[profmonocle]

It's quite likely they don't enforce it very well.

I specifically asked them if using NSURLConnection (the standard, built-in URL library before NSURLSession) to access a URL over HTTPS qualified under the registration requirements. They told me, in no uncertain terms, that using any cryptography, including cryptography built into the operating system, meant I needed to register if I wanted to export the app outside of the US and Canada. I promise you, I didn't misinterpret. Though as you say, it's very possible the person I spoke to was wrong, or that their interpretation of the law was overly cautious and they've changed their policies.

[rimantas]

Well, all apps in App Store are encrypted/signed. So they literally all use cryptography in that sense. Does not make sense.

[fpgeek]

I suspect the distinction is that the cryptography for encrypting and signing apps is done by Apple (and they've done all the paperwork for themselves).

[pupeno]

First, if all your app does is download encrypted information and decrypt it, you might be covered under one of the exceptions.

Obviously the App Store is using HTTPS, so it's not. The App Store is a program by Apple and I'm sure Apple has an ERN to cover their asses.

[pupeno]

They don't enforce it at all. Not even the US BIS really looks at your application to approve it as far as I can tell, because mine was approved instantly. They do have a lot of checks to make sure the record of your company and app are somewhat well formed.

When it comes to Apple, they don't check for this, they just want you to be on the record with either an ERN or the claim of no encryption, so that it's not their fault if the US government comes and says "hey, about all those apps you are exporting, are they using munition-level tech?"