When submitting an app to the iOS App Store, one is required to declare whether the app "contains encryption" (and, as I understand, go through additional administrative hurdles).
Does anyone know of any guidance on what precisely is covered by the term "encryption" in this context?
Are they referring to:
Specifically, I was intending to use some weak scheme to protect some of the app's assets against a casual hacker, e.g. by XORing the data from the file with a string of bytes generated from a (non-cryptographic) random number generator. If you like, it would be a "one time pad", but where the key isn't actually cryptographically random: just random enough so that somebody looking to steal the data would need to go to a small amount of effort beyond 'just copying the data out of the file'.
So, for the purposes of the declaration, would this count as using "encryption" even though it's not actually a cryptographically secure form of encryption? What I'm doing is common enough practice that I'm guessing other developers have submitted apps using such a procedure: did you have to declare the app as using encryption?
(The iTunes Connect Guide, for example, doesn't give any further specification on this matter.)
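The scheme described in the question, written out as an added example (not code from the original post) to show why it is obfuscation and not encryption: the keystream is reproducible from a seed that ships with the app, and it is exposed wherever the plaintext is predictable, such as a file header. The LCG constants, the seed and the sample asset are assumptions made for the illustration.

```python
# Added illustration: XOR obfuscation with a seeded, non-cryptographic generator.
# The LCG constants, seed and sample asset are assumptions, not from the post.

PNG_MAGIC = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])


def keystream(seed: int, length: int) -> bytes:
    """Bytes from a 32-bit linear congruential generator (not cryptographic)."""
    state = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(length):
        state = (1664525 * state + 1013904223) & 0xFFFFFFFF
        out.append(state >> 24)  # use the high byte; low LCG bits have short periods
    return bytes(out)


def xor_obfuscate(data: bytes, seed: int) -> bytes:
    """XOR data with the keystream; applying it twice restores the input."""
    return bytes(d ^ k for d, k in zip(data, keystream(seed, len(data))))


def keystream_from_known_prefix(obfuscated: bytes, known_prefix: bytes) -> bytes:
    """Keystream bytes exposed wherever the plaintext is predictable."""
    return bytes(c ^ p for c, p in zip(obfuscated, known_prefix))


# Constructed sample asset: a PNG signature followed by placeholder bytes.
SAMPLE_ASSET = PNG_MAGIC + b"constructed placeholder image body"
SEED = 0x5EED  # shipped inside the app binary, so it is not a secret

if __name__ == "__main__":
    blob = xor_obfuscate(SAMPLE_ASSET, SEED)
    print("stored bytes differ from asset:", blob != SAMPLE_ASSET)
    print("round trip restores asset:", xor_obfuscate(blob, SEED) == SAMPLE_ASSET)
    leaked = keystream_from_known_prefix(blob, PNG_MAGIC)
    print("keystream visible from file header:", leaked == keystream(SEED, 8))
```

Assets that need real confidentiality call for an authenticated cipher from the platform's crypto library with a key that is not embedded next to the data.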
App Uses Non-Exempt Encryption: No
If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government. Export laws require that products containing encryption must be properly authorized for export.
HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL).
Typically, the use of encryption that's built into the operating system—for example, when your app makes HTTPS connections using URLSession—is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not.
The answer to this question is simply YES. We should select the yes option even if we only used 'https' to connect to the server and did not use any other standard encryption in our app, because Apple considers https a standard encryption itself.
This flow chart will probably help you get on the right track. It indicates that if the encryption is limited to copyright protection / intellectual property then it is exempt from the review. I got to this flow chart from the BIS homepage. That page is referenced by the FAQ entitled World Wide Trade Compliance for the App Store in iTunes Connect, which states you can claim exemption:
(i) if you determine that your app is not classified under Category 5, Part 2 of the EAR based on the guidance provided by BIS
Hope this helps clear things up a bit.
EDIT: Another interesting section is this; you can claim exemption if:
(iii) your app uses, accesses, implements or incorporates encryption with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112 bit elliptic curve