3

This might not be a direct code question, but it's one that comes up frequently on SO and I find very useful to read.

  • App Store - Help answering “Missing Compliance” (using Expo + Firebase)
  • Does my application “contain encryption”?
  • ITSAppUsesNonExemptEncryption export compliance while internal testing?

I don't live in the US and therefore don't navigate freely in their legal system or stay up to date with changes. But using American products and platforms like the Apple App Store means that I have to comply with the national rules and policies.

There is this one thing about encryption compliance whenever I submit to the App Store. It always asks me if I'm using encryption. The answer is yes - since fetching things like OTA updates is over HTTPS. The SO questions often go: yes to the first and no to the rest if HTTPS is the only encryption used.

BUT what if you are using encryption to authenticate a user? Then it seems like it has to be yes to encryption and yes to this question:

Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?


Here is what I don't get. If this is the case for US-compliant mobile apps - do I need to report to US authorities if I deploy a web site that does the exact same type of authentication logic?

There is a lot of great material on how to build a good authentication system - but I have never come across a mention of

"BTW ☝️ don't forget to report to the US authorities that you authenticate your users with encryption"

Norfeldt
  • 8,272
  • 23
  • 96
  • 152
  • *...do I need to report to US authorities if I deploy a web site...* This question is probably off-topic for stackoverflow but I would assume the answer is no. A website is not an export in the sense of the word used here. However, and one of the reasons this question is likely off-topic, this is a legal question and I am not a lawyer. – President James K. Polk Oct 02 '20 at 16:35
  • 1
    I agree that it's a grey area towards off-topic - it's still very relevant for all developers that do authentication and launch products for the US market – Norfeldt Oct 02 '20 at 16:38
  • Sorry, but I sincerely miss the point. If I've understood well, you are trying to deploy an app that is merely a container of web content and not a native one. Is this right? – Massimo Pavanel Oct 09 '20 at 05:38
  • @MassimoPavanel yes, it could be a mobile app that is a web container, built with React Native, or just purely native. You do authentication on the client side (which would be the mobile itself) and you then decide to port it to a pure web version (PWA) that authenticates exactly the same way*. The mobile version has to be reported to US Auth. according to what Apple App Store says. But what about the web version that is deployed to AWS, netlify etc..??? *native code would be written in JS but the encryption techniques (like SHA256) would be the same – Norfeldt Oct 09 '20 at 06:45
  • I think that the app via web or the native app build, when presented via App Store, must conform to the Apple security criteria even if totally server side. It's your responsibility to do that, and if it isn't the app can be kicked in no time and your developer account trashed with it. There are many discussions about this meaning and sincerely I think that Apple will do something about it in a short time (mass ban? who knows). Same thing for Google side. – Massimo Pavanel Oct 09 '20 at 07:48
  • But what if I decide to remove an app from these stores and deploy to the web only - would I then also have to report to US authorities that I'm using encryption to authenticate my users? – Norfeldt Oct 09 '20 at 07:52
  • I'm voting to close this question because it is about legal issues. – Peter O. Nov 10 '20 at 22:29
  • I understand your vote @PeterO. since this is a grey-area question. But what benefits does a close serve? Is it to signal that these types of questions don't belong here? To serve some statistical benefit? Or something else? I wouldn't mind hearing others' answers to my topic but don't want to keep it open if it ruins something for some of you. – Norfeldt Nov 10 '20 at 22:44

1 Answer

3

First, IANAL, so take this as professional experience, not legal advice. There is no requirement to notify any specific US authority that you use encryption in your auth process. I suspect that these questions are asked because of the ITAR Regulations that deem certain kinds of encryption to be "arms" and therefore not legally exportable from the US (Discussion of ITAR and Crypto here). Given you are already in (presumably legal) possession of whatever encryption scheme you are using, these rules do not apply to you. There may be more specific regulations if you have an affiliation with the military or intelligence agencies of the US or any other country.

Adam McCormick
  • 1,654
  • 18
  • 22
  • Thank you very much for your answer. Do you have any knowledge of whether this requirement from Apple has been there from day one of the App Store or if it occurred later in correspondence to some events (like the time Apple refused to expose a backdoor in order to get information about a terrorist, or when cryptocurrency became popular, etc.)? – Norfeldt Oct 11 '20 at 06:26
  • Again, it’s oriented to American publishers. There are laws that apply within the country that don’t apply to foreign businesses or people. – Adam McCormick Oct 12 '20 at 07:04