MAS HTTPS, Encryption - export compliance ?

  1. 7 weeks ago

    Olivier C

    May 22 Testers, Xojo Pro Europe (Belgium, France)

    Hi,

    I’m preparing a macOS app for submission to the MAS and have a question about « Encryption ».

    My app is doing API calls (GET/POST) for sending emails (Mailjet) and uses https.

    In « Features / Encryption » it says:

    If your build doesn’t use encryption, specify this in the target properties table in Xcode. Learn More

    In App Store Connect Help:

    Use of encryption includes, but is not limited to:
    - Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    - ...

    Does that mean that using HTTPSocket with secure connection (https) to call APIs POST/GET is considered as Making calls over secure channels ??

    I hope not !

    Thanks for enlightening me.

  2. Christian S

    May 22 Testers, Xojo Pro, XDC Speakers, Third Party Store Germany

    HTTPSocket is old code and doesn't so SSL.

    The new URLConnection does do use SSL/TLS.

  3. Olivier C

    May 22 Testers, Xojo Pro Europe (Belgium, France)

    I mean Xojo.Net.HTTPSocket , which is secure when url uses https.

  4. Christian S

    May 22 Testers, Xojo Pro, XDC Speakers, Third Party Store Germany

    That us NSURL* classes and so you may need to use App Transport Security settings.

    see
    https://blog.xojo.com/2018/12/14/app-transport-security-on-macos/

  5. Olivier C

    May 22 Testers, Xojo Pro Europe (Belgium, France)

    @ChristianSchmitz App Transport Security settings.

    This seems to be for apps not able to use https and wanting to communicate with http.

    My problem is not to use https, it works fine.
    My problem is that if I declare that I’m using HTTPS, here is what MAS says:

    It is your responsibility to comply with export regulations, and you should revisit these questions if your encryption or exemption status changes. If your encryption and exemption eligibility stay the same, specify this in the target properties table in Xcode. 
    App Uses Non-Exempt Encryption : No

    and

    If you are making use of ATS or making a call to HTTPS, you are required to submit a year-end self classification report to the US government.

    If this is the way to go I don’t think I’ll submit to MAS.

    This process is not simple (I found this ) and certainly not worth the time spent.

  6. Beatrix W

    May 22 Testers, Third Party Store Europe (Germany)

    Nobody does that. Otherwise, everyone would have whined before.

  7. Sascha S

    May 22 Testers, Xojo Pro Germany, Lower Saxony
    Edited 7 weeks ago

    Set this to Yes only if your App uses encryption that’s exempt from export compliance requirements and this does not apply to the use of the HTTPS Protocoll.

    Source: https://developer.apple.com/documentation/bundleresources/information_property_list/itsappusesnonexemptencryption

    [Update] - Things seem to have changed since i stopped dev for macOS/iOS...
    Maybe this may help you a bit: https://help.apple.com/app-store-connect/#/dev88f5c7bf9 and https://help.apple.com/app-store-connect/#/dev63c95e436

  8. Olivier C

    May 22 Testers, Xojo Pro Europe (Belgium, France)

    @SaschaSchneppmueller Things seem to have changed since i stopped dev for macOS/iOS...

    Sasha, that’s exactly what I was mentioning in previous messages.
    Maybe @Sam R has an opinion.

  9. Beatrix W

    May 22 Testers, Third Party Store Europe (Germany)

    The question is still: does anyone do what is in the links from Sascha? I checked a couple of applications and none have the plist entries for encryption.

  10. Tim P

    May 22 Testers, Xojo Pro Rochester, NY

    Well it's in plain wording, not even legalese.

    Use of encryption includes, but is not limited to:
    Making calls over secure channels (i.e. HTTPS, SSL, and so on).

    It does feel new, but I haven't submit anything to the MAS that uses the internet.

  11. Sam R

    May 22 Testers, Xojo Pro, Third Party Store Hengchun, Pingtung, Taiwan

    AFAIK, you only need to worry if you use encryption that the US Gov doesn't like. If you use the functionality supplied by the OS you should be fine.

    I say should, because there are many who have/do and don't have a problem, but you can't use that argument if your application gets rejected. If a reviewer thinks you've broken the rules, you've broken the rules until you can prove that you haven't.

    All out apps feature a system that uses the Xojo sockets (can't recall which ones) to periodically connect via https to our server and check for new information. Again, it's doesn't mean that a reviewer who doesn't like you app can't create problems for you.

  12. 6 weeks ago

    Jeremie L

    May 24 Testers, Xojo Pro, XDC Speakers, MVP Europe (France) - packr.app

    If you are only using the system provided encryption such as https, sqlite encrypted databases and so on you shouldn't really bother about that.

    Add this in your plist file and AppStore connect won't ask about encryption again :

      <key>ITSAppUsesNonExemptEncryption</key>
            <false/>
  13. @Jeremie:

    sqlite encrypted databases

    Actually in these days I was going to submit to MAS a new desktop app containing a readOnly sqlite encrypted databases, and I was musing about the reviewer's reaction to it.

    Should I add the plist-snippet you provided?
    <key>ITSAppUsesNonExemptEncryption</key>
    <false/>

    Thanks

  14. Jeremie L

    May 25 Testers, Xojo Pro, XDC Speakers, MVP Europe (France) - packr.app

    From my experience with iOS apps, setting the plist entry mentioned in previous post is ok when using sqlite encryption.

    But there is a big difference between iOS app reviews and Mac app reviews. For iOS, I believe the first reviewer does not have access to the app's content. It is only if the app needs a deeper review that they have tools to download the app bundle onto a Mac and have a closer look to the files. But I may be mistaken.

    When reviewing a Mac app, the reviewer can look into the app bundle and take a closer look to every file.

  15. Olivier C

    May 25 Testers, Xojo Pro Europe (Belgium, France)

    Thank you all for your opinions.
    I’ll post again when the app is submitted to the MAS and let you know.

    I’ll have to wait for an answer to my other post , without it I won’t be able to submit the app anyway.

or Sign Up to reply!