OpenDrop - App Store Export Compliance Documentation

Complete System Documentation (Desktop Server + Mobile App)


Executive Summary

| Item | Value |
|---|---|
| App Name | OpenDrop |
| Version | 0.6.91 |
| Platforms | iOS, Android, macOS, Windows, Linux |
| Uses Encryption | Yes |
| Proprietary Encryption | No |
| Exemption Claimed | EAR 740.17(b)(1) - Mass Market |

Key Finding: OpenDrop uses only standard, publicly available encryption algorithms provided by operating systems, platform SDKs, and widely-used open-source libraries. No proprietary or custom encryption is implemented.


Encryption Overview

Summary of Encryption Usage

| Component | Encryption Type | Standard | Implementation |
|---|---|---|---|
| Network Communication | TLS 1.2/1.3 | IETF RFC 8446 | Platform SSL/TLS |
| Authentication | OAuth 2.0 | IETF RFC 6749 | Firebase Auth, Google Sign-In |
| ID Tokens | JWT | IETF RFC 7519 | Firebase ID Tokens |
| In-App Purchases | TLS | Platform Standard | RevenueCat SDK |
| Cloud Sync | HTTPS | IETF RFC 2818 | Cloudflare Workers |
| Tunnel | QUIC/TLS 1.3 | IETF RFC 9000 | cloudflared |

What OpenDrop Does NOT Use


Mobile App Encryption

Platform: iOS & Android (Flutter/Dart)

1. Firebase Authentication

Library: firebase_auth (Flutter)
Purpose: User authentication and session management
Encryption: TLS 1.2/1.3 (platform-provided)
Standards: OAuth 2.0 (RFC 6749), JWT (RFC 7519)

Usage in Code:

2. Google Sign-In

Library: google_sign_in (Flutter)
Purpose: OAuth 2.0 authentication with Google
Encryption: TLS via platform SDK
Standards: OAuth 2.0 (RFC 6749, RFC 6750)

Usage in Code:

3. RevenueCat (In-App Purchases)

Library: purchases_flutter
Purpose: Subscription management and purchase verification
Encryption: TLS 1.2/1.3 (SDK-provided)
Standards: HTTPS, platform billing APIs

Usage in Code:

4. HTTP Communication (Dio)

Library: dio (Dart)
Purpose: API calls to OpenDrop desktop server
Encryption: TLS via platform SSL/TLS stack
Standards: HTTPS (RFC 2818)

Usage in Code:

5. QR Code Scanning

Library: mobile_scanner
Purpose: Scan QR codes for connection setup
Encryption: None (camera input only)

Note: QR scanning itself does not use encryption. The scanned data (connection URL and secret) is transmitted over HTTPS.

Mobile Encryption Summary Table

| File | Component | Encryption Used |
|---|---|---|
| main.dart | Firebase init, RevenueCat init | TLS (platform) |
| auth_service.dart | Firebase Auth, Google Sign-In | OAuth 2.0, TLS |
| subscription_service.dart | RevenueCat purchases | TLS (SDK) |
| api_service.dart | Server API calls | HTTPS/TLS |
| file_uploader.dart | File upload | HTTPS/TLS |
| firebase_options.dart | Firebase config | N/A (config only) |
| qr_scan_page.dart | QR scanning | None |

Desktop Server Encryption

Platform: Python (Windows, macOS, Linux)

1. HTTPS Communication

Library: requests (Python)
Purpose: Sync data to Cloudflare Worker
Encryption: TLS 1.2/1.3 via OS SSL stack
Standards: HTTPS (RFC 2818)

Usage in Code:

2. OAuth 2.0 Authentication

Library: google-auth-oauthlib
Purpose: Google Sign-In for desktop
Encryption: TLS via requests library
Standards: OAuth 2.0 (RFC 6749, RFC 6750)

Usage in Code:

3. Cloudflare Tunnel

Binary: cloudflared
Purpose: Secure tunnel exposing local server
Encryption: QUIC with TLS 1.3
Standards: QUIC (RFC 9000), TLS 1.3 (RFC 8446)

Usage in Code:

4. Session Management

Implementation: Server-generated tokens
Purpose: Authenticated session continuity
Transmission: HTTPS headers

Usage in Code:

Server Encryption Summary Table

| File | Component | Encryption Used |
|---|---|---|
| cloud_sync.py | Worker sync, heartbeat | HTTPS/TLS |
| tunnel.py | Cloudflare tunnel | TLS 1.3/QUIC |
| middleware.py | Session validation | None (token comparison) |
| health.py | Session creation | None (token generation) |
| paths.py | Token file storage | None (plaintext JSON) |

Third-Party SDKs

SDK Encryption Attestations

| SDK | Provider | Encryption | Documentation |
|---|---|---|---|
| Firebase | Google | TLS 1.2+ | Firebase Security |
| RevenueCat | RevenueCat | TLS 1.2+ | RevenueCat Security |
| Google Sign-In | Google | OAuth 2.0/TLS | Google Identity |
| Cloudflare | Cloudflare | TLS 1.3 | Cloudflare Security |
| Dio | pub.dev | Platform TLS | Uses system certificates |

All third-party SDKs use standard encryption provided by their respective platforms and comply with international encryption standards.


Export Compliance Questionnaire

U.S. Export Administration Regulations (EAR) Responses

Q1: Does your app use encryption?

Yes

Q2: Does your app qualify for any exemptions provided in Category 5, Part 2 of the EAR?

Yes - Mass market exemption under EAR 740.17(b)(1)

Q3: Does your app implement any proprietary or non-standard cryptographic algorithms?

No - All encryption uses industry-standard algorithms

Q4: Does your app only use encryption provided by the operating system?

No - The app uses additional standard third-party libraries, but all implement standard algorithms

Q5: Is your app available without restriction?

Yes - Available to general public

Q6: Is the encryption user-configurable?

No - Users cannot modify encryption settings

Q7: Is your app designed for government use?

No - Consumer file sharing application

Exemption Qualification

| Requirement | Status | Evidence |
|---|---|---|
| Uses standard encryption | ✅ Met | TLS, OAuth 2.0, JWT only |
| Available to general public | ✅ Met | App Store / Play Store distribution |
| No government-specific features | ✅ Met | General file sharing utility |
| Encryption not user-modifiable | ✅ Met | No encryption settings exposed |
| Not for military/intelligence | ✅ Met | Consumer application |
| Mass market distribution | ✅ Met | Available worldwide |

App Store Connect Submission Guide

Step-by-Step Answers

When submitting your app to App Store Connect, you will be asked about export compliance. Use these answers:

Screen 1: Export Compliance

"Does your app use encryption?"

Select: Yes

Screen 2: Exemption Qualification

"Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?"

Select: Yes

Screen 3: Encryption Type

"Does your app contain, use, or access third-party encryption?"

Select: Yes

"Does your app implement or use cryptography that is proprietary or not accepted as standard by international standard bodies (IEEE, IETF, ITU, etc.)?"

Select: No

Screen 4: Distribution

"Is your app going to be available on the French App Store?"

Select: Yes (app qualifies for all territories)

Annual Self-Classification Report

If required, use BIS classification:


Declaration Statement

For Apple App Store Review

OpenDrop version 0.6.91 uses encryption exclusively for:

  1. Secure network communication via HTTPS using standard TLS 1.2/1.3 protocols
  2. User authentication via OAuth 2.0 (Google Sign-In) and Firebase Authentication
  3. In-app purchase verification via RevenueCat SDK using platform billing APIs
  4. Secure tunneling via Cloudflare's publicly available tunnel software
  5. JWT token handling for session management using standard RFC 7519 format

No proprietary encryption algorithms are implemented. All cryptographic functionality is provided by:

This application qualifies for the mass market encryption exemption under U.S. Export Administration Regulations section 740.17(b)(1).

For Google Play Console

OpenDrop uses encryption for secure data transmission only. All encryption is provided by:

No custom or proprietary encryption algorithms are used.


Technical Architecture Diagram

┌─────────────────────────────────────────────────────────────────┐
│                        OPENDROP SYSTEM                          │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌─────────────────┐         HTTPS/TLS          ┌────────────┐  │
│  │   Mobile App    │◄──────────────────────────►│  Firebase  │  │
│  │   (Flutter)     │         OAuth 2.0          │   Auth     │  │
│  └────────┬────────┘                            └────────────┘  │
│           │                                                     │
│           │ HTTPS/TLS                                           │
│           │                                                     │
│           ▼                                                     │
│  ┌─────────────────┐         HTTPS/TLS          ┌────────────┐  │
│  │   RevenueCat    │◄──────────────────────────►│   Store    │  │
│  │      SDK        │                            │   APIs     │  │
│  └─────────────────┘                            └────────────┘  │
│                                                                 │
│  ┌─────────────────┐      TLS 1.3/QUIC          ┌────────────┐  │
│  │  Desktop Server │◄──────────────────────────►│ Cloudflare │  │
│  │    (Python)     │         Tunnel             │   Edge     │  │
│  └────────┬────────┘                            └────────────┘  │
│           │                                                     │
│           │ HTTPS/TLS                                           │
│           ▼                                                     │
│  ┌─────────────────┐                            ┌────────────┐  │
│  │   Cloudflare    │◄──────────────────────────►│   Mobile   │  │
│  │     Worker      │         HTTPS/TLS          │    App     │  │
│  └─────────────────┘                            └────────────┘  │
│                                                                 │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │                  ENCRYPTION STANDARDS                   │    │
│  │  • TLS 1.2/1.3 (IETF RFC 8446)                          │    │
│  │  • OAuth 2.0 (IETF RFC 6749)                            │    │
│  │  • JWT (IETF RFC 7519)                                  │    │
│  │  • HTTPS (IETF RFC 2818)                                │    │
│  │  • QUIC (IETF RFC 9000)                                 │    │
│  └─────────────────────────────────────────────────────────┘    │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

All connections use standard encryption - NO proprietary algorithms

Document Information

| Field | Value |
|---|---|
| Document Version | 2.0 |
| Created | January 2026 |
| App Version | 0.6.91 |
| Author | NFDGames |
| Covers | Desktop Server + Mobile App |

Appendix A: Code File Encryption Reference

Mobile App Files

| File | Encryption Relevance |
|---|---|
| main.dart | Firebase & RevenueCat initialization |
| auth_service.dart | OAuth 2.0 flows, Firebase Auth |
| subscription_service.dart | RevenueCat purchase verification |
| api_service.dart | HTTPS API communication |
| file_uploader.dart | HTTPS file transfer |
| config.dart | API keys (no encryption code) |
| firebase_options.dart | Firebase config (no encryption code) |
| qr_scan_page.dart | No encryption |
| connection_status.dart | No encryption (enum only) |
| main_screen.dart | No encryption (UI only) |
| open_drop_app.dart | No encryption (UI only) |
| files_tab.dart | Uses ApiService (HTTPS) |
| upload_tab.dart | Uses ApiService (HTTPS) |
| shared_folders_tab.dart | Uses ApiService (HTTPS) |
| recently_deleted_screen.dart | Uses ApiService (HTTPS) |
| auth_screen.dart | Uses AuthService (OAuth) |
| file_action_menu.dart | No encryption (UI only) |

Desktop Server Files

| File | Encryption Relevance |
|---|---|
| cloud_sync.py | HTTPS requests |
| tunnel.py | cloudflared TLS tunnel |
| auth.py | OAuth 2.0 token management |
| middleware.py | Session token validation |
| health.py | Session token creation |
| app.py | No encryption (routing) |
| config.py | No encryption (config) |
| paths.py | No encryption (file paths) |
| files.py | No encryption (file ops) |
| folders.py | No encryption (folder ops) |
| trash.py | No encryption (trash ops) |
| settings.py | No encryption (settings) |
| utils.py | No encryption (utilities) |
| validation.py | No encryption (validation) |
| gui_app.py | No encryption (UI) |
| gui_styles.py | No encryption (UI) |
| updater.py | HTTPS for update checks |

Appendix B: Compliance Checklist

Before submission, verify: