Does RSA encryption affect export compliance? - ios

I am using https://github.com/ideawu/Objective-C-RSA this library to encrypt some data using a public key.
Current live app is already using https for all calls. I am confused as to how will my answers on export compliance change on version update?
Also, do I need to add export compliance documentation on itunes connect?
Additional details:
I am using only encryption from the library.
Then the encrypted string is sent to server. The backend server is responsible for decryption using private key.
The encryption is NOT for authentication purpose. It is used send sensitive data to server

Turns out my use case was falling under the money transactions category. As per the export guidelines, this category is allowed to use cryptographic algos.
All I had to do is mark "Yes" to the below questions during submission.
As per FAQ on iTunes Connect:
Does your product qualify for any exemptions provided under category 5 part 2?
(v) your app is specially designed and limited for banking use or ‘money transactions.’ The term ‘money transactions’ includes the collection and settlement of fares or credit functions.

Related

(Always) report to US authorities when using encryption to authenticate users?

This might not be a direct code question, but it's one that comes up frequently on SO and I find very useful to read.
App Store - Help answering “Missing Compliance” (using Expo + Firebase)
Does my application “contain encryption”?
ITSAppUsesNonExemptEncryption export compliance while internal testing?
I don't live in the US and therefore don't navigate freely in their law system or stays up to date with changes. But using american products and platforms like the Apple App Store means that I have to comply with the national rules and policies.
There is this one thing about encryption compliance whenever I submit to the app store. It always ask me if I'm using encryption. The answer is yes - since fetching like OTA updates are https. The SO questions are often so yes to the first and no to the rest if https is the only encryption used.
BUT what if you are using encryption to authenticate a user. Then it seems like it has to be yes to encryption and yes to this question:
Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?.
Here is what I don't get. If this is the case for US compliant mobile apps - do I need to report to US authorities if I deploy a web site that do the exact same type of authentication logic
There is a lot of great material on how to build a good authentication system - but have never come across a mention of
"BTW ☝️ don't forget to report to the US authorities that you authenticate your users with encryption"
First IANAL, so take this a professional experience, not legal advice. There is no requirement to notify any specific US authority that you use encryption in your auth process. I suspect that these questions are asked because of the ITAR Regulations that deem certain kinds of encryption to be "arms" and therefor not legally exportable from the US (Discussion of ITAR and Crypto here) given you are already in (presumably legal) possession of whatever encryption scheme you are using, these rules do not apply to you. There may be more specific regulations if you have an affiliation with the military or intelligence agencies of the US or any other country.

iOS - Store credit/debit card in encrypted form on server from ios app and decrypt it from the app again. How can I manage it most securely?

I have static key in my iOS application. By using that key I am encrypting credit/debit cards and sends it to server for future use. And I am using same key for decryption of card.
Now I can't use dynamic key by any key generation algorithm as I want to decrypt my card later on. So, Every time I require same key.
So, My question is how should I store my key or where I should store my key as it'll be most secure? or Can I manage this stuff by generating dynamic key every time? If yes then how?
Many iOS applications like Amazon, Uber etc are storing the card information in their server! How they people are managing this stuff?
Any help will be appreciated! Thanks!
If you need to ask this question then you are already breaking PCI compliance. Your customers credit card information should never touch your server, encrypted or otherwise. Most payment gateways handle this for you. There is very little reason why you should be doing this yourself.
If you do need to handle this yourself, and there are very few cases where you do, simply symmetrically encrypting the card information in your app is not the way to do it. Literally anyone who can download your app can decrypt other customers credit card information.
The correct approach would be to transport card information to your server secured with TLS, then encrypting and storing the key information in a HSM server side. If you can't manage this, then you are not PCI compliant and will be legally responsible.
If your business operates, or has service available to customers in the EU, then you could suffer very heavy fines for poor handling of consumer credit card information.

IOS App Encryption

I am about to submit a new Sales app to the Apple App Store.
The users need to send their sales data to their head office daily.
To do this the app zips the sales data and attaches the zipped file to an email. This zipped file is encrypted for security, and will only be used by the head office.
Would my app be regarded by Apple as containing encryption when I submit it to the App Store ?
The Apple Developer Program License Agreement states that, when distributing your app,
You certify that (i) none of the Licensed Applications contains, uses
or supports any data encryption or cryptographic functions; or (ii) in
the event that any Licensed Application contains, uses or supports any
such data encryption or cryptographic functionality, You certify that
You have complied with the United States Export Administration
Regulations, and are in possession of, and will, upon request, provide
Apple with a PDF copy of Your Encryption Registration Number (ERN), or
export classification ruling (CCATS) issued by the United States
Commerce Department, Bureau of Industry and Security and PDF copies of
appropriate authorizations from other countries that mandate import
authorizations for that Licensed Application, as required.
So in order to comply with Apple's guidelines you must select that your app does utilize encryption on iTunes Connect if you are encrypting something inside of your app.

Criteria for "Contain Encryption" restriction for App Store approval

When submitting an app that contains cryptography, I know there's a checkbox you must check, as well as subsequent questionnaire you must answer. And if the app contains cryptography you need to go through complex Exporter Registration and Reporting process.
There are three specific cases I'm curious about:
1. Cryptocurrency wallets
One of the "exemption" clause says:
(ii) your app uses, accesses, implements or incorporates encryption for authentication only
Does this exempt the app from having to go through all the complicated government approval process? Most cryptocurrency wallets only use cryptography for signatures and authentication, but I'm not sure how this applies to this case.
Simply put, do all Bitcoin wallet app developers have to get government approval before submitting the app?
2. End-to-End encrypted messaging apps
How about end-to-end encrypted chat apps? Do I have to go through the approval process?
I'm talking apps like Signal and whatsapp.
3. Does WKWebView + Webcrypto count?
What if I'm using WKWebView which contains access to webcrypto API https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API inside the app, does this count as "contain encryption"?
From Apple FAQ:
Use of encryption includes, but is not limited to:
Making calls over secure channels (i.e. HTTPS, SSL, and so on)
Using standard encryption algorithms
Using crypto functionality from other sources such as iOS or macOS
Using proprietary or non-standard encryption algorithms
You didn't specify source of your "exemption", but I guess it is not from Apple guidelines.
I would say that your cases are using encryption or crypto so are in scope of this guidelines.
I found some more informations here - maybe will help you.

swift3 - How to protect secret key

I am new of iOS swift 3 development. Now, I am working on a project which needs encryption, message authentication code(MAC) and Hashed-base-MAC. These algorithms require secret keys. I know that it is a bad practice to hard-code the keys inside the code, like:
let key = "secretkeyabc123"
Searched and read some articles like:
In iOS, how can I store a secret "key" that will allow me to communicate with my server?
Since other people may perform reverse engineering, I am finding a way to protect my keys. Requirements:
No hash the key. Time allows to crack it, or with hashed table and dictionary
May not connect to Internet (My app. is an offline app. If your answer needs to connect to Internet. Yes, please point it out. I will think about it)
It is a static key. It may change monthly
It is a symmetry key.
Codes, concept or other things are welcome. Thanks!
Don't store the key at all. Perform a Diffie-Hellman key exchange to start an asymmetrically encrypted channel, and use this channel to send across a symmetric key to the client, which can be used for subsequent client use.
Check iCloud Keychain (based on your tags [ios], [swift], [key]).
It functions as a secure database that allows information including a user's website login passwords, Wi-Fi network passwords, credit/debit card management (though without CVV), and other account data, to be securely stored for quick access and auto-fill on webpages and elsewhere when the user needs instant access to them. They are always stored encrypted using 256-bit AES encryption, are stored on device and pushed from iCloud between devices, and only available on a user's trusted devices.

Resources