
My app uses the Apple Push Notification service to receive pushes from my server. Question one of attempting to add an app to the app store:

Is your product designed to use cryptography or does it contain or incorporate cryptography?

Which is a yes, directly because of their push service generating and distributing keys.

Followed by:

Does your product qualify for any of the exemptions provided in Category 5 part 2?

You are responsible for the proper classification of your product; make certain that it meets the criteria of the exemption (listed here). Otherwise you may be in violation of the US export laws and could be subjected to penalties including delisting of your app from App Store. Please go through the FAQ page thoroughly before attempting to answer the question.

You can answer "YES" to question #2, if the encryption in your app is: (a) is specially designed for medical end-use; (b) is limited to intellectual property or copyright protection; (c) is limited to authentication, digital signature or the decryption of data or files; (d) is specially designed and limited for banking use or 'money transactions'; (e) is limited to “fixed” data compression or coding techniques; or (f) if your app meets the descriptions provided in Note 4 to Category 5 Part 2.

And, honestly, I don't know how Apple presents you with the device tokens. Possible exception could fall under the (c) clause but I don't know how Apple uses their encryption. Their docs say "an accredited and encrypted IP connection" is established but not how it's used. Or it could fall under the (e) clause but they don't document what their encryption method is. Their FAQ (you'll need an iTunes Connect account to see it) lists these encryption methods for the exception:

(iii) your app uses, accesses, implements or incorporates encryption with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112 bit elliptic curve

(iv) your app is a mass market product with key lengths not exceeding 64 bits symmetric, or if no symmetric algorithms, not exceeding 768 bits asymmetric and/or 128 bits elliptic curve.

Which I don't understand, though I would expect Apple to conform to something like that?

Also possible is:

(vi) the source code of your app is “publicly available”, your app distributed at free of cost to general public, and you have met the notification requirements provided under 740.13.(e).

Which is cited by Urban Airship as a reason using their service qualifies as an exception along with the key length. But... Apple is anything but open source.

How did you guys approach this?

Jeremy
  • Caveat: I am not a lawyer (IANAL). However, I've heard (and it makes sense to me) that this question is primarily geared around code that is NOT provided by Apple that is contained in your app. Don't know if this is true, but it seems reasonable to me. And in this interpretation, the answer would be 'no'. – Paul Dardeau Jan 30 '14 at 22:44
  • This is not the right place to ask, but as long as you don't make encryption available to your users you should not worry overly much. – Maarten Bodewes Jan 30 '14 at 22:47
  • This is most certainly the right place to ask because there is nowhere else lol. This question (http://stackoverflow.com/q/2135081/1709073) says SSL connections fall under a "use of encryption", and APS certainly uses SSL to get keys and the notifications from their service and to your app, but that is all the SSL in my app. – Jeremy Jan 30 '14 at 22:52
  • Ask yourself the question: Am I encrypting anything? Unless you are explicitly encrypting something or using a 3rd party library that is encrypting something, the answer _should_ be No. Note hash functions such as MD5 and SHA are not encryption. Finally the caveat: Ask a lawyer and, as Sergeant Schultz used to say: "I know nothing". – zaph Jan 31 '14 at 03:00
  • I don't explicitly encrypt anything, but using the Apple Push Notification server (I suppose that is considered 3rd party?) does. To set it up you need a certificate and key, and the key is used to decrypt data (tokens and notifications) from Apple's server - https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW13 – Jeremy Jan 31 '14 at 04:26
  • Do you never communicate directly with your server so this question actually matters? If you do communicate, you'll need to use SSL to secure it and you'll need to go through the export hoops anyways. – CodesInChaos Jan 31 '14 at 09:30
  • If the server uses encryption, that does not count; it is not done on the iOS device. The issue is Apple distributing your code via the App Store that is doing encryption--the app. If you use SSL to communicate with the server, that is using encryption and seems to require a YES. Interestingly, there are several other ways encryption is used in an app: saving passwords/keys in the keychain, and using `NSDataWritingFileProtection*`. Notice that Apple is sidestepping use of the word encryption, yet that is what is happening. – zaph Jan 31 '14 at 13:49
  • This question appears to be off-topic because it belongs on crypto.stackexchange.com – Thomas M. DuBuisson Jan 31 '14 at 17:15
  • Why would it belong in crypto? The argument is not whether cryptography is being used, it is, or about the cryptography methodology in play. It is a question about the effect of coding use of the push service provided by APPLE on APPLE's Export Compliance agreement and how other people in the SO community approached it. – Jeremy Jan 31 '14 at 21:51

1 Answer


Is your product designed to use cryptography or does it contain or incorporate cryptography?

The key here is "your product" ... Your app did not design APNS, Apple did, and you simply implement their protocol.

Using Apple's Push Notification Service is not 3rd party hence does not apply as a cryptographic method that applies here since at the end of the day, they control it entirely and can revoke access at any time.

Unless you have other cryptography in your app, you can safely answer "No."

Nick
  • It makes no difference who designed the code; it is the usage on the device that counts. What happens on the server does not matter because that code is not being exported in the App. It is all about export controls of "munitions" and Apple is the exporter. There are very serious ramifications of violating export controls and Apple is the exporter, so they have to ensure the apps they sell for the developer are not in violation. – zaph Jan 31 '14 at 14:05
  • But it is DESIGNED to USE apns which uses cryptography. The server code is not being exported, but the device decrypts data supplied by the server with regards to a key supplied at the creation of the device token on the device and that is exported. Apple explicitly states that they are not responsible for registering credentials of apps to the export authorities. It is my app with code to use their service and so use of THEIR decryption falls under MY product responsibility – Jeremy Jan 31 '14 at 21:42