I am about to submit a new Sales app to the Apple App Store.
The users need to send their sales data to their head office daily.
To do this the app zips the sales data and attaches the zipped file to an email. This zipped file is encrypted for security, and will only be used by the head office.
Would my app be regarded by Apple as containing encryption when I submit it to the App Store ?
The Apple Developer Program License Agreement states that, when distributing your app,
You certify that (i) none of the Licensed Applications contains, uses
or supports any data encryption or cryptographic functions; or (ii) in
the event that any Licensed Application contains, uses or supports any
such data encryption or cryptographic functionality, You certify that
You have complied with the United States Export Administration
Regulations, and are in possession of, and will, upon request, provide
Apple with a PDF copy of Your Encryption Registration Number (ERN), or
export classification ruling (CCATS) issued by the United States
Commerce Department, Bureau of Industry and Security and PDF copies of
appropriate authorizations from other countries that mandate import
authorizations for that Licensed Application, as required.
So in order to comply with Apple's guidelines you must select that your app does utilize encryption on iTunes Connect if you are encrypting something inside of your app.
Related
This might not be a direct code question, but it's one that comes up frequently on SO and I find very useful to read.
App Store - Help answering “Missing Compliance” (using Expo + Firebase)
Does my application “contain encryption”?
ITSAppUsesNonExemptEncryption export compliance while internal testing?
I don't live in the US and therefore don't navigate freely in their law system or stays up to date with changes. But using american products and platforms like the Apple App Store means that I have to comply with the national rules and policies.
There is this one thing about encryption compliance whenever I submit to the app store. It always ask me if I'm using encryption. The answer is yes - since fetching like OTA updates are https. The SO questions are often so yes to the first and no to the rest if https is the only encryption used.
BUT what if you are using encryption to authenticate a user. Then it seems like it has to be yes to encryption and yes to this question:
Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?.
Here is what I don't get. If this is the case for US compliant mobile apps - do I need to report to US authorities if I deploy a web site that do the exact same type of authentication logic
There is a lot of great material on how to build a good authentication system - but have never come across a mention of
"BTW ☝️ don't forget to report to the US authorities that you authenticate your users with encryption"
First IANAL, so take this a professional experience, not legal advice. There is no requirement to notify any specific US authority that you use encryption in your auth process. I suspect that these questions are asked because of the ITAR Regulations that deem certain kinds of encryption to be "arms" and therefor not legally exportable from the US (Discussion of ITAR and Crypto here) given you are already in (presumably legal) possession of whatever encryption scheme you are using, these rules do not apply to you. There may be more specific regulations if you have an affiliation with the military or intelligence agencies of the US or any other country.
When submitting an app that contains cryptography, I know there's a checkbox you must check, as well as subsequent questionnaire you must answer. And if the app contains cryptography you need to go through complex Exporter Registration and Reporting process.
There are three specific cases I'm curious about:
1. Cryptocurrency wallets
One of the "exemption" clause says:
(ii) your app uses, accesses, implements or incorporates encryption for authentication only
Does this exempt the app from having to go through all the complicated government approval process? Most cryptocurrency wallets only use cryptography for signatures and authentication, but I'm not sure how this applies to this case.
Simply put, do all Bitcoin wallet app developers have to get government approval before submitting the app?
2. End-to-End encrypted messaging apps
How about end-to-end encrypted chat apps? Do I have to go through the approval process?
I'm talking apps like Signal and whatsapp.
3. Does WKWebView + Webcrypto count?
What if I'm using WKWebView which contains access to webcrypto API https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API inside the app, does this count as "contain encryption"?
From Apple FAQ:
Use of encryption includes, but is not limited to:
Making calls over secure channels (i.e. HTTPS, SSL, and so on)
Using standard encryption algorithms
Using crypto functionality from other sources such as iOS or macOS
Using proprietary or non-standard encryption algorithms
You didn't specify source of your "exemption", but I guess it is not from Apple guidelines.
I would say that your cases are using encryption or crypto so are in scope of this guidelines.
I found some more informations here - maybe will help you.
On my iTunnes Connect I have 4 applications that I developed for my clients(Financial apps for trading) and when I tried to upload it, but I've been rejected by Apple(before 2018 year it wasn't a problem):
Guideline 3.2.1 - Business - Other Business Model Issues - Acceptable.
The seller and company names associated with your app do not reflect the financial institute name “XXXX Bank Ltd.” in the app or its metadata, as required by Guideline 3.2.1(viii) of the App Store Review Guidelines.
Specifically, your app must be submitted by XXXX Bank Ltd. Developer account to be in compliance with this guideline.
Next Steps
Your app must be published under a seller name and company name that reflects the Discount Bank Ltd. name. If you have developed this app on behalf of a client, please advise your client to add you to the development team of their Apple Developer account.
As I understand the problem that I am developing third party apps for my clients and this is not acceptable by apple. Do I need to create 4 apple id users and certificates for each client and then to upload it.
Thanks in advance
Technically, each of your clients banks is supposed to create its own Apple developer account and submit its app itself. See §4.2.6 of the App Store Review Guidelines:
4.2.6 Apps created from a commercialized template or app generation service will be rejected unless they are submitted directly by the provider of the app’s content. These services should not submit apps on behalf of their clients and should offer tools that let their clients create customized, innovative apps that provide unique customer experiences. Another acceptable option for template providers is to create a single binary to host all client content in an aggregated or “picker” model, for example as a restaurant finder app with separate customized entries or pages for each client restaurant, or as an event app with separate entries for each client event.
If the bank hires you to manage its developer account and submission process, that is probably sufficiently direct to comply with the guideline, especially if you are careful to use contact information that belongs to the bank (like the bank's mailing address and an email address that uses the bank's domain name).
Like #Vitali said - You need to create a new account for the client and upload application under this name otherwise Apple won't approve it.
But if you already have this account, you have to check at the bottom of the page this option. After you have to put your business's ID. Check the IMG please. More information here... https://support.apple.com/en-gb/HT204401 I hope this helps you.
PD: Sorry for my english.
I am using https://github.com/ideawu/Objective-C-RSA this library to encrypt some data using a public key.
Current live app is already using https for all calls. I am confused as to how will my answers on export compliance change on version update?
Also, do I need to add export compliance documentation on itunes connect?
Additional details:
I am using only encryption from the library.
Then the encrypted string is sent to server. The backend server is responsible for decryption using private key.
The encryption is NOT for authentication purpose. It is used send sensitive data to server
Turns out my use case was falling under the money transactions category. As per the export guidelines, this category is allowed to use cryptographic algos.
All I had to do is mark "Yes" to the below questions during submission.
As per FAQ on iTunes Connect:
Does your product qualify for any exemptions provided under category 5 part 2?
(v) your app is specially designed and limited for banking use or ‘money transactions.’ The term ‘money transactions’ includes the collection and settlement of fares or credit functions.
I am using basic ssl for my app that i am planning to submit at the iOS app store. From all the research it seems that i need to get an ERN from BIS for export compliance.
While registering the same i see company name / CIN being asked as a part of the process. I am uploading the app from a country outside US. So I am totally confused now - do i need to register my company in my country first and then apply for a CIN inorder to go ahead with ERN registration procedure? Or Can i obtain ERN as an individual? Thanks for any help.
I see this at Simplified Network Application Process
SNAP-R Access
SNAP-R allows users to submit export license applications, commodity
classification requests, encryption registration, reexport license
applications, and license exception AGR notifications via the
Internet. You must have a Company Identification Number (CIN) and an
active user account to access SNAP-R.
P.S. I am not sure if this is the right forum for this question. If not any guidance to alternate forum will be much appreciated. Thanks again!