Relevant bits as of mid 2015:
https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items
This describes encryption export stuff. One of the important things in this is "Note 4".
https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three
Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:
(a) The primary function or set of functions is not any of the following:
(1) "Information security";
(2) A computer, including operating systems, parts and components therefor;
(3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
management or medical records management); or
(4) Networking (includes operation, administration, management and provisioning);
(b) The cryptographic functionality is limited to supporting their primary function or set of functions; and
(c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s
country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.
But then there's this:
http://www.bis.doc.gov/index.php/policy-guidance/encryption/encryption-faqs
Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:
Consumer applications. Some examples:
piracy and theft prevention for software or music;
music, movies, tunes/music, digital photos – players, recorders and organizers
games/gaming – devices, runtime software, HDMI and other component interfaces, development tools
LCD TV, Blu-ray / DVD, video on demand (VoD), cinema, digital video recorders (DVRs) / personal video recorders (PVRs) – devices, on-line media guides, commercial content integrity and protection, HDMI and other component interfaces (not videoconferencing);
printers, copiers, scanners, digital cameras, Internet cameras – including parts and sub-assemblies
household utilities and appliances
So to sum up: if your application's main function is not cryptography, and you're using cryptography just for transmitting game info or just for logging in, your app will not be controlled by export law.
But I'm not a lawyer, and if you're really worried about it, consult one. Apple divests themselves of any responsibility for checking this. If you say "no" and you're wrong, it's your problem, not theirs.