What you need to know about Export Compliance

First, a disclaimer: Cisco makes no representation or warranty as to the accuracy of the information contained here, and it should not be considered legal guidance or advice. We're not inviting reliance on this information, and it is for general information purposes only!

If an app contains encryption, it is necessary to comply with U.S. export control law. Developers seeking to publish apps for distribution via Cisco AppHQ are responsible for obtaining required government approvals.

If an app does not contain encryption, government approvals are usually not needed.

Cisco AppHQ is hosted from the U.S. and therefore it is necessary to comply with U.S. export control requirements. Third-party developers are responsible for proper classification of apps under U.S. rules, as well as compliance with regulations that may apply for import or sales into countries outside of the U.S. such as France, Hong Kong, Russia, Singapore, China, etc.

It is the responsibility of developers to understand U.S. export compliance obligations and to provide a complete and accurate U.S. export classification for their respective app(s).

Apps that are classified as "Restricted" under § 740.17(b)(2) of the U.S. Export Administration Regulations (EAR) are tightly controlled with license and reporting obligations. At this time, third-party apps that are classified as "Restricted" may not be posted or distributed from Cisco AppHQ.

Apps that are categorized as "Unrestricted" or "Mass Market", and thus eligible for export to both government and non-government end-users under § 740.17(b)(1), § 740.17(b)(3) or § 742.15(b), may be posted to Cisco AppHQ.

An app may need to have been submitted for a formal U.S. Department of Commerce review and classification ("CCATS") before it can be exported, or it may require an Encryption Registration Number (ERN). If so, the third-party developer must upload a copy of its CCATS, or its ERN, noting the app's Export Control Classification Number ("ECCN") for completeness.

To receive a CCATS, third-party developers must submit a Commodity Classification Request to the U.S. Department of Commerce. More information on how to obtain a CCATS can be found here.

To obtain an Encryption Registration Number, see here.

So, in summary, once a manufacturer (or producer) of the encryption item submits its Encryption Registration (i.e. the information described in Supplement No. 5 to Part 742 of the EAR) to the U.S. Bureau of Industry and Security (BIS), the manufacturer's encryption items become eligible for export and re-export under the applicable provisions of § 740.17(b) and § 742.15(b) of the EAR, subject to the conditions and restrictions of those sections. For example, if the item meets the criteria of § 740.17(b)(3) and § 742.15(b)(3), then it's not eligible for export with just an ERN; a CCATS is also required before the item can be exported.