How to determine if my app contains encryption? - ios

After deploying build for my iOS app on TestFlight, Apple was asking me to fill "Export Compliance Information" with the following question:
Does your app use encryption?
Select Yes even if your app only uses the
standard encryption within Apple’s operating system.
I've searched a little bit for an answer here on StackOverflow, but my case is a little bit specific and I haven't found a clear answer for it yet.
I am using https to connect to the server.
I am using Apple Keychain to store user credentials.
I am using encryption on the backend to encrypt/decrypt a secret file and send the decrypted content in the response when my app makes an https request (so for this case my app does not use encryption directly).
I assume the answer to the first question is Yes. Definitely because Apple Keychain itself uses encryption.
If I select yes I get to the next question:
Does your app qualify for any of the exemptions provided in Category 5,
Part 2 of the U.S. Export Administration Regulations?
Make sure that your app meets the criteria of the exemption listed below.
You are responsible for the proper classification of your product.
Incorrectly classifying your app may lead to you being in violation of
U.S. export laws and could make you subject to penalties,
including your app being removed from the App Store.
You can select Yes for this question if the encryption of your app is:
(a) Specially designed for medical end-use
(b) Limited to intellectual property and copyright protection
(c) Limited to authentication, digital signature, or the decryption of data or files
(d) Specially designed and limited for banking use or “money transactions”; or
(e) Limited to “fixed” data compression or coding techniques
You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations.
I assume my app is (c):
(c) Limited to authentication, digital signature, or the decryption of data or files
Therefore the answer to this would also be yes.
However I am not sure about this and would like to know your opinion, ideally with a short explanation.
Thanks.
PS: I am including useful links which helped me on how to submit a Self Classification Report:
https://kitefaster.com/2017/08/10/encryption-export-compliance-ios-apps
https://simonfairbairn.com/bis-year-end-self-classification-report

The rules regarding a TestFlight app are slightly different from a "real" App Store release, but the procedure is pretty similar.
As you said, the first question asks "Does your app use encryption?"
Here you should select "Yes" even if your app only uses the standard encryption in iOS and macOS / Xcode.
Basically:
Use of encryption in this case includes, but is not limited to:
Making calls over secure channels (i.e. HTTPS, SSL, and so on).
Using standard encryption algorithms.
Using crypto functionality from other sources such as iOS or macOS.
Using proprietary or non-standard encryption algorithms.
The U.S. Government defines "non-standard cryptography" as any implementation of "cryptography" involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body.
Does your app qualify for any of the exemptions provided in Category 5,
Part 2 of the U.S. Export Administration Regulations?
As you said, option C is most often adequate and the correct choice if you don't use any proprietary or non-standard algorithms.
By the way, here's a link to that "Note 4 for Category 5" that they mention.
When you submit a final version of your app to the actual App Store, you will be required to answer these questions again in App Store Connect.
Determine your Export Compliance Requirements, blah, blah...
Basically, you can say yes in the following scenarios:
Select "Yes" for this question if the encryption of your app is:
a. Specially designed for medical end-use
b. Limited to intellectual property and copyright protection
c. Limited to authentication, digital signature, or the decryption of data or files
d. Specially designed and limited for banking use or “money transactions”; or
e. Limited to “fixed” data compression or coding techniques
There are usually no problems from here on, as long as you pass the internal testing etc.
Just follow the prompts when exporting / distributing to App Store.
Remember to update your Xcode settings for your build.
By the way: Consult an attorney for legal guidance if in doubt! This is only my understanding of the process.

This is from Apple's article about Complying with Encryption Export Regulations
Typically, the use of encryption that’s built into the operating
system—for example, when your app makes HTTPS connections using
URLSession—is exempt from export documentation upload requirements,
whereas the use of proprietary encryption is not. To determine whether
your use of encryption is considered exempt, see Determine your export
compliance requirements.
The big thing from this quote I noticed is the term "proprietary" and the fact that HTTPS is now exempt from regulation. I believe that this also means that keychain should also not be included in this, because it is public encryption to my knowledge.
But I am very uneasy to say that the encryption you use in the app's backend is safe from the regulation, given that it could be considered proprietary and could be considered an extension of your app, not a separate entity. Historically Apple is very willing to take down apps that they don't believe follow their guidelines. Here is a great Stack Overflow question and a Reddit link you should read through to be safe; the Stack Overflow answer seems to be very thorough. Stack Overflow and Reddit.
Sorry I couldn't help you with the third point about your backend's encryption. I hope you can find some answers that I didn't see in the links I provided though.

Related

Self-Classification Report - Is it needed for US-based registered companies?

Regarding Apple's self-classification report: my client has registered the company in the USA, but we are using "Https" in the application.
Do I need to submit the self-classification report?
Thanks
Yes, you must submit a self-classification report to the US Government unless your app qualifies for one or more exemptions provided under category 5 part 2 of the BIS Export Administration Regulation, including but not limited to apps that are:
Specially designed for medical end-use
Limited to intellectual property and copyright protection
Limited to authentication, digital signature, or the decryption of data or files
Specially designed and limited for banking use or "money transactions"; or
Limited to "fixed" data compression or coding techniques
Source

Using Realm encryption and Apple export compliance

My app uses encryption indirectly as I'm using an encrypted Realm database (and Realm implements the encryption).
I don't therefore know if Realm
"... only uses encryption algorithms provided in iOS for its security
features ..."
Realm uses the crypto library and so it's reasonable to assume it does use algorithms provided in iOS, but the point is I don't know for a fact if it does or doesn't or if it uses key lengths exceeding 512 bits etc. etc. etc.
So I can answer Apple's question:
".. does your app contain or incorporate cryptography"
as YES as it must do if I'm using a Realm encrypted db.
But I can't answer questions such as
"..Use of encryption is limited to encryption within the operating
system"
As I have no idea what Realm is doing with respect to its encryption.
If you have released an app using Realm encryption, what did you do regarding these points when releasing the app, and why?
(A couple of people who are possibly Realm developers have commented on forums that Realm only uses the crypto library and hence only algorithms provided within the OS, but there is no official statement of this on the Realm website. And it can be seen that the Realm code imports the Crypto library, hence it is very very reasonable to assume this is the fact. But to re-iterate - as an app developer I myself do not categorically know this for a verifiable fact, nor can I refer to an official statement stating this issued by Realm. They have a Legal Considerations section here https://academy.realm.io/posts/tim-oliver-realm-cocoa-tutorial-on-encryption-with-realm/ and they state:
If you are unsure as to whether your app falls within the export
compliance exemptions, please contact an attorney
But they don't actually provide sufficient information regarding details of Realm to actually be able to do this.)

iOS App with encryption submit issue

In my application I use sha256 encryption (actually it's a hash function, so you can't decrypt it). For each request to the server I need to make a string like "param1|param2|param3" and encrypt it with sha256 (I will get encryptedString), and I need to add the 4th parameter "hash" = encryptedString. It's the only use of encryption in the application.
sha256 function is:
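import Foundation
import CommonCrypto  // CC_SHA256 is declared in CommonCrypto, not in Security

// Returns the lowercase hex SHA-256 digest of the UTF-8 bytes of originString.
// Despite the function name, this is a one-way hash, not encryption.
func encryption_sha256(_ originString: String) -> String {
    let data = originString.data(using: String.Encoding.utf8)!
    var hash = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
    CC_SHA256((data as NSData).bytes, CC_LONG(data.count), &hash)
    let hexBytes = hash.map { String(format: "%02hhx", $0) }
    let resultString = hexBytes.joined(separator: "")
    return resultString
}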
When I submit to App Store I have such questions:
1) Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available in iOS or macOS.)*
As far as I understand, my answer is YES. Or can I answer NO, because sha256 is not encryption, it's just a hash and you can't decrypt it?
2) Does your app meet any of the following:
(a) Qualifies for one or more exemptions provided under category 5 part 2
(b) Use of encryption is limited to encryption within the operating system (iOS or macOS)
(c) Only makes call(s) over HTTPS
(d) App is made available only in the U.S. and/or Canada
Make sure that your app meets the criteria of the exemption listed here. You are responsible for the proper classification of your product. Incorrectly classifying your app may lead to you being in violation of U.S. export laws and could make you subject to penalties, including your app being removed from the App Store. Read the FAQ thoroughly before answering the questions.
You can select Yes for question #2 if the encryption of your app is:
(a) Limited to using the encryption within the operating system (iOS or macOS)
(b) Limited to making calls over HTTPS
(c) Specially designed for medical end-use
(d) Limited to intellectual property and copyright protection
(e) Limited to authentication, digital signature, or the decryption of data or files
(f) Specially designed and limited for banking use or "money transactions"; or
(g) Limited to "fixed" data compression or coding techniques
You can also select Yes if your app meets the descriptions provided in Note 4 for Category 5, Part 2 of the U.S. Export Administration Regulations.
If I answer Yes here, everything is easy, I just need to insert <key>ITSAppUsesNonExemptEncryption</key><false/> in the info.plist file.
Can I answer YES to this question?
If NO, I get the 3rd question:
3) Does your app implement any encryption algorithms that are proprietary or yet-to-be-accepted as standards by international standard bodies (IEEE, IETF, ITU, etc.)?
As far as I understand, answer is NO
4) Does your app implement any standard encryption algorithms instead of, or in addition to, using or accessing the encryption in Apple’s iOS or macOS?
As far as I understand, answer is YES
And in this case I need:
Please upload a short letter stating that you understand your legal obligations to submit a year-end self classification report required by the Bureau of Industry and Security (BIS).
Where do I need to submit this year-end self classification report required by the Bureau of Industry and Security? Or maybe I can answer YES to the 2nd question?
The key is "Select Yes even if your app is only utilizing the encryption available in iOS or macOS."
Since SHA256 is not encryption, answer no to question 1.
Cryptographic hash functions are not encryption since they are one-way functions; encryption is a reversible two-way function.

Encrypting data in iOS

I'm new to iOS development and working on a small iOS mobile app that stores sensitive information of users. Initially I thought of using custom AES encryption to encrypt/decrypt all the data. I also want the encrypted data to be synced with iCloud. After reading more I came to know that from iPhone 3GS each device has a built-in AES-256 crypto engine. From Xcode, I observed that I can turn on an option called "Data Protection" for the mobile app to secure data. Based on my analysis I have the questions below:
To use data protection for iPhone 3GS (uses iOS 6.1) do I need to set passcode?
Without setting passcode for the device how can I use the built-in crypto engine to encrypt my data?
The information is very sensitive, so in this case do I need to implement custom encryption?
RNCryptor is very useful, but it's basically just a wrapper for Apple's own CommonCrypto functionality (that makes implementing it pretty easy). It's useful if you want to encrypt data on the device that even the user cannot get ahold of.
Regarding your specific questions:
Data protection encrypts your app data using Apple's device-level encryption (you do not password protect it yourself). This has its uses - it will keep a 3rd party from being able to access data on a device if they are unable to unlock it - but does not prevent (for example) a user from getting access to data on their unlocked device. Using RNCryptor and CommonCrypto, which it is built upon, you can AES256 encrypt content using a password of your choosing.
Apple details this here. Basically, from the end user's perspective they just set a password for their device as normal. You do not use a password of your own choosing.
You can set this up for your app using the following instructions:
https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/AddingCapabilities/AddingCapabilities.html#//apple_ref/doc/uid/TP40012582-CH26-SW30
This depends on how sensitive the data is and what threats you foresee (Who are you trying to keep it away from? Are there any laws/regulations you intend to comply with? How much work do you want to take upon yourself to protect this data?). There are a lot of trade-offs and caveats that can apply in certain situations.
If you have a small amount of data, you might consider just storing it in the iOS keychain. Otherwise, I'd recommend giving RNCryptor a try. It's fairly easy to integrate.
I hope this helps.
UPDATE: Another thing to consider... There are potential export control ramifications that might come up if you implement your own encryption, even using RNCryptor/CommonCrypto. Depending on how much paperwork and/or delay you're willing to deal with, this may influence your decision. You can learn more about this from Apple's site, here:
https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/wo/20.0.0.13.7.2.7.9.3.1.2.3.3.1.5.7.1
This really depends on how many scenarios you are trying to protect against. Pretty much any scenario you can possibly create will be broken given enough time and effort. However to address a few points:
1) Yes you need to set a passcode for this feature to become active.
2) You can make use of the CommonCrypto library (or a wrapper around it like RNCryptor)
3) This is a bad idea for the simple reason that developing a secure algorithm is insanely hard. The slightest flaw will leak out all of the data and people have devoted years of their lives to sniffing out these flaws (although I may have misunderstood what you meant by "custom encryption")
If you want to be as secure as possible you will have to do this: Send your file to a server for processing (via HTTPS). It is much harder to hack into a server than it is to hack into an iOS application. If you simply use RNCryptor it is pretty trivial to rip apart the app looking for the password, or how you obtain the password. Basically if the app can do it then BlackHat can do it too.
EDIT I forgot about one thing! If you generate a random password for each install and store it in the keychain then this will help, but it is not foolproof (There is a small chance that the iOS keychain contents can be retrieved from a jailbroken device, especially if the user has a weak passcode). However this will make the user's data non-recoverable if they wipe the OS for any reason.
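Added example, not part of the original answers: one way to implement the "random password per install, stored in the keychain" idea from the EDIT above, using the Security framework. The service and account strings are hypothetical placeholders; the key would then be handed to whatever encryption routine the app uses (for example CommonCrypto or RNCryptor).

```swift
import Foundation
import Security

enum InstallKeyError: Error {
    case randomFailed(OSStatus)
    case keychain(OSStatus)
}

// Hypothetical identifiers for this example; replace with app-specific values.
let keyService = "com.example.app.datakey"
let keyAccount = "install-key-v1"

/// Returns the per-install 256-bit key, generating and storing it on first use.
func loadOrCreateInstallKey() throws -> Data {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keyService,
        kSecAttrAccount as String: keyAccount,
    ]

    // 1. Look for an existing key.
    var query = base
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let readStatus = SecItemCopyMatching(query as CFDictionary, &item)
    if readStatus == errSecSuccess, let key = item as? Data {
        return key
    }
    // Only "not found" may lead to key generation. Any other status (for
    // example the item being unreadable while the device is locked) must
    // surface as an error, otherwise a new key would orphan existing data.
    guard readStatus == errSecItemNotFound else {
        throw InstallKeyError.keychain(readStatus)
    }

    // 2. First run: 32 bytes from the system CSPRNG.
    var bytes = [UInt8](repeating: 0, count: 32)
    let rngStatus = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    guard rngStatus == errSecSuccess else {
        throw InstallKeyError.randomFailed(rngStatus)
    }
    let key = Data(bytes)

    // 3. Store it. "ThisDeviceOnly" keeps the item from migrating to another
    //    device through a backup, and "WhenUnlocked" makes it readable only
    //    while the device is unlocked.
    var add = base
    add[kSecValueData as String] = key
    add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let addStatus = SecItemAdd(add as CFDictionary, nil)
    guard addStatus == errSecSuccess else {
        throw InstallKeyError.keychain(addStatus)
    }
    return key
}
```

As the answer notes, data encrypted under this key cannot be recovered once the keychain item is gone, so anything that must survive a device wipe needs a separate recovery path.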
very very very simple : https://github.com/RNCryptor/RNCryptor
I used it for a chat application; it's so good.

What constitutes 'encryption' for the purpose of export compliance (e.g. in App Store)? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
When submitting an app to the iOS App Store, one is required to declare whether the app "contains encryption" (and, as I understand, go through additional administrative hurdles).
Does anyone know of any guidance on what precisely is covered by the term "encryption" in this context?
Are they referring to:
specifically cryptographically secure encryption schemes (AES, RSA etc);
OR, any scheme or method that might in everyday parlance be referred to as 'encryption', or a variant of a standard scheme that is cryptographically weak?
Specifically, I was intending to use some weak scheme to protect some of the app's assets against a casual hacker, e.g. by XORing the data from the file with a string of bytes generated from a (non-cryptographic) random number generator. If you like, it would be a "one time pad", but where the key isn't actually cryptographically random: just random enough so that somebody looking to steal the data would need to go to a small amount of effort beyond 'just copying the data out of the file'.
So, for the purposes of the declaration, would this count as using "encryption" even though it's not actually a cryptographically secure form of encryption? What I'm doing is common enough practice that I'm guessing other developers have submitted apps using such a procedure: did you have to declare the app as using encryption?
(The iTunes Connect Guide, for example, doesn't give any further specification on this matter.)
This flow chart will probably help you get on the right track. It indicates that if the encryption is limited to copyright protection / intellectual property then it is exempt from the review. I got to this flow chart from the BIS homepage. That page is referenced by the FAQ entitled World Wide Trade Compliance for the App Store in iTunes Connect, which states you can claim exemption:
(i) if you determine that your app is not classified under Category 5, Part 2 of the EAR based on the guidance provided by BIS
Hope this helps clear things up a bit.
EDIT Another interesting section is this, you can claim exemption if:
(iii) your app uses, accesses, implements or incorporates encryption with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112 bit elliptic curve