Logo

github Download
US crypto export regulations

US crypto export regulations for Themis #

When you distribute apps via platforms like App Store or Google Play, the binaries are typically hosted on servers located within US, owned by US companies. United States laws treat this activity as export, which is heavily regulated for cryptography.

However, typical Themis use cases fall under “open source” exceptions. This makes compliance much easier if your app is open source as well.

Note: If your app is not open source or is not distributed free of charge, we strongly recommend that you seek professional legal advice.

Submitting apps to App Store #

If your application uses Themis and you want to submit it to the Apple App Store, you are required to do the following:

  1. Indicate that you’re using cryptography when submitting your application for review.

    Select “YES” to say that your application incorporates cryptography.

  2. Apply for the “open source” exemption.

    When filling the next step in the App Store submission form, select “NO” in the Export Compliance section.

    Themis cryptographic library is exempt from the need for detailed classification. Themis uses standard publicly available ciphers provided by open source OpenSSL and BoringSSL libraries on Apple platforms.

  3. Send an annual (year-end) self-classification report to the US government to comply with the encryption export regulations.

Read more in the official Apple export compliance overview and BIS guidelines (you might need to use a VPN to access it).

Submitting apps to Google Play #

If your application uses Themis and you want to submit it to the Google Play, you are required to do the following:

  1. Send an annual (year-end) self-classification report to the US government to comply with the encryption export regulations.

Read more in the Google Play guidelines.

Submitting an annual self-classification report to BIS #

The procedure is as follows.

  1. Download a copy of the sample CSV file from the BIS website.
  2. Fill it out with your own details.
  3. Email your CSV file to crypt-supp8@bis.doc.gov and enc@nsa.gov.

These are the values that most of our customers use in their CSV reports:

ECCN: 5D992.c

AUTHORIZATION TYPE: MMKT

ITEM TYPE: Mobility and mobile applications n.e.s.

NON-U.S. COMPONENTS: N/A

NON-U.S. MANUFACTURING LOCATIONS: N/A

Please see How to file an Annual Self Classification Report by the Bureau of Industry and Security for more details.

Additional resources #

For further guidance, see these resources: