Is your app designed to use cryptography?

In my software I use a encrypted sqlite database for users measure data.

Now I want to upload the software into the Mac App Store an are ask the following questions:

1. Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available in iOS or OS X.)
Yes
No

2. Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?

The first answer should be yes but the second one?

Bad news. Apple is probably going to require an encryption registration with BIS for your app. One approach to this whole problem, especially if you are not US based, is to offer non-encrypted data version of the app on the MAS and an encrypted data version on your website. Directing traffic to your site and sorting out who gets updates is, of course, a massive PITA.

But here’s something to consider… Built with Xojo, your hypothetical app that uses SQLite with no encryption may still have all the code needed to do the encryption in the plugins that accompany the app. The whole export control thing is a giant farce to begin with, and Apple taking it upon themselves to enforce the rule is laughable. But it is what it is if you want to sell in the MAS.

Thanks for the answer.

I only want to prevent, that the user manipulates his own data and corrupts the database.

I have no idea how to do that without encryption.

I remember reading a post from a member that went through the same questions before and reported his app got accepted.
See https://forum.xojo.com/9934-encryption-in-mac-app-store-apps apparently Horst Jehle was able to upload.

Microsoft and Google do the same in their app stores.

[quote=93896:@Michel Bujardet]Microsoft and Google do the same in their app stores.
[/quote]

Actually, in the Google Play Store, there is a checkbox which acknowledges compliance, and a link to an explanation which screams “blow this off unless your lawyers tell you otherwise”. There is also an option to not re-export (US sales only), which negates any need to get an export license or comply with anything.

By contrast, the MAS seems to be requiring having the license on file if you answer the questions honestly.

Brad and Michel,

thanks to both of you. My software should belong to one of the exemptions.

It is really laughable, to not beeing able to generally make the application less attackable by securing the data. If Apple really wanted, they can have a store and servers here in europe, asia, or everywhere else, to make software development and deployment easier and more secure.

So I think Apple is not really interessted in it.

Why bother encrypting the data then, just keep a MD5 (or other) check-sum against the specific data you dont want the user to mess with and then do a check when you read in the data or when you app starts. This way you can answer no to the encrypt question.

With this you might run into an issue where the user tries to manipulate it and then is rejected when the checksum doesn’t match. That’s no fun at all as I just spend two hours fixing my Dad’s burning monkey solitaire preferences because you can actually get that game to launch if you turn the launch video off, but the preferences aren’t very easy to manipulate yourself, and I kept running into “Preferences validation error.”

From a user standpoint it’s a usability issue, but it’s a viable workaround to the encryption export headaches.

Put the file in AppData. Users usually don’t go there (it’s hidden by default).

Yes, thanks that could be a solution for this app. The data are already in the sandboxed AppData folder.

For my next app, I’m going to buy datasets from third party, so the user can work with them in the app. This data sets I have to protect from beeing copied. I could better sleep, when I do it with technical state of the art functionality, which means encryption.