with it come restrictions on importing and exporting the app in the United States and potentially other countries. If you intend to submit the AppStore App to Apple’s App Store or Microsoft’s App Store (and potentially others), their submission processes will ask whether the app includes encryption. Since all AppStore Apps built with MobileTogether include the ability to use the OS-provided libraries for SSL use in mobile apps and in particular for the encryption of the communication between the mobile app and server using the https protocol, the answer to this question is “YES.” At some point in the process, this answer will then trigger a prompt to upload your Encryption Registration Number (ERN). So how does one obtain an ERN?

shutterstock_260811158

You obtain an ERN from the Bureau of Industry and Security (BIS), which is part of the U.S. Department of Commerce. They suggest that this process will only take 30 minutes, but this is overly optimistic for all but the most experienced.

The first step in the registration process is to identify your AppStore App export control classification number (ECCN). The classification will determine whether you can self-classify the software and export it with or without an encryption registration, or whether you require a separate export license. The generic MobileTogether App is classified as 5D992.c, which means that it can be exported to all but sanctioned destinations and parties of concern. Your AppStore App built with MobileTogether is likely also 5D992.c.

The Bureau of Industry and Security (BIS) website offers a wealth of information to help you classify your AppStore App. A good place to start is at this link. BIS has also developed two flow charts that help guide the decision making process. This first flow chart here:

flowchart1

quickly leads to the second flow chart:

flowchart2

BIS offers the option to have them help you determine your ECCN.  However, the process is largely the same as submitting an actual registration request, which is discussed next.

Over the years, BIS has greatly simplified the registration process by developing the Simplified Network Application Process – Redesign, better known as SNAP-R. To begin, you will need to create an account here. During that process, you will complete an online form, which is submitted to BIS.  Thereafter, you will receive your login, password, and CIN or Company Identification Number. You may need to contact BIS by telephone to complete the CIN process. If you already have a SNAP-R account, then you will need the login, password, and CIN.

Next, you need to prepare the application and the supporting documentation. Examples of the process can be found here: https://snapr.bis.doc.gov/snapr/docs/loginHelp.html#AppendC. You may need to submit spec sheets and marketing material that describe the product as well as the type of encryption used. By default the AppStore App will include SSL to authenticate the communications between the AppStore App and the MobileTogether Server. Further, the AppStore App will use SSL to encrypt the data transmitted between the two. Thus, the AppStore App does more than merely use the encryption for authentication purposes, hence the need for an ERN. The SSL encryption being used by the AppStore App is the standard SSL library functionality provided by the API/SDK on the respective mobile operating system.

You will also be required to submit Supplement No. 5 to Part 742 – Encryption Registration. A link to the supplement questions can be found here. Again, almost all questions regarding classification, registration, and supporting documentations can be answered by reference to the BIS Registration page. Once you submit your self-certification registration, you will automatically receive your ERN, absent an error or question by BIS. Remember that your self-certification will require annual renewal by the end of February each year, regardless of when you obtain your ERN.

With the ERN in hand, you will now be in a position to submit your AppStore App. One step in the app store submission process will typically be called Export Compliance. It is at that stage that you will then need to upload a PDF with your ERN that you have obtained from Snap-R.

Obtaining an encryption registration number and submitting the AppStore App to an app store can be technical and carry with it serious legal consequences if not done properly. If you are not familiar with this process, it is highly recommended that you seek legal advice. The descriptions herein are meant to provide a brief summary of the process and cannot answer every question relative to your specific situation.  Should you have additional questions, please consult with legal counsel.

Tags: , , , , , , , , , ,