2022 French HTTPS Encryption Compliance Requirements? - ios

I would like to know from folks with HTTPS apps distributed in France if it's still required to submit documents to the French Gov.?
I've started to translate/fill them out but they're super difficult to understand - hopefully I can just stop working on this if the iOS Console is out of date with the real world as per usual.
Thanks for your answers and hopefully others will find them useful as well

No. Just add the ITSAppUsesNonExemptEncryption key to your app’s Info.plist file with a Boolean value that indicates whether your app uses encryption. Set the value to NO if your app—including any third-party libraries it links against—doesn’t use encryption, or if it only uses forms of encryption that are exempt from export compliance documentation requirements. Otherwise, set it to YES.
Reference: https://developer.apple.com/documentation/security/complying_with_encryption_export_regulations

Related

iOS 9: Application Transport Security plist configurations

I am currently working on an application that uses both HTTPS endpoints and HTTP endpoints. Now I want to conform to Application Transport Security for iOS9 by making a NSExceptionDomains dictionary in the plist, but the amount of 3rd party endpoints my application hits is dynamic and always growing so to do this would be a fairly tedious task.
So while I could just set NSAllowsArbitraryLoads to YES I would much rather have ATS off by default except for my handful of secure HTTPS endpoints. Is it possible to do this? I saw one blog post about someone configuring the plist this way.
But I cannot find any information verifying that this is a valid solution, nor do I know how to know if an HTTPS request is using ATS. Does anyone know if this is possible or how to know if this is working?
EDIT
It's worth mentioning that the tags in the current app documentation are incorrect.
NSExceptionAllowInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionMinimumTLSVersion
NSThirdPartyExceptionRequiresForwardSecrecy
are actually
NSTemporaryExceptionAllowsInsecureHTTPLoads
NSTemporaryExceptionRequiresForwardSecrecy
NSTemporaryExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads
NSTemporaryThirdPartyExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionRequiresForwardSecrecy
After doing some more research I was able to answer my own question. So basically you are saying everything needs to default to not using ATS by setting NSAllowsArbitraryLoads = YES.
But then in your exceptions dictionary (NSExceptionDomain) you are specifying endpoints that you want to act differently. So that means you can put your HTTPS endpoints in this list and specify it to use ATS by setting NSTemporaryExceptionAllowsInsecureHTTPSLoads to NO. I was able to verify this by putting an unsecure endpoint itunes.apple.com and trying to reach it. When I set NSTemporaryExceptionAllowsInsecureHTTPSLoads to NO it failed and complained about it not being secure.
This may be obvious to most people but with the little documentation out there I hope this helps.
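An added example, not part of the original post: a small Python audit of the configuration described above, useful for checking which exception domains still permit plain HTTP once NSAllowsArbitraryLoads is YES. The Info.plist content and the example.com domains are constructed, and the check accepts both spellings of the per-domain key listed in the question.

```python
import plistlib

# Constructed Info.plist: ATS off by default, two exception domains
# (hypothetical names) that override the default in opposite directions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><false/>
      </dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Both spellings that appear on this page for the per-domain HTTP switch.
INSECURE_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                 "NSTemporaryExceptionAllowsInsecureHTTPLoads")


def audit_ats(plist_bytes: bytes) -> dict:
    """Report the ATS default and which exception domains allow plain HTTP."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    default_open = bool(ats.get("NSAllowsArbitraryLoads", False))
    blocked, allowed = [], []
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        # A listed domain with no insecure-HTTP key set counts as blocked.
        allows_http = any(cfg.get(k, False) for k in INSECURE_KEYS)
        (allowed if allows_http else blocked).append(domain)
    return {"ats_off_by_default": default_open,
            "http_blocked": sorted(blocked),
            "http_allowed": sorted(allowed)}


if __name__ == "__main__":
    print(audit_ats(SAMPLE_PLIST))
```

Any domain that is not listed under NSExceptionDomains inherits the default, so with ats_off_by_default true every unlisted host can still be loaded over HTTP.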

Password protecting files in NSDocumentsDirectory

Hi I asked a question earlier and could not get a perfect answer for it.
So let me ask this question once more, I have a requirement where I will be password protecting all my files in the NSDocumentsDirectory with a key that will be pushed from a server every day. What is the best way to do it without taking a hit on performance.
I would also be doing the key refresh whenever a key expires and I should re-encrypt or re-protect all my files in the directory. I would be storing the key from server using iOS keychain.
I tried NSFileManager's File Protection Values but I could not use my own key there.
I saw all this
http://developer.apple.com/library/ios/#documentation/iphone/conceptual/iphoneosprogrammingguide/AdvancedAppTricks/AdvancedAppTricks.html
What are the new "iOS data protection APIs"?
Secure contents in Documents directory
http://iphonedevelopment.blogspot.in/2009/02/strong-encryption-for-cocoa-cocoa-touch.html
http://pastie.org/426530
NSFileProtectionComplete for iOS 4.0 apps
and did not know how to proceed. So please guys any help would be of great use. Any sample or good way to implement or any one has done something like this before.
Thanks a ton, in advance.

Can a Google Apps Script Web App get the user's language and time zone?

Is there any possibility for a GAS published as a Web App executing under the identity of the active user and using the Ui Service for user interface to get the preferred language and time zone of the user?
Session.getActiveUser() works but you only get the Email Session.getActiveUser().getEmail().
Session.getTimeZone() returns the time zone of the script, not of the user.
Could there be a trick to get the web browser ID string with the language preference?
Session.getActiveUserLocale() was introduced in 2014 to provide this capability.
This is a very interesting question. I think the short answer is that there is no good way for now and you have to ask the users for their locale/language.
I don't see a way to do this on the server side using the APIs you've already discussed. However, I was thinking maybe there is a clever way to do this on the client side and send it up to the server using the google.script API after getting the locale information from the navigator.language JS call.
Unfortunately, since the HTML/JS you have in your web app gets sanitized for security through Caja, only a portion of the normal window.navigator properties are exposed. It seems the only useful properties are userAgent, and platform. Language seems innocuous enough to expose, so this is worth logging a request in the Issue Tracker.

Encryption Registration Number (ERN) or CCATS required for client/server encryption?

I want to encrypt communication between iPhone and my server and I will not use SSL for that. Do I still need ERN or CCATS application for that?
It really depends on what type of encryption you are using. What is the level of encryption? Is it open source?
To see whether you need an ERN, please review the following flowchart:
Flow Chart 2: Classifying under an ECCN in Category 5, Part 2
http://www.bis.doc.gov/index.php/forms-documents/doc_view/328-flowchart-2
The flowchart will help point you in the right direction in the BIS.
This FAQ is helpful too:
http://www.bis.doc.gov/index.php/policy-guidance/encryption/registration

what's an alternative to use instead of a CommonCrypto on iphone?

Getting ready to submit my app to Apple's iTunes store and got puzzled by a question during the submission process: "Export laws require that products containing encryption be properly authorized for export...... Does your product use encryption?"
I've used CommonCrypto CommonCryptor.h to encode settings file against its unauthorized modifications.
So now I'm not sure if I have to remove all the encryption completely and leave just an xml file basically as is or should I use some other method to protect the file.
What other simple protection mechanisms can I use to protect it and at the same time not use any encryption so I can submit my app without tons of extra paperwork?
Your use of "encryption" is not subject to US export rules because it's not for "information security" (I think you answer "yes, yes, yes, no" or so, ICBW, or they could have changed the order). Essentially, if it doesn't stop the NSA from spying on you, they're happy to let you use it.
However, encryption traditionally provides confidentiality, not message integrity. If you want to ensure that the user hasn't tampered with the settings file (e.g. by editing the iPhone backup), just save it with a MAC. That is,
1. Generate a MAC key (pull some bytes out of /dev/random).
2. Calculate the MAC of the file when you save it (see Objective-C sample code for HMAC-SHA1; note that the accepted answer is actually HMAC-SHA-256)
3. Append the MAC to the end of the file (or set it as a file attribute, or stick it in another file).
4. When reading, calculate the MAC on the file and verify that it's the one you saved. If it's appended to the file, you'll have to remove the last few bytes (e.g. [NSData dataWithContentsOfFile:path], then -subdataWithRange: twice to get the "message" and MAC, then verify the MAC, and parse the "message" if verification succeeds).
It won't stop someone with a jailbroken phone from extracting the MAC key from your binary, but not much will. It also won't stop someone from reading the plaintext settings file, but that might not be such a problem.
If you're generating the file on a computer you control (e.g. it's a file downloaded from a server), then sign it. Technically, RSA signature validation is equivalent to encryption, but I don't think it counts as encryption for export purposes (if it does, it's for "authentication" purposes and still doesn't count). DSA signature validation isn't encryption (I think, the math behind it went way over my head) and should also be fine.
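The save-with-MAC procedure from the answer above, as an added Python example that is not part of the original post: it uses HMAC-SHA-256 with the MAC appended to the file, and rejects the file on read if the MAC does not match. The function names, the file name and the settings content are constructed for illustration, and the key comes from os.urandom rather than being read from /dev/random directly.

```python
import hashlib
import hmac
import os
import tempfile

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA-256

def new_mac_key() -> bytes:
    """Step 1: random MAC key from the OS CSPRNG."""
    return os.urandom(32)

def save_settings(path: str, message: bytes, key: bytes) -> None:
    """Steps 2-3: compute the MAC over the message and append it to the file."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    with open(path, "wb") as fh:
        fh.write(message + tag)

def load_settings(path: str, key: bytes) -> bytes:
    """Step 4: split message and MAC, verify, and only then return the message."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if len(blob) < MAC_LEN:
        raise ValueError("file too short to contain a MAC")
    message, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time comparison; a plain == can leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("settings file failed MAC verification")
    return message

def demo() -> tuple:
    """Round-trip a constructed settings file, then change one byte and re-read."""
    key = new_mac_key()
    original = b"<settings><level>3</level></settings>"  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "settings.xml")
        save_settings(path, original, key)
        loaded = load_settings(path, key)
        with open(path, "r+b") as fh:  # simulate an edit to a backup copy
            fh.seek(17)                # offset of the "3" in <level>3</level>
            fh.write(b"9")
        try:
            load_settings(path, key)
        except ValueError:
            return loaded, True        # tampering detected
    return loaded, False

if __name__ == "__main__":
    print(demo())
```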
