I am uploading a build of my app, and apple is asking if it uses encryption. I'm not sure if AdMob or Firebase counted as encryption and if I needed to follow the ERN process. Thank you.
I am not a lawyer, and this is not legal advice.
Based on this article, it sounds like you should.
All communications with Google and Firebase through Google-provided SDKs use the SSL libraries provided by Apple to communicate with their respective services. If you're making requests to AdMob and retrieving ad images, your communicating over an encrypted channel.
I reviewed google privacy policy and it said: "We use encryption to keep your data private when it is moved"
https://policies.google.com/privacy#infosecurity
Firebase:
Data encryption
For the collected end-user data listed on this page, Firebase encrypts the data in transit using HTTPS.
https://firebase.google.com/docs/android/play-data-disclosure
AdMob:
All of the user data collected by Google Mobile Ads SDK is encrypted in transit using the Transport Layer Security (TLS) protocol.
https://developers.google.com/admob/android/play-data-disclosure
Related
When submitting an app that contains cryptography, I know there's a checkbox you must check, as well as subsequent questionnaire you must answer. And if the app contains cryptography you need to go through complex Exporter Registration and Reporting process.
There are three specific cases I'm curious about:
1. Cryptocurrency wallets
One of the "exemption" clause says:
(ii) your app uses, accesses, implements or incorporates encryption for authentication only
Does this exempt the app from having to go through all the complicated government approval process? Most cryptocurrency wallets only use cryptography for signatures and authentication, but I'm not sure how this applies to this case.
Simply put, do all Bitcoin wallet app developers have to get government approval before submitting the app?
2. End-to-End encrypted messaging apps
How about end-to-end encrypted chat apps? Do I have to go through the approval process?
I'm talking apps like Signal and whatsapp.
3. Does WKWebView + Webcrypto count?
What if I'm using WKWebView which contains access to webcrypto API https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API inside the app, does this count as "contain encryption"?
From Apple FAQ:
Use of encryption includes, but is not limited to:
Making calls over secure channels (i.e. HTTPS, SSL, and so on)
Using standard encryption algorithms
Using crypto functionality from other sources such as iOS or macOS
Using proprietary or non-standard encryption algorithms
You didn't specify source of your "exemption", but I guess it is not from Apple guidelines.
I would say that your cases are using encryption or crypto so are in scope of this guidelines.
I found some more informations here - maybe will help you.
Basically, I'm using Firebase authentication SDK in my iOS app to provide secure login to users and trying to upload the app to TestFlight. Upon upload, I'm seeing this question below that asks if the app uses cryptography but then there are exceptions where some cryptography algorithms are exempted? Please advise on how to answer in regards to using Firebase Auth SDK.
Thank you!
"Is your product designed to use cryptography or does it contain or incorporate cryptography?
Please answer “YES” to the question even if your app uses or accesses encryption from another source, e.g., iOS or Mac OS X.
If your application does not use, access, implement or incorporate encryption, you can answer “NO” to this question and you can continue with the process of uploading your binary.
If your application does use, access, implement or incorporate encryption, it may be necessary to submit confirmation of approval by the United States Government and an approval from French authorities if your app is going to be distributed in France."
The Firebase Auth SDK does not currently make use of cryptography on the client. The SDK is now open source on github, please feel free to take a look at the source code.
https://github.com/firebase/firebase-ios-sdk
In my IOS application i am using google analytics, is it necessary to tell the app users that we using google analytics.
Is it necessary to show the google analytics primary policy in App.
Please help me.
From the App Store Review Guidelines
3.12 Apps should have all included URLs fully functional when you submit it for review, such as support and privacy policy URLs
In section 3.12: It specify that when you submit your application than you must have to include privacy policy URL. That does not mean that you need to show a separate page in application to show privacy policies.
Personally as a mobile user I have never seen privacy policy page of any analytics in application so far.
Also from Google Analytics Protocol SDK Policy you have to take care of following points.
Measurement Protocol / SDK / User ID Policy
All applications using the Measurement Protocol / SDKs / User ID must adhere to the following policies:
You must make sure you have the full rights to use this service, to upload data, and to use it with your Google Analytics account.
You will give your end users proper notice about the implementations and features of Google Analytics you use (e.g. notice about what data you will collect via Google Analytics, and whether this data can be connected to other data you have about the end user). You will either get consent from your end users, or provide them with the opportunity to opt-out from the implementations and features you use.
If you use an SDK to implement any Google Analytics Advertising Features, such as Audience Reporting or Remarketing, you will abide by the Policy for Google Analytics Advertising Features, in addition to the Google Play Developer Program Policies, or any other applicable policy.
You will not upload any data that allows Google to personally identify an individual (such as certain names, Social Security Numbers, email addresses, or any similar data), or data that permanently identifies a particular device (such as a unique device identifier if such an identifier cannot be reset), even in hashed form.
If you upload any data that allows Google to personally identify an individual, your Google Analytics account can be terminated, and you may lose your Google Analytics data.
Does the SDK for Google Analytics uses SSL, and thus would need an encryption approval letter for use in an iPhone app?
In case their is any confusion, Apple does require an export compliance letter for SSL
It appears to be a NO. How did I arrive at this conclusion? first I found that for Google Analytics to use SSL, it has to send all data to the https: version of google's server. See: https://www.sslshopper.com/article-enable-ssl-for-google-analytics.html . Then I found a blog post where someone monitored google analytics' connection(s) through iOS, and it wasn't using https:.
See: Monitor Google Analytics requests on an iPhone Application and http://jordan.broughs.net/archives/2012/07/monitoring-google-analytics-for-ios.
I'd like to make use of the Google Geocoding Json api (http://maps.google.com/maps/api/geocode/json?address=%#&sensor=false) in my iOS app, but I don´t find if the use of this URL has any restrictions and/or this may be rejected when submitted to App Store.
Thanks in advance
There are some restrictions, read the documentation in particular the Usage Limits and Maps API Terms of Service License Restrictions.
This would not be a problem for the app store. Apple does not restrict what geocode service you can use.
First thing I noticed is you are using Non-secure URL to access google geocode API, which will give no data from Google side.
Second thing, Apple has rollout some guideline during WWDC 2016 to use always secure URL if you want to access it withing from APP please check out the link so there are chances about maybe they found you are using non-secure link to communicate with web service, and your application will be rejected from Apple.
We are using Google GeoCode and reverse Geocode API within Unity using C# HTTPWebRequest class with the Secure link. our app pass out through Apple Review