What answer to testFlight encryption four questions ?


Post by jmburnod » Fri Dec 08, 2017 8:07 pm

Hi All,
Sorry for this large post, but it concerns everyone who wants to use TestFlight and iTunes Connect.
My app is a free app which uses https to download files from a server and an external command (sunnytext2speech).
I understand that means I have to answer Yes to the first question.
If I answer Yes, I have to answer four other questions.
Is there someone who can answer these questions? (my answer is after each question)
Thanks in advance
Jean-Marc
What are export regulations and why do I need to comply with them?
If you distribute an app that uses, accesses, contains, implements, or incorporates encryption on Apple's App Store internationally, this is considered an export of encryption software, and is therefore subject to U.S. export and other country import compliance requirements. 
Use of encryption includes, but is not limited to:
• Making calls over secure channels (i.e. HTTPS, SSL, and so on)
• Using standard encryption algorithms
• Using crypto functionality from other sources such as iOS or macOS
• Using proprietary or non-standard encryption algorithms
Apple cannot provide you with legal advice pertaining to your app, services, or reporting obligations. The information in iTunes Connect and discussed below should not be considered as such. If you have questions about your legal obligations, consult an attorney.
Why do I have to answer Export Compliance questions?
Currently, all apps distributed through the App Store for iOS and Mac go through encryption review. All apps are uploaded to Apple servers in the United States, which means that your app is exported from the United States and, consequently, is subject to U.S. export laws. This requirement applies to all developers who distribute apps on the App Store, even if you distribute your app(s) only within your own country.
Where can I learn more about the export laws?
To learn more about the encryption export controls, visit the U.S. Department of Commerce, Bureau of Industry and Security (BIS) Encryption Policy page. The Government of France also controls the import and export of encryption apps distributed in France. For more information about these French controls, visit their English web page. If you have specific questions related to French Import Declarations, contact the component French authorities at controle@ssi.gouv.fr.
What do I need to do to distribute my app, that uses encryption, on the App Store?
Before you can distribute your app on the App Store, you must complete the export compliance questionnaire on iTunes Connect. To begin the questionnaire:
• Go to the Encryption section under Features in My Apps.
• Click the plus sign next to the appropriate platform section.
• Answer the questions and attach the compliance documents when prompted.
• Click Save.

How do I answer each of the export compliance questions?
There are five questions designed to guide you through Apple’s export compliance review process. Depending on whether your app meets the criteria outlined below, you may only be required to submit answers for some of the questions.
Question 1: Is your app designed to use cryptography or does it contain or incorporate cryptography?
Answer "YES" to the question if your app is using encryption. Some examples of encryption use include:
• Making calls over secure channels (i.e. HTTPS, SSL, and so on)
• Using standard encryption algorithms
• Using crypto functionality from other sources such as iOS or macOS
• Using proprietary or non-standard encryption algorithms
Answer “NO” if your app does not use, access, implement or incorporate encryption.
 
YES, my app uses HTTPS
Question 2: Does your app meet any of the following:
• Qualifies for one or more exemptions provided under category 5 part 2
• Use of encryption is limited to encryption within the operating system (iOS or macOS)
• Only makes call(s) over HTTPS
• App is made available only in the U.S. and/or Canada
There are several exemptions available in the U.S. export regulations that release apps from compliance obligations if the app is using low level encryption or using encryption for specific purposes. Visit the “What items are removed from encryption controls?” page published by the BIS to determine if your app’s use of encryption is exempted from the compliance requirements.
All liabilities associated with misinterpretation of the export regulations or claiming exemption inaccurately are your responsibility.
Answer "YES" to the question if your app meets any of the following criteria:
• Your app is only using the encryption within the operating system (iOS or macOS). Please note that you will be responsible for submitting a self-classification report at the end of the year. See below for more information about self-classification reports.
• Your app’s use of encryption is limited to making calls over HTTPS. Please note that you will be responsible for submitting a self-classification report at the end of the year.
• Your app uses, accesses, implements or incorporates encryption for authentication only.
• Your app uses, accesses, implements or incorporates encryption with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112 bit elliptic curve.
• Your app is a mass-market product with key lengths not exceeding 64 bits symmetric, or if no symmetric algorithms, not exceeding 768 bits asymmetric and/or 128 bits elliptic curve. Please review Note 3 in Category 5 Part 2 to understand the criteria for mass-market definition.
• Your app is specially designed and limited for banking use or ‘money transactions.’ The term ‘money transactions’ includes the collection and settlement of fares or credit functions.
• The source code of your app is "publicly available,” your app is distributed free of cost to the general public, and you have met the notification requirements provided under 742.15 (b).
• Your app is specially designed for medical end-use. The BIS considers “specially designed for medical end-use” to mean designed for medical treatment or the practice of medicine (does not include medical research).
• Your app qualifies for Note 4 exemption. Please visit BIS’s guidance for more information on Note 4 exemptions.
Answer “NO” if your app does not qualify for any exemptions provided by BIS. 
I would say Yes but I'm lost about exceptions
https://bis.doc.gov/index.php/policy-gu ... to-the-ear
Question 3: Does your app implement any encryption algorithms that are proprietary or yet-to-be-accepted as standards by international standard bodies (IEEE, IETF, ITU, and so on)?
The U.S. Government defines "non-standard cryptography" as any implementation of "cryptography" involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body ( e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.
Some examples of non-standard encryption include: 
• WAPI
• Any encryption algorithm designed, developed and implemented from ground up by your company or your vendor and is not otherwise published is another example of "non-standard cryptography.”
Answer "YES" to the question if your app implements or provides "non-standard cryptography.”
If your answer to question 3 is “YES," Apple requires you to upload a CCATS approval document from the U.S. government before your app can be distributed outside of the U.S.
Answer “NO” if your app does not implement or provide "non-standard cryptography.”
 
NO
Question 4: Does your app implement any standard encryption algorithms instead of, or in addition to, using or accessing the encryption in Apple’s iOS or macOS?
Answer "YES" to the question if your app implements industry standard algorithms such as AES, DES, RSA, and so on, instead of or in addition to accessing or using the encryption algorithms available in Apple’s iOS or macOS. 
Answer “NO” if your app does not implement industry standard algorithms instead of, or in addition to, accessing or using the encryption algorithms available in Apple’s iOS or macOS.  
NO, because if I understand correctly (some doubts assail me), https, which uses RSA, is implemented natively in iOS
Question 5: Are you releasing your app in France? Answer "YES" to the question if you plan to distribute your app in France. Please note that, if your app reaches this point and if you answer "YES" this question, you must submit an Import Declaration approval from French ANSSI authorities. 
YES, I have to "submit an Import Declaration approval from French ANSSI authorities".
http://www.ssi.gouv.fr/en/regulation/cr ... plication/


Post by LCMark » Sat Dec 09, 2017 9:15 am

@jmburnod: If your app does not use the encrypt/decrypt commands and you are not doing any encryption in LiveCode Script but you are using HTTPS then your answers look correct.

i.e.

Question 1: YES - your app is using HTTPS
Question 2: YES - Your app’s use of encryption is limited to making calls over HTTPS. Please note that you will be responsible for submitting a self-classification report at the end of the year.
Question 3: NO - your app does not implement or provide "non-standard cryptography.”
Question 4: This depends on what internet library you are using as there are three available HTTPS implementations in LiveCode on iOS:
1) tsNet - uses system functionality - answer NO
2) Internet Library - uses LiveCode's HTTPS functionality which uses OpenSSL and not system encryption - answer YES
3) Built-in liburl emulation - uses iOS native HTTPS APIs - answer NO
Question 5: YES - assuming you are distributing your app in France.

Hope this helps!

Mark.


Post by jmburnod » Sat Dec 09, 2017 1:12 pm

@Mark,
Thanks a lot for explanations,
Best regards
Jean-Marc


Post by jmburnod » Mon Dec 11, 2017 7:24 pm

Good news,
Apple has simplified the attestation request for encryption.
Only two questions now
And I was very glad to answer "Yes my app doesn't need it" two times :D
Best regards
Jean-Marc


Post by jmburnod » Wed Dec 13, 2017 10:32 am

Hi All,
There are now only two questions about encryption, and
the French government changed its law about it on Monday, 11 December 2017 :D
If you use only https as encryption, you don't need attestation about encryption.
Best regards
Jean-Marc
