I'm publishing my app to App Store and I have doubts regarding the "Missing Compliance" step.
Here's some info about the app:
I used Expo (Managed workflow). That means I don't have direct access to Xcode.
It's a simple 2D video game, free, with Expo ADMob. You can pay to remove Ads.
It requests a camera and library permission (to take a picture if the player wants). No Notifications, or any other extra thing.
It uses Firebase (Database, Storage, and Analytics) and Sentry. (for HTTPS connections)
I didn't manually include any "encryption" custom thing (that I'm aware of)
I'm publishing the App from Portugal, Europe. I plan to publish it worldwide, if possible.
Does your app use encryption? I didn't code anything related to it... but I assume I should say yes, right?
Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?. My app is a simple JS video game, with MobAds. Should I say yes or no?
Does your app implement any encryption algorithms that are proprietary or not accepted as standards by international standard bodies (IEEE, IETF, ITU, etc.)? I did say no... is it right?
Does your app implement any standard encryption algorithms instead of, or in addition to, using or accessing the encryption within Apple’s operating system? If I say no, it shows an extra message about HTTPS. My app does use HTTPS for Firebase (Database, Storage, and Analytics) and Sentry.
Finally, if I say yes, it says: Version 0.1.0 (1) cannot be tested at this time because the build does not have associated export compliance documentation. Where do I find this documentation and how can I get it? I'm from Portugal, Europe.
Thank you!
Question 1:
Reply YES as you use HTTPS encryption for connections
Question 2:
For what you said about your app the reply is NO. In brief you don't use any function inside your app that use a custom cryptography or it's strictly medical app. The encryption that you use it's only for data passing from app to server, nothing inside your app is encrypted (app or a part/module of app is not encrypted).
Question 3:
No you don't use a custom crypt algorithm. That is usually used for bank app data inside the app.
Question 4:
Say NO. The US rules give an exception for apps with only HTTPS calls (that is what you do). Read here for a full explanation:
https://developer.apple.com/forums/thread/98071
https://www.cocoanetics.com/2017/02/itunes-connect-encryption-info/
Just add this key to info.plist file:
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
For expo users, automatically answer this question by adding this to your app.json/app.config.js:
{
"ios": {
"config": {
"usesNonExemptEncryption": false / true
}
}
}
Related
I have a problem when pushing my iOS App to the App Store. I know this is not a coding issue.
I got rejected because of guideline 2.1 that the App Store wants to test full features of my app. There are parts of features that they are unable to reproduce (e.g. OTP code, product code ,etc).
What does it mean by providing built-in demo regarding the 2.1 guidelines? How can I make it?
Added to 2.1: “If you are unable to provide a demo account due to
legal or security obligations, you may include a built-in demo mode in
lieu of a demo account with prior approval by Apple. Ensure the demo
mode exhibits your app’s full features and functionality.”
My apps never got rejected. You can use the form where you can put comments to the reviewer into how to create an OTP entry, for instance, like, use this seed, and provide the seed. Remember the QRcode are only a convenience to provide the seed. Try a seed like 123456 depending on the algorithm the length may vary. Just inform how they can view this feature working. It's very simple actually. I cannot see something that you cannot communicate previouslly to the reviewer... if was a network access, provide a temporary APIKEY or better, a demo account. You can always remove later.
Let say If I want to check if the facebook or any other application is currently running on device ?
The answer is simply "No", this is absolutely not possible in iOS.
(Note that you can easily "open" another app - it's just like opening a web link - but you can not "check if it is already open".)
Simply your answer is NO
The reason behind this, in case of iOS, every app is running like on own sandbox. So there is no connection between one sandbox to another.
Update 2:
Decided to use Code-Level Support.
Included with your paid membership are two Technical Support Incidents
(TSIs) for code-level support from Apple support engineers.
Reply from Apple:
Automatic Assessment Configuration limits what features of the system
are available while in a testing environment. It locks the device to a
single app. It does not provide oversight, such as identifying which
apps are running.
Classroom is an app targeting K-12 classrooms. It provides teacher
oversight of student activities during lessons, including viewing
student screens.
https://www.apple.com/education/k12/teaching-tools/
https://support.apple.com/guide/classroom/welcome/ipados
I'm not aware of any functionality associated with either of these
that provides for notification of apps running in the background.
While I cannot say how any given app is implementing apparent
functionality, I'm pretty confident in saying that the app you mention
earlier is not using either Automatic Assessment Configuration or
integrating with Classroom.
You may want to contact the developer of the app in question.
Of course, it's also possible your colleague misunderstood and the app
is not in fact doing any such reporting.
I would also encourage you to file feedback requesting such a feature.
Please submit your suggestion via Feedback Assistant
https://feedbackassistant.apple.com. For more information on
Feedback Assistant, please visit
https://developer.apple.com/bug-reporting/.
While you were initially charged a technical support incident for this
request, we have assigned a replacement incident back to your Apple
Developer Program account.
Perhaps my colleague mistook Android version of the app for iOS.
Update:
After reading some more about this it could be related to Automatic Assessment Configuration and AEAssessmentSession.
This allows an app to:
Enter single-app mode and prevent students from accessing specific
system features while taking an exam.
and
A session provides protections by preventing access to desktop
elements like:
...
Other apps, except those that you selectively allow
https://developer.apple.com/documentation/automaticassessmentconfiguration
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_automatic-assessment-configuration
https://developer.apple.com/documentation/automaticassessmentconfiguration/aeassessmentsession
Sample code here:
https://developer.apple.com/documentation/automaticassessmentconfiguration/build_an_educational_assessment_app
Original:
I agree with #AnkurLahiry and #Fattie that it should not be possible due to sandbox environment. According to Apple Developer Forums it is not possible either:
https://developer.apple.com/forums/thread/48374
However a colleague took his hunting degree and they used an app for examination. This app could detect other apps running in the background. For example one person had Teams app running and the examinators could then tell that he had that exact app running on his phone. Not just installed but running in the background.
https://apps.apple.com/se/app/teoriprov-f%C3%B6r-j%C3%A4garexamen/id1548547811
He took the test 2022-04-29 and was using the app version 1.0.8.
I'm not an iOS developer but I have done some experiments with disabling or bypassing SSL Pinning/Certificate Pinning on Android. In this case developers often used checks in the native layer as well as the Java layer to make it difficult to bypass. My guess is that they use low-level access to detect if a process is running or not.
https://security.stackexchange.com/questions/149325/disable-or-bypass-ssl-pinning-certificate-pinning-on-android-6-0-1
https://developer.apple.com/documentation/objectivec
Unfortunately I don't have more information than that. Next step could be contacting them and see if they are willing to share how they did it.
You could also read up on examination apps and classroom:
https://apps.apple.com/us/app/classroom/id1085319084
For Android you can check it like this:
https://stackoverflow.com/a/22503513/3850405
I want let users view the Weight section of Apple's Health app to allow them to see detailed data, etc. I manage to open the Health app via the URL scheme x-apple-health://, but I would like to send them directly to the right place, e.g. x-apple-health://HealthData/measurements/Weight. I have had no success after trying different paths that made some sense.
Anyone has a reference on this?
Apple has not documented the x-apple-health:// scheme for use by apps. Attempting to use it is like using SPI - even if you find something that works now, it is likely to break in a future version of iOS. You should file a Radar with Apple to request an API for this purpose.
I making a new app and want to submit to app store.
But at the time of final submission
there is check for Export Compliance.
What should I Check Yes Or No.
I use https url in my app.
Please Help Me .
Thanks In Advance.
When you know that you ARE export compliant you can put this in your Info.plist:
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
This will prevent App Store Connect from asking you questions about export compliance.
If you are using https in your application, you will need to answer yes to this question, even if all you are using is built in mechanisms to communicate over https. The good news is that you no longer need to get the Encryption Registration Number (ERN) - the current requirements (as of August 2017) are that you just need to submit the annual self classification report to the BIS(Bureau of Industry and Security). To submit a self classification report, follow the instructions on item 13 in this FAQ: A sample Self Classification report can be found here.
For a great write up that talks about both sides of the story (apps that only use common / freely available encryption, like SSL, as well as apps that have their own, proprietary encryption, see this Medium post.
Please don't listen to other people who state that they just answer no to this question to make things easier when submitting an app.
As of February 2018 this is the process to file an Annual Self Classification Report to BIS (Bureau of Industry and Security):
https://www.bis.doc.gov/index.php/policy-guidance/product-guidance/high-performance-computers/223-new-encryption/1238-how-to-file-an-annual-self-classification-report
To get a ECCN (Export Control Classification Number) for a HTTPS mass market iOS app follow, these steps.
Download the quick reference guide to classify your app.
https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file
For a basic HTTPS iOS app used to securely access a webpage or transfer a file use
5D992 which is Information Security” “software” not controlled by 5D002.
If your app contains more encryption functionality, then reference the policy guide. https://www.bis.doc.gov/index.php/policy-guidance/encryption
Might not be what you want to hear, but you will need to review the policy and correctly categorize the app and get the correct ECCN.
Now go to the SNAP-R form. https://snapr.bis.doc.gov/snapr/
To get to the form from the BIS homepage.
https://www.bis.doc.gov/index.php
Then select Licensing -> Simplified Network Application Process Redesign (SNAP-R)
Register Online for a SNAP-R account.
https://snapr.bis.doc.gov/registration/Register.do
The Bureau of Industy and Security will return a CIN application ID quickly via email.
Return to the main SNAP-R page with the CIN issued number and login.
Select "Create Work Item "
The Type will be "Commodity Classification Request"
Reference number is 7 digits. I used my phone number.
Create
Fill in Contact Information.
Leave License Information Blank
Fill in Company Designation any info missing. When you created the CIN this info was requested.
Other Party can be left blank.
Now for each app you want to register, fill in a Export Item and press Add Export Item. Multiple apps can be submitted on the same request.
ECCN will be 5D992
APP can be left blank. It is the Adjusted Peak Performance"("APP") which for a commodity iOS app is not required.
Product/Model is the name of the app in the App Store.
CCATS can be left blank.
Manufacturer is your company name.
Technical Description - briefly describe the apps function and how HTTPS is leverage. Keep it simple. They are interested if the app is a security risk and how encryption is used.
example:
AppName is distributed as an Apple iOS App. It uses HTTPS to download/upload daily updates to and from xxxx. The download is used to generate a table. An In-App .99 cent purchase expands the table results to include xxxx.
Additional information explains in more detail how HTTPS has been implemented.
The HTTPS file transfer is a URLSession data transfer task found in the Apple Foundation library. The iPhone automatically performs the download of the published data in csv file format, using the HTTPS protocol for a secure transfer.
Make sure you saved all your drafts. Check for errors. Then submit.
The turnaround is pretty fast. Mine took around an hour. But I am sure it varies.
The other option is once a year you can submit an Annual Self Classification Report. But if you have a SNAP-R CCATS number you are not required to submit a Annual Self Classification Report.
https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification
This is very simple. Download the sample csv file. Delete out the sample data leaving the headings. The heading are required. Fill in the columns. The column Authorization Type is MMKT. Item type Other: HTTPS File Transfer. Save the file and submit.
The BIS SNAP-R hotline [202-482-4811 DC, 949-660-0144 CA] and the Encryption Hotline for the annual submission [202-482-0707] are both very helpful. Last point, the BIS has helpful set of YouTube video.
https://www.bis.doc.gov/index.php/online-training-room
Hope this helps.
From Complying with Encryption Export Regulations: Declare Your App’s Use of Encryption:
Typically, the use of encryption that’s built into the operating system—for example, when your app makes HTTPS connections using URLSession—is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not. To determine whether your use of encryption is considered exempt, see Determine your export compliance requirements.
So Apple says that for usual HTTPS scenarios, you do not need to upload export documentation for your app.
I know there are quite a few threads on this, but it seems none of them would satisfy what I am trying to look for. Here's my constraints:
not a hack that uses private API/framework or undocumented
directory access that would run the risk of app being rejected
because of that
being able to share data across different
vendors / app developers
data can persist outside the lifecycle
of the app (even after app is deleted)
UPDATED: I was in general trying to stay away from using a 3rd party cloud-based service to achieve the goal as this would introduce additional external dependency. But if I have to, I was hoping it could satisfy this one constraint
being able to tell which iOS device it is communicating with. It shouldn't have to uniquely identify the device (which will go into that evil UDID discussion route as we all experienced ). But as long as it can differentiate among different iOS devices it should be fine.
I kind of need this too. I use Parse.com as the backend of all my apps — their free tier should satisfy your development needs.
Parse has APIs available for iOS, Android, Windows 8, OS X, JavaScript and .NET, with all your data available on the cloud on any platform (contrary to Core Data and iCloud). They also offer "Cloud Code," which is code you can execute remotely, to process information remotely and get the data back to your app.
You should definitely check Parse.com out for cloud storage for your app. In my experience, it really gets the job done.
For Data Persistence, I think you might want to take a look at FMDB (although if you decide to persist data locally, it will get deleted with your app, but it might help you, anyways). Core Data is an overkill in many cases.
Edit: Parse.com has an "Installation" class, in which all the devices that have your app installed get listed (wether they're running iOS or Android), uniquely, without you having to type any code.
Maybe this blog post by TextExpander authors will help:
Smile has responded to this by discussing the issue with Apple
engineers at WWDC, filing a bug (#14168862), and checking up on the
status of that bug. We also developed a workaround by storing the
TextExpander data in a new place. Reminders requires user consent to
store and retrieve data. Completed reminders are not normally shown in
its interface. Long-past reminders appear at the bottom of the
completed reminders.
TextExpander touch 2.1 (and later) supports storing shared snippet
data in a long-past, completed reminder. We produced an updated SDK
and kept our developers posted on its progress. Our final SDK was
ready within a few hours of the end of Apple's official iOS 7
announcement.
UPDATE (22.11.2013)
This might not be the best way to do that, because TextExpander's team recently had problems with the App Review Team.
Edit: this only works for apps with the same vendor.
You can save a password to the device's keychain, then access that password from any app.
Using the SSKeychain library...
NSString *service = #"com.yourcompany.yourservice";
// read
NSString *password = [SSKeychain passwordForService:service account:#"user"];
// write
[SSKeychain setPassword:password forService:service account:#"user"];
The password string doesn't have a length limit, so encode all your data as a string and save it there. The keychain entry will persist after the user deletes the app.
One of the ways to do this is using THRIFT. This is a data communication protocol that would need a back end server (private) and THRIFT can be compiled into many languages / platforms. There is a meta language to describe the data and then can be thrift compiled into many languages. Write the data definition once and can be used on many platforms.
More information at.
http://thrift.apache.org/
for me (I have 2 apps and a widged) the best solution is using SSKeyChain and do not forget to add Capabilities for your apps like here
or if you don't wanna to use 3rd party library you can use NSUserDefaults and set the group identifier like here but again do not forget to add the group identifier in Capabilities in AppGroups section for all your apps that have share data.