My app uses the Apple Push Notification service to receive pushes from my server. Question one of attempting to add an app to the App Store:
Is your product designed to use cryptography or does it contain or incorporate cryptography?
Which is a yes, directly because of their push service generating and distributing keys.
Followed by:
Does your product qualify for any of the exemptions provided in Category 5 part 2?
You are responsible for the proper classification of your product; make certain that it meets the criteria of the exemption (listed here). Otherwise you may be in violation of the US export laws and could be subjected to penalties including delisting of your app from App Store. Please go through the FAQ page thoroughly before attempting to answer the question.
You can answer "YES" to question #2, if the encryption in your app is: (a) is specially designed for medical end-use; (b) is limited to intellectual property or copyright protection; (c) is limited to authentication, digital signature or the decryption of data or files; (d) is specially designed and limited for banking use or 'money transactions'; (e) is limited to “fixed” data compression or coding techniques; or (f) if your app meets the descriptions provided in Note 4 to Category 5 Part 2.
And honestly, I don't know how Apple presents you with the device tokens. Possible exception could fall under the (c) clause but I don't know how Apple uses their encryption. Their docs say "an accredited and encrypted IP connection" is established but not how it's used. Or it could fall under the (e) clause but they don't document what their encryption method is. Their FAQ (you'll need an iTunes Connect account to see it) lists these encryption methods for the exception:
(iii) your app uses, accesses, implements or incorporates encryption with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112 bit elliptic curve
(iv) your app is a mass market product with key lengths not exceeding 64 bits symmetric, or if no symmetric algorithms, not exceeding 768 bits asymmetric and/or 128 bits elliptic curve.
Which I don't understand, though I would expect Apple to conform to something like that?
Also possible is:
(vi) the source code of your app is “publicly available”, your app distributed at free of cost to general public, and you have met the notification requirements provided under 740.13.(e).
Which is cited by Urban Airship as a reason using their service qualifies as an exception along with the key length. But... Apple is anything but open source.
How did you guys approach this?