When deploying to the App Store especially Apple will do a proper review. When using encryption this should be mentioned in the application form for the App Store.
As the Base Engine uses encryption this should be mentioned. You should mention this is only for authentication purposes. Although clearly defining encryption is only used for authentication you should request an Encryption Registration Number (ERN) at BIS. By having this registration you apply to the US export policies. A good tutorial for this process can be found here: link (external link)
The Onegini SDK uses PGP encryption to encrypt the communication required for mobile authentication via push through a SSL tunnel. When enabling mobile authentication this PGP usage should be mentioned. Onegini only uses public domain encryption mechanisms, so you don’t have to go through the complete CCATS procedure. Only the short procedure would do as described in the blog post.
If any other encryption mechanisms are used in the functional app this should also be mentioned.