Encryption Export Regulations. Why should mobile developers care?

Julia Potapenko

June 10, 2021

Transcript

  1. Encryption Export Regulations. Why should mobile developers care? Julia Potapenko

  2. Security Software Engineer, @julepka. We help companies to protect their sensitive and valuable data.
  3. … disclaimer: I am not a lawyer, and this is not legal advice …
  4. App Distribution

  11. App Distribution (diagram): App → Upload → App Store or Google Play (🇺🇸 US Servers) → Distribute 🌍. Distribute = Export: US Encryption Export Regulations. Import.
  12. Do I have encryption in my app?

  17. Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9

    Use of encryption includes, but not limited to:

    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.

    Slide annotations: More headache. Less headache. File and send a required report. You’ll need legal help.
  18. Annual self-classification report

    • How? – Send the report as an attachment to BIS and ENC emails
    • What? – A specific CSV-formatted file
    • Where? – See the official website for correct emails
    • When? – No later than Feb 1 of the following year

    https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification
  20. Report Example

    • PRODUCT NAME: Awesome App!
    • MODEL NUMBER: 1.10.2
    • MANUFACTURER: SELF / Tom Smith Inc.
    • ECCN: 5D992.c
    • AUTHORIZATION TYPE: MMKT
    • ITEM TYPE: Mobility and mobile applications n.e.s.
    • SUBMITTER NAME: Tom Smith
    • TELEPHONE NUMBER: (222) 123-4567
    • E-MAIL ADDRESS: tom.smith@email.com
    • MAILING ADDRESS: 123 Smith St. Washington DC 22032
    • NON-U.S. COMPONENTS: N/A
    • NON-U.S. MANUFACTURING LOCATIONS: N/A

    https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675

    Slide annotations: Commonly used values. Update with your info.
  22. Apple Guide and Google Guide

    • Apple Guide: Informs you when you submit a build. Explains export regulations in a simple language in multiple pages. Requires extra review if you have custom encryption.
    • Google Guide: Single page of “it depends” information.
  23. Useful links

    • BIS official guide: https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification
    • BIS official example: https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675
    • eCFR official instructions: https://www.ecfr.gov/cgi-bin/retrieveECFR?gp=1&SID=4150cfbf028e9a85574385383a581f47&h=L&mc=true&n=pt15.2.742&r=PART&ty=HTML#ap15.2.742_119.6
  24. Useful links

    • Our experience: https://docs.cossacklabs.com/themis/regulations/us-crypto-regulations/
    • Apple guide: https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    • Google guide: https://support.google.com/googleplay/android-developer/answer/113770?hl=en
    • Wikipedia: https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States
  25. Thank you! @julepka Photo by Lukas Blazek https://unsplash.com/@goumbik