Export Requirements for Applications Using SQLCipher

This document contains information related to Import / Export requirements for applications that utilize SQLCipher, which includes strong cryptography.

When using SQLCipher you are responsible for compliance with all export, re-export and import restrictions and regulations in all applicable countries.

United States Export Controls

Any application using strong cryptography, including those using SQLCipher, and that will be exported from the United States, must ensure compliance with the BIS / DOC export requirements.

In practice this means that all applications distributed through commercial “App Stores” (i.e. iTunes, Google Play, Windows Store, etc) should go through the export compliance process, even if the applications are authored by developers outside of the US.

Export counselors at the BIS and Apple legal have both advised that, at least for mass market products, each party marketing and exporting an application that includes encryption is responsible for their own classification and reporting. Thus the application developer has a responsibility for filing annual self-classification reports that list every product that uses encryption. Note that an Encryption Registration Number (ERN) previously needed to be assigned prior to self-classification, however, that requirement has been removed in the latest versions of the EAR effective in 2017.

Note that if you communicate with the BIS coordinators or other counsel, you may wish to mention that your application will be distributed commercially and that the underlying encryption library (SQLCipher) that was previously classified as mass market under ECCN 5D992c.

French Import / Export Controls

French law limits importing and exporting applications with strong cryptography. A declaration or approval from the French Agence nationale de la sécurité des systèmes d’information (ANSSI) is required. Zetetic has filed a declaration in France with the ANSSI to allow us to provide SQLCipher to the French market.

However, like in the US, declarations and approvals are not transitive. In other words, each company that include encryption in a product is responsible for their own declaration in France. Thus, while our declaration for SQLCipher allows us to provide the library in France, it does not extend to third party applications that use SQLCipher as a library.

As a result, your company is responsible for submitting a declaration for each application/product to the French ANSSI. You may reference our declaration number, 16060359, and indicate that you use SQLCipher when you file your own declaration. This may accelerate review and minimize the amount of technical information you need to provide in the declaration.

Other Restrictions

As noted here, SQLCipher is an export restricted product. These restrictions and the terms of the SQLCipher License agreement specific prohibit export to restricted, embargoed, or sanctioned destinations (e.g Cuba, Iran, North Korea, Sudan, or Syria), Denied Persons, Unverified Parties, and Restricted Entities.

Important Disclaimer

We aren’t attorneys or export control experts. This information is not intended as legal advice. Use this information at your own discretion and consult an expert or legal council if you need guidance. In the US, the BIS export counselors can be very helpful and they have some people that specialize on the crypto requirements. In France, the ANSSI is the primary organization to contact for cryptography import / export requirements.

Hello,

Thanks for the details. Since my App is using SQLCipher, Apple has rejected my App to be published in French App Store and have asked me to provide the clearance certificate from French government.

Do I really require that? There is also a discussion going on about this at https://groups.google.com/forum/#!topic/sqlcipher/nNKCPwHjDLs

Please let me know do i really need that certificate from Apple.

Regards
Sunny

Hello @hkumar

Unfortunately we can not provide much additional guidance with regard to app store submissions in the French marketplace as we do not sell our products there at this time. There is another thread on our mailing list in which another user has successfully completed the French approval process for export compliance. You may wish to review it here.

Thanks a lot. I’ll go with that.

Cheers
Hemant

Dear @hkumar ,

please can I ask you, did you have SQLCipher compiled with using external openssl or it used only iOS CommonCrypto?

please if somebody knows, if SQLCipher needs ERN number and French encryption as well, let me know.

regards
tomas

@developernotes, So, does it “use encryption limited to that within the Apple operating system” or not? Because we have to answer this question in iTunes Connect.

1 Like

@revolter - SQLCipher’s encryption is above and beyond that provided by the Apple operating system.

1 Like

Thera are some dead links in the “United States Export Controls” section.