
AES-256 encryption & Apple iTunes export restrictions

I have a really big problem.

I developed 3 applications, 2 for iOS and 1 for Mac OS X, to encrypt files using RNCryptor (which is a CCCryptor (AES encryption) wrapper). The applications were rejected twice, and they sent this to me in the Resolution Center (twice):

----- PLA 2.3 -----

We found that your Application Description states that it encrypts data.

However, your app does not have Export Compliance, which does not comply with the iOS Developer Program License Agreement, as required by the App Store Review Guidelines.

Section 2.3 of the iOS Developer Program License Agreement specifies,

"You certify that (i) none of the Licensed Applications contains, uses or supports any data encryption or cryptographic functions; or (ii) in the event that any Licensed Application contains, uses or supports any such data encryption or cryptographic functionality, You will, upon request, provide Apple with a PDF copy of Your Encryption Registration Number (ERN), or export classification ruling (CCATS) issued by the United States Commerce Department, Bureau of Industry and Security and PDF copies of appropriate authorizations from other countries that mandate import authorizations for that Licensed Application, as required."

Please review your app's encryption ability, and when resubmitting your binary, check the appropriate answers to the questions in the Export Compliance section of iTunes Connect. You may be asked some follow-on questions to determine the level of encryption in your app; you may also be asked to provide a copy of your CCATS.

If you have questions related to export compliance and your app's use of encryption, please contact the App Store Export Compliance team at [email protected].

  1. The first time, I said "YES" to the cryptography question and followed the rest of the questions.
  2. The second time, I thought that maybe, because RNCryptor uses the built-in SDK encryption, I have to reply "NO", but the app was rejected again.

I think that for now I have to register my application for encryption (a "CCATS" or a "SNAP-R") according to this article, but it can take a month or more for my request to be accepted (or not).

My questions are:

  1. Using CCCryptor (with RNCryptor), do I have to deliver a copy of the encryption certificate to Apple, or am I missing something else?
  2. If YES, how can I accelerate the process (I'm not in the USA)?
  3. In the end, Apple asks: "Are you releasing your product in France?" Do they mean that my company is in France, or that the application will be sold in the French store?
  4. How can I get the certification for France? Is there an online form like the USA certification, or do we have to go to the administration in France to get one?
Red Mak asked Jan 05 '13 08:01



2 Answers

How can I get the certification for France? Is there an online form like the USA certification, or do we have to go to the administration in France to get one?

In order to make your app available in France via the App Store, you must obtain a French Declaration via a separate application process. We paid a law firm $2000 to file the paperwork to receive the French declaration as France is an important market for our app.

Below is Apple's March 2014 response when we selected "World" as our app's intended distribution. "World" includes France so our app was rejected even though we had obtained our USA ERN. So, don't select France if you already have your USA ERN but don't care to distribute in France.

Hello.

Thank you for submitting your app to the AppStore.

Currently, your app is pending "Export Compliance Review" as a result of answers provided to questions about your application's use of cryptography.

You indicated that you are not intending to release in France. However, elsewhere in the submission process, you marked your App's intended distribution as "World".

In order to release your App from the current hold, we require that you take steps to comply with French import regulations.

FRENCH REGULATORY REQUIREMENTS

French authorities have agreed to limit the regulatory approval requirements for Apple’s App Store apps that use, access, implement, or incorporate:

• any encryption algorithm that is yet to be standardized by international standard bodies such as IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, etc. or not otherwise published; or
• standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s) instead of or in addition to accessing or using the encryption in Apple OS

Consistent with the requirement, Apple will require you to upload a copy of your approved French declaration when you submit your app to the App Store if it meets the criteria described above.

IF YOU DO NOT INTEND TO RELEASE YOUR APP IN FRANCE

We need you to explicitly remove France from your App's list of countries for distribution.

Please go to the pricing metadata page and uncheck France:

PastedGraphic-1.tiff

Send us an email when you've done that, and we will then be able to release your app from the Export Compliance review stage.

IF YOU DO INTEND TO RELEASE YOUR APP IN FRANCE

Follow the above steps so that we can release your App from its current hold.

Then, once you have obtained the French declaration, email a copy to us, go re-check France, and let us know that you've done that. This will allow us to release your App for worldwide distribution including France.

Relevant French encryption regulations can be found at:

http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000005789847&dateTexte=#LEGIARTI000006421577
http://www.ssi.gouv.fr/en/regulation/cryptology/

Sunday answered Sep 27 '22 02:09


You will have to do the CCATS/SNAP-R procedure. The problem is that Apple's servers are in the States and you ship your application back to Europe. And yes, in our case it took about 3 weeks to get it all done.

Now for your questions:

Using CCCryptor (with RNCryptor), do I have to deliver a copy of the encryption certificate to Apple, or am I missing something else?

No, you don't need to deliver any certificates or code to Apple.

If YES, how can I accelerate the process (I'm not in the USA)?

Start the process today... it's the only thing that helps.

In the end, Apple asks: "Are you releasing your product in France?" Do they mean that my company is in France, or that the application will be sold in the French store?

Apple is asking in what stores you will sell: only France, Europe, worldwide.

How can I get the certification for France? Is there an online form like the USA certification, or do we have to go to the administration in France to get one?

I don't think they have a translation; you will just have to do the online forms and fill in the long question list.

Good Luck,

Frank answered Sep 24 '22 02:09