US crypto export regulations for Themis
When you distribute apps via platforms like App Store or Google Play, the binaries are typically hosted on servers located within the US and owned by US companies. United States law treats this activity as export, which is heavily regulated for cryptography.
However, typical Themis use cases fall under “open source” exceptions. This makes compliance much easier if your app is open source as well.
Note: If your app is not open source or is not distributed free of charge, we strongly recommend that you seek professional legal advice.
Submitting apps to App Store
If your application uses Themis and you want to submit it to the Apple App Store, you are required to do the following:
- Indicate that you’re using cryptography when submitting your application for review.
  Select “YES” to say that your application incorporates cryptography.
- Apply for the “open source” exemption.
  When filling in the next step in the App Store submission form, select “NO” in the Export Compliance section.
  The Themis cryptographic library is exempt from the need for detailed classification. Themis uses standard publicly available ciphers provided by the open source OpenSSL and BoringSSL libraries on Apple platforms.
- Send an annual (year-end) self-classification report to the US government to comply with the encryption export regulations.
Submitting apps to Google Play
If your application uses Themis and you want to submit it to Google Play, you are required to do the following:
- Send an annual (year-end) self-classification report to the US government to comply with the encryption export regulations.
Read more in the Google Play guidelines.
Submitting an annual self-classification report to BIS
The procedure is as follows.
- Download a copy of the sample CSV file from the BIS website.
- Fill it out with your own details.
- Email your CSV file to email@example.com and firstname.lastname@example.org.
These are the values that most of our customers use in their CSV reports:
- AUTHORIZATION TYPE: MMKT
- ITEM TYPE: Mobility and mobile applications n.e.s.
- NON-U.S. COMPONENTS: N/A
- NON-U.S. MANUFACTURING LOCATIONS: N/A
Please see How to file an Annual Self Classification Report by the Bureau of Industry and Security for more details.
Additional resources
For further guidance, see these resources:
- A very nice and frequently updated write-up on submitting the self-classification report by a developer who does it regularly.
- Useful recommendations in Supplement No. 8 to Part 742—Self-Classification Report for Encryption Items.
- Knowing the difference between 5d002 and 5d992.
- Our older article "Apple Export Regulations on Cryptography" (a lot has changed since 2017 when it was originally written, but it’ll give you an insight into why it is necessary to register the encryption tools you use in your applications).