Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is my application using encryption (only keychain)?

In my application i'm using iOS keychain to store password, that's all. What should I answer on 2 questions about "Export Compliance — Encryption" at iTunes Connect?

  1. Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available in iOS or OS X.) Yes/No
  2. Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations? Yes/No
like image 381
Vasily Avatar asked Apr 18 '15 12:04

Vasily


People also ask

Do all iOS apps use encryption?

The answer to this question is simply YES. We should select yes option even if we only used 'https' to connect to the server and did not use any other standard encryptions in our app, because Apple consider https as a standard encryption itself. When should I select 'No' option?

Is Apple keychain encrypted?

Overview. Keychain items are encrypted using two different AES-256-GCM keys: a table key (metadata) and a per-row key (secret key).

What is a keychain in iOS?

iCloud Keychain remembers things, so that you don't have to. It autofills your information—like your Safari and app usernames and passwords, passkeys, credit card information and security codes, and Wi-Fi passwords on any device that you approve.

What is the private key in keychain?

The private key is used to decrypt, as well as to encrypt, so using it for symmetric encryption requires a key exchange to share that key securely with trusted parties authorized to exchange secured data. Cryptographic software is usually used to automate this process.


1 Answers

Relevant bits as of mid 2015:

https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items

This describes encryption export stuff. One of the important things in this is "Note 4".

https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three

Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:

(a) The primary function or set of functions is not any of the following:
     (1) "Information security";
     (2) A computer, including operating systems, parts and components therefor;
     (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
          management or medical records management); or
     (4) Networking (includes operation, administration, management and provisioning);
(b) The cryptographic functionality is limited to supporting their primary function or set of functions; and
(c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporters
     country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.

But then there's this:

http://www.bis.doc.gov/index.php/policy-guidance/encryption/encryption-faqs

Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:   

    Consumer applications.  Some examples:
    piracy and theft prevention for software or music;
    music, movies, tunes/music, digital photos  players, recorders and organizers
    games/gaming  devices, runtime software, HDMI and other component interfaces, development tools
    LCD TV, Blu-ray / DVD, video on demand (VoD), cinema, digital video recorders (DVRs) / personal video recorders (PVRs)  devices, on-line media guides, commercial content integrity and protection, HDMI and other component interfaces (not videoconferencing);
    printers, copiers, scanners, digital cameras, Internet cameras  including parts and sub-assemblies
    household utilities and appliances

So to sum up: if your application's main function is not cryptography, and you're using cryptography just for transmitting game info or just for logging in, your app will not be controlled by export law.

But I'm not a lawyer, and if you're really worried about it, consult one. Apple divests themselves of any responsibility for checking this. If you say "no" and you're wrong, it's your problem, not theirs.

like image 178
Almo Avatar answered Sep 30 '22 02:09

Almo