Basically, I'm using the Firebase authentication SDK in my iOS app to provide secure login to users and trying to upload the app to TestFlight. Upon upload, I'm seeing the question below, which asks if the app uses cryptography, but then there are exceptions where some cryptography algorithms are exempted. Please advise on how to answer in regard to using the Firebase Auth SDK.
Thank you!
"Is your product designed to use cryptography or does it contain or incorporate cryptography?
Please answer “YES” to the question even if your app uses or accesses encryption from another source, e.g., iOS or Mac OS X.
If your application does not use, access, implement or incorporate encryption, you can answer “NO” to this question and you can continue with the process of uploading your binary.
If your application does use, access, implement or incorporate encryption, it may be necessary to submit confirmation of approval by the United States Government and an approval from French authorities if your app is going to be distributed in France."
The Firebase Auth SDK does not currently make use of cryptography on the client. The SDK is now open source on GitHub; please feel free to take a look at the source code.
https://github.com/firebase/firebase-ios-sdk
I have an application on the App Store. I want to add support for the Citrix MDM solution, which will allow end users to install the application as an in-office app.
I want to know what steps I need to perform in the application.
I have gone through the details on Citrix and got the following information in bits and pieces, and have some questions on top of that information:
I need to use the MAM SDK in the iOS app. From where should I download the SDK? Is it freely available for POC purposes?
If I integrate the SDK, what changes do I need to make in the application? Is any sample application available?
I need to wrap the iOS application. Is that required if I use the MAM SDK?
My application communicates with my server and has user authentication. Do I need to change anything on my server?
Is a dummy/temporary Citrix server setup available to test my application?
Let me tackle each question.
You'll want to download the MAM SDK from the citrix.com web site. To do so, though, you'll first need to create a user account. It is free to download.
The changes to your iOS app are fairly straightforward. I won't repeat them here, but in the MAM SDK download you'll find step-by-step instructions on what you need to do. There is a sample app with source code provided.
You no longer need to MDX-wrap your iOS application. That's the older way of getting your apps managed by Citrix Endpoint Management. The new MAM SDK approach replaces that mechanism.
There are no changes needed to your authentication.
There's no dummy server available, but you can request a trial site. Create an account at Citrix Cloud and request a trial of Endpoint Management.
Source: I'm an engineer for the Citrix Endpoint Management product.
This might not be a direct code question, but it's one that comes up frequently on SO and that I find very useful to read.
App Store - Help answering “Missing Compliance” (using Expo + Firebase)
Does my application “contain encryption”?
ITSAppUsesNonExemptEncryption export compliance while internal testing?
I don't live in the US and therefore don't navigate freely in their legal system or stay up to date with changes. But using American products and platforms like the Apple App Store means that I have to comply with their national rules and policies.
There is this one thing about encryption compliance whenever I submit to the App Store. It always asks me if I'm using encryption. The answer is yes, since fetching things like OTA updates is over HTTPS. The SO questions often say yes to the first and no to the rest if HTTPS is the only encryption used.
BUT what if you are using encryption to authenticate a user? Then it seems like it has to be yes to encryption and yes to this question:
Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?
Here is what I don't get. If this is the case for US-compliant mobile apps, do I need to report to US authorities if I deploy a web site that does the exact same type of authentication logic?
There is a lot of great material on how to build a good authentication system, but I have never come across a mention of
"BTW ☝️ don't forget to report to the US authorities that you authenticate your users with encryption"
First, IANAL, so take this as professional experience, not legal advice. There is no requirement to notify any specific US authority that you use encryption in your auth process. I suspect that these questions are asked because of the ITAR regulations that deem certain kinds of encryption to be "arms" and therefore not legally exportable from the US (discussion of ITAR and crypto here). Given you are already in (presumably legal) possession of whatever encryption scheme you are using, these rules do not apply to you. There may be more specific regulations if you have an affiliation with the military or intelligence agencies of the US or any other country.
When submitting an app that contains cryptography, I know there's a checkbox you must check, as well as a subsequent questionnaire you must answer. And if the app contains cryptography, you need to go through a complex Exporter Registration and Reporting process.
There are three specific cases I'm curious about:
1. Cryptocurrency wallets
One of the "exemption" clause says:
(ii) your app uses, accesses, implements or incorporates encryption for authentication only
Does this exempt the app from having to go through the complicated government approval process? Most cryptocurrency wallets only use cryptography for signatures and authentication, but I'm not sure how this applies to that case.
Simply put, do all Bitcoin wallet app developers have to get government approval before submitting the app?
2. End-to-End encrypted messaging apps
How about end-to-end encrypted chat apps? Do I have to go through the approval process?
I'm talking about apps like Signal and WhatsApp.
3. Does WKWebView + Webcrypto count?
What if I'm using WKWebView, which has access to the WebCrypto API (https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API), inside the app? Does this count as "contains encryption"?
From Apple's FAQ:
Use of encryption includes, but is not limited to:
Making calls over secure channels (i.e. HTTPS, SSL, and so on)
Using standard encryption algorithms
Using crypto functionality from other sources such as iOS or macOS
Using proprietary or non-standard encryption algorithms
You didn't specify the source of your "exemption", but I guess it is not from Apple's guidelines.
I would say that your cases are using encryption or crypto, so they are within the scope of these guidelines.
I found some more information here; maybe it will help you.
I'm building a new iOS app that needs the concept of who the user is logged in as. It seems my options are:
Build my own login system: make them enter an email, generate a password.
Use Facebook or Twitter accounts (or linkedin, google, etc.)
Use Apple ID?
Number 3 seems like a nice apple way but is that even supported? I'm logged in to my iPhone already in settings with my Apple ID. Could I use that?
My question is: it's 2017, what's the latest and greatest way to do this? I have a greenfield iOS app and can pick any authentication system I want. What say you, SO community? Thanks!
Authenticating on iOS
When building a login system for iOS it's important to remember that Apple demands that you support multiple login options for your app. You can't e.g. use only Facebook login or only Google login. A while ago I got this reply from Apple:
In order for Facebook to be the only authentication mechanism available, your app must include significant account-specific functionality from Facebook. Pulling profile information, or sharing, are not sufficient account-based features for Facebook to be the only authentication mechanism available.
So you will need to use e.g. a custom login plus a social media login, or several social media logins.
I have seen that a custom login (username + password) together with social media authentication is the most used practice. It often offers users one-click authentication and authorization. By using social media, you can get users' profile information without asking them for it.
Authentication mechanisms:
Facebook
Twitter/Fabric
Google
email/password(custom)
Framework:
Firebase
Facebook
Twitter/Fabric
Google
Parse(Discontinued)
Custom
What do I do?
For a small team or a single developer it's easy and fast to develop using Firebase as an authentication service. There's no need for another programming language than the one you write your apps in: Swift/Objective-C.
Firebase
Firebase is a mobile platform that helps you quickly develop high-quality apps, grow your user base, and earn more money. Firebase is made up of complementary features that you can mix-and-match to fit your needs
Firebase is a really great tool for building a login system for your app. It does all the backend services for you and supports login with Facebook, Google, Twitter, GitHub and email/password authentication.
But should you use an authentication mechanism in your app?
If your app doesn’t include significant account-based features, let people use it without a log-in. Apps may not require users to enter personal information to function, except when directly relevant to the core functionality of the app or required by law. If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism. Pulling basic profile information, sharing to the social network, or inviting friends to use the app are not considered core app functionality.
Ref.:
Number 3 seems like a nice apple way but is that even supported? I'm logged in to my iPhone already in settings with my Apple ID. Could I use that?
It could be a good approach, but Apple has no API/documentation for that. There is a unique identifier available on iOS devices, though it is not guaranteed that the UUID (unique identifier) will be the same after reboots and software reinstalls. (Can't find the source at the moment; can someone verify this?)
Apple does have a framework for using Touch ID, provided on iOS 8+, to authorize users logging into your app using the keychain. But this does not provide an authentication framework for your app.
There are third-party libraries that provide support for decrypting the Apple Pay token on the server side. Is there any such .NET library?
Third-party libraries
Ruby library for decrypting Apple Pay payment tokens
PHP library for decrypting Apple Pay payment tokens
What we're trying to accomplish
We're using the Compass XML platform for payment processing, and the goal is to decrypt the payment token on our server and then use Compass XML for the final payment processing.
I just pushed my work to GitHub. It uses the Bouncy Castle C# library to decrypt the token on the server side and works for both Android Pay and Apple Pay; please check it out.
https://github.com/chengbo/ApplePayAndroidPayDecryption
NOTE: Token verification for Apple Pay is not implemented yet.
I don't know of any .NET libraries specifically, but there are a number of implementations available on GitHub that you could take a look at. Here's another PHP one, for example: https://github.com/etsy/applepay-php
Payment decryption is fairly straightforward if you're familiar with crypto, and is achievable using something like OpenSSL. There's some documentation on the exact process here:
https://developer.apple.com/library/ios/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html
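The steps that document describes for an EC_v1 token, written out as an added example that is not from any of the answers above nor from the linked repositories: ECDH between the merchant's private key and the ephemeral public key in the token header, a NIST SP 800-56A concatenation KDF with SHA-256 and Apple's fixed OtherInfo (0x0D || "id-aes256-GCM", "Apple", SHA-256 of the merchant identifier), then AES-256-GCM with a 16-byte zero IV and the tag appended to the ciphertext. Python with the `cryptography` package is used because each step maps one-to-one onto Bouncy Castle or OpenSSL calls. The merchant key is freshly generated here as a stand-in for the Payment Processing certificate's key, the merchant identifier and the payment payload are constructed, and, as in the first answer's note, the PKCS#7 signature over the token is not verified; a production decryptor must do that before trusting the data.

```python
# Added example: Apple Pay EC_v1 token decryption per Apple's PaymentTokenJSON
# document. Not code from the original thread; signature verification omitted.
import base64
import hashlib
import json

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.concatkdf import ConcatKDFHash

# KDF OtherInfo fixed by Apple's spec: AlgorithmID || PartyUInfo || PartyVInfo,
# with AlgorithmID = 0x0D || "id-aes256-GCM", PartyUInfo = "Apple" and
# PartyVInfo = SHA-256(merchant identifier string).
ALGORITHM_ID = b"\x0d" + b"id-aes256-GCM"
PARTY_U_INFO = b"Apple"
GCM_IV = b"\x00" * 16  # Apple: 16-byte all-zero IV, no associated data


def spki_der(public_key):
    """X.509 SubjectPublicKeyInfo DER bytes, the encoding used in the token header."""
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def derive_symmetric_key(shared_secret, merchant_id):
    """NIST SP 800-56A concat KDF (counter || Z || OtherInfo hashed with SHA-256)."""
    other_info = ALGORITHM_ID + PARTY_U_INFO + hashlib.sha256(merchant_id.encode()).digest()
    kdf = ConcatKDFHash(algorithm=hashes.SHA256(), length=32, otherinfo=other_info)
    return kdf.derive(shared_secret)


def decrypt_token(token, merchant_private_key, merchant_id):
    """Return the decrypted payment data of an EC_v1 paymentData object as a dict."""
    if token.get("version") != "EC_v1":
        raise ValueError("only EC_v1 (elliptic-curve) tokens are handled here")
    header = token["header"]
    # publicKeyHash identifies which merchant certificate the token was encrypted to;
    # refuse to continue if it does not match the key we hold.
    my_hash = base64.b64encode(hashlib.sha256(spki_der(merchant_private_key.public_key())).digest()).decode()
    if header["publicKeyHash"] != my_hash:
        raise ValueError("token was not encrypted to this merchant key")
    ephemeral_pub = serialization.load_der_public_key(base64.b64decode(header["ephemeralPublicKey"]))
    shared_secret = merchant_private_key.exchange(ec.ECDH(), ephemeral_pub)
    key = derive_symmetric_key(shared_secret, merchant_id)
    # data = ciphertext || 16-byte GCM tag, exactly the layout AESGCM.decrypt expects
    plaintext = AESGCM(key).decrypt(GCM_IV, base64.b64decode(token["data"]), None)
    return json.loads(plaintext)


def encrypt_token_for_test(merchant_public_key, merchant_id, payment):
    """Constructed stand-in for Apple's side of the exchange so the example runs offline.
    The signature field is left empty; real tokens carry a PKCS#7 signature to verify."""
    ephemeral = ec.generate_private_key(ec.SECP256R1())
    key = derive_symmetric_key(ephemeral.exchange(ec.ECDH(), merchant_public_key), merchant_id)
    ciphertext = AESGCM(key).encrypt(GCM_IV, json.dumps(payment).encode(), None)
    return {
        "version": "EC_v1",
        "data": base64.b64encode(ciphertext).decode(),
        "signature": "",
        "header": {
            "ephemeralPublicKey": base64.b64encode(spki_der(ephemeral.public_key())).decode(),
            "publicKeyHash": base64.b64encode(hashlib.sha256(spki_der(merchant_public_key)).digest()).decode(),
            "transactionId": "0123456789abcdef",  # constructed
        },
    }


def roundtrip_demo():
    """Encrypt a constructed payload, decrypt it, and show the two failure modes:
    a wrong merchant ID derives a different key and fails the GCM tag check,
    a wrong merchant key is caught earlier by the publicKeyHash comparison."""
    merchant_key = ec.generate_private_key(ec.SECP256R1())  # stand-in for the real merchant key
    merchant_id = "merchant.com.example.shop"  # assumed identifier
    payment = {  # constructed sample payload
        "applicationPrimaryAccountNumber": "4111111111111111",
        "currencyCode": "840",
        "transactionAmount": 1999,
    }
    token = encrypt_token_for_test(merchant_key.public_key(), merchant_id, payment)
    decrypted = decrypt_token(token, merchant_key, merchant_id)
    try:
        decrypt_token(token, merchant_key, "merchant.com.other")
        wrong_id_rejected = False
    except InvalidTag:
        wrong_id_rejected = True
    try:
        decrypt_token(token, ec.generate_private_key(ec.SECP256R1()), merchant_id)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return decrypted == payment, wrong_id_rejected, wrong_key_rejected


if __name__ == "__main__":
    print(roundtrip_demo())
```

The merchant identifier used for PartyVInfo is the one in the Payment Processing certificate, not the display name, and the merchant private key must stay on the server that does the decryption; the `publicKeyHash` check is what lets a server holding several merchant certificates pick the right key before doing any ECDH.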
I got it working in C# by creating a fork of a project and cleaning it up.
Here is the Github location:
https://github.com/fscopel/CSharpApplePayDecrypter