I'm trying to submit an app to the App Store, but I got stuck on this question:
Does your app implement one or more encryption algorithms that are
proprietary or yet to be accepted as standard by international
standard bodies (such as, the IEEE, IETF, ITU, and so on)?
The only cryptography the app is using is for the API requests that go over HTTPS.
What is the correct answer (Yes/No) in my case?
See https://itunespartner.apple.com/en/apps/faq/Managing%20Your%20Apps_Trade%20Compliance and note that "just using https" would be covered under "An app uses or accesses only encryption algorithms provided in iOS or Mac OS for its security features".
So you would answer No to the specific question you are asking about.
Related
I am looking to develop my iOS application to communicate with the iXpand Flash Drive using the Lightning port. I am going to use the iXpand SDK for that. The flash drive is defined in Apple's public database. Do I need to be in the MFi Program to deploy the app on the App Store?
I can answer this well, as I have dealt with the same case:
You do not need an MFi license, as you are not the manufacturer of the
iXpand Flash Drive hardware.
The SDK does not communicate with Western Digital to get any information.
In my case, Apple did not ask for MFi details for iXpand. You may just need to provide hardware details for using the Lightning port.
Last but not least, we cannot be 100% sure about Apple's review process. They can accept or reject for any reason, but here you have a good chance of being accepted if you have a valid reason to use external hardware.
I am using base 64 bit encryption for encrypting the string while sending requests over the network in some web APIs.
Please let me know whether, in iTunes Connect, I should select yes for encryption.
Thanks in advance!!!
As long as you are sending encoded content over the network using iOS's Base64 encoding technique, you need to mark it as NO.
You are not using any encryption techniques like AES, DES, RSA, so you are not using encryption at all.
Base64 is not encryption; it is an encoding technique.
Question : Is your app designed to use cryptography or does it contain or incorporate cryptography?
Answer : "YES" to the question if your app is using encryption. Some
examples of encryption use include:
Making calls over secure channels (i.e. HTTPS, SSL, and so on)
Using standard encryption algorithms
Using crypto functionality from other sources such as iOS or macOS
Using proprietary or non-standard encryption algorithms
Answer “NO” if your app does not use, access, implement or incorporate
encryption.
Question : Does your app implement any standard encryption algorithms instead of, or in addition to, using or accessing the
encryption in Apple’s iOS or macOS?
Answer : "YES" to the question if your app implements industry standard algorithms such as AES, DES, RSA, and so on, instead of or in
addition to accessing or using the encryption algorithms available in
Apple’s iOS or macOS.
Answer “NO” if your app does not implement industry standard
algorithms instead of, or in addition to, accessing or using the
encryption algorithms available in Apple’s iOS or macOS.
For more information visit Q&A for iTunes Connect.
Update for comment about ATS:
NSAllowsArbitraryLoads
In iOS 10 and later, and macOS 10.12 and later, setting this key to the Boolean value YES disables App Transport Security (ATS), which may result in rejection of the application during App Store review.
Use of this key triggers App Store review and requires justification.
So it is recommended to use HTTPS server with TLSv1.2 support.
Enabling this key can also be useful for debugging and development.
NOTE: Disabling ATS allows connection regardless of HTTP or HTTPS
configuration, allows connection to servers with lower Transport Layer
Security (TLS) versions, and allows connection using cipher suites
that do not support perfect forward secrecy (PFS).
This key’s default value of NO results in default ATS behavior for all
connections except those for which you have specified an exception
domain dictionary.
I am wondering what is considered the most secure way of two apps exchanging data within Cocoa Touch env.
I am very much new in iOS development and swift development and I am just looking to explore another part of the OS capabilities.
I read about App Groups sharing a location (directory) where files can be exchanged but also about URL schemas between apps to share data.
Are there any other ways of inter-app data exchange? And which is considered the most secure one?
It depends on what you consider secure, but the iOS Keychain may fit your needs. The iOS Keychain is password protected and can be accessed by other applications that you authorize.
Take a look at the official Keychain Services Programming Guide and this article explaining how it works.
I need to develop some simple demonstration of an application reading a file over HTTPS and saving it to the local memory (internal or external) of an iOS device (e.g., an iPhone), in a way that it is only accessible to it. So, application-specific file encryption is required.
The "Advanced App Tricks" page of the Apple iOS Developer Library, in the "Protecting Data Using On-Disk Encryption" section, seems to imply that a file encrypted on disk, via either Default (i.e., iOS filesystem) or "Complete" Data Protection, would be accessible by all applications, after the user types the device's lock code.
If that is the case, could someone please suggest the best way of implementing file encryption per-application on an iOS device, with a password request when a user tries to open the file? Any sample code would also be very helpful.
Also, does "software encryption" apply to iOS anymore? Both Default and Data Protection encryption seem to be hardware-based.
Thanks!
Application files are not accessible between Apps. Each App is individually sandboxed.
In all cases the document is talking about the access available to "Your App". It is never accessible to another App. But see below. Some of the protection options help cover what and when "Your App" has access to the file when in the background.
Jailbroken iOS devices will have greater file system access, so adding "Data Protection" will protect from this vector.
See the document section on The iOS Environment, and particularly the section "The App Sandbox".
Hardware encryption: There are a few things that hardware encryption provides. 1. Speed. 2. The encryption method cannot be changed, that is, as with software encryption there is no code that could be compromised. 3. The key cannot be accessed. The key is in some manner placed/created in the hardware, and the hardware does not allow read access (there are occasionally very secure export capabilities). The device is asked to perform crypto functions on data and returns data. Examples of this are smart cards, HSMs, TPMs and TPM equivalents; the iPhone has a TPM equivalent, and that is used for the Keychain. By chance my wife and I were discussing this very topic yesterday. :-)
As far as I know, for encryption of bulk data, iOS does use special hardware instructions to aid AES encryption for speed, but that would not be considered hardware encryption due to the key being available in software. There is a little guessing here due to the lack of information about the Apple A-series ARM chips; it is true of the Intel chips in Macs.
We are submitting an update of our Adobe AIR created app to the Apple App Store. We wish to change our encryption status.
The app was created using AIR 3.7 and uses several Encrypted SQLite Databases and an SSL connection to our server. As a precaution we got the US BIS export notice when we first submitted the app, but during the submit process we received this notice from Apple:
French authorities have agreed to limit the regulatory approval requirements for Apple’s App Store apps that use, access, implement, or incorporate:
any encryption algorithm that is yet to be standardized by international standard bodies such as IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, etc. or not otherwise published; or
standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s) instead of or in addition to accessing or using the encryption in Apple OS
Consistent with the requirement, Apple will require you to upload a copy of your approved French declaration when you submit your app to the App Store if it meets the criteria described above.
So we decided to not publish to the French app store for our first release.
We would now like to publish to France, but I am not sure if we can state that our encryption is not in addition to accessing or using the encryption in Apple OS. I have found documentation that Encrypted Local Store uses Keychain, but not that Encrypted SQLite Database does, only that it uses AES encryption.
We do not want to apply for the French import declaration unless really necessary, as it seems like a terribly complex process, in French.
Does anyone know if Encrypted SQLite Database uses the encryption already there in iOS?
Quoting from Adobe's documentation, Considerations for using encryption with a database:
AIR database encryption uses the Advanced Encryption Standard (AES) with Counter with CBC-MAC (CCM) mode.
I can find no indication that it uses a platform-specific method on iOS.