Encryption Export Regulations. Why should mobile developers care?

Transcript

1. Encryption Export Regulations Julia Potapenko Why should mobile developers care?

2. Security Software Engineer @julepka We help companies to protect their

   sensitive and valuable data.

3. … disclaimer: I am not a lawyer, and this is

   not legal advice …

4. App Distribution

5. App Distribution App App Store or Google Play Upload

6. App Distribution App App Store or Google Play Upload 🇺🇸

   US Servers

7. App Distribution App App Store or Google Play Upload 🇺🇸

   US Servers 🌍 Distribute

8. App Distribution App App Store or Google Play Upload 🇺🇸

   US Servers 🌍 Distribute = Export

9. App Distribution App App Store or Google Play Upload 🇺🇸

   US Servers 🌍 Distribute = Export US Export Regulations.

10. App Distribution App App Store or Google Play Upload 🇺🇸

    US Servers 🌍 Distribute = Export US Encryption Export Regulations.

11. App Distribution App App Store or Google Play Upload 🇺🇸

    US Servers 🌍 Distribute = Export US Encryption Export Regulations. Import

12. Do I have encryption in my app?

13. Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of

    encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms.

14. Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of

    encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms. Less headache

15. Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of

    encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms. More headache Less headache

16. Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of

    encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms. More headache Less headache File and send a required report

17. Do I have encryption in my app? https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Use of

    encryption includes, but not limited to: • Making calls over secure channels (i.e. HTTPS, SSL, and so on). • Using standard encryption algorithms. • Using crypto functionality from other sources such as native libraries. • Using proprietary or non-standard encryption algorithms. More headache Less headache File and send a required report You’ll need legal help

18. Annual self-classification report How? – Send the report as an

    attachment to BIS and ENC emails What? – A specific CSV-formatted file Where? – See the official website for correct emails When? – No later than Feb 1 of the following year https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification

19. Report Example PRODUCT NAME: Awesome App! MODEL NUMBER: 1.10.2 MANUFACTURER:

    SELF / Tom Smith Inc. ECCN: 5D992.c AUTHORIZATION TYPE: MMKT ITEM TYPE: Mobility and mobile applications n.e.s. SUBMITTER NAME: Tom Smith TELEPHONE NUMBER: (222) 123-4567 E-MAIL ADDRESS: tom.smith@email.com MAILING ADDRESS: 123 Smith St. Washington DC 22032 NON-U.S. COMPONENTS: N/A NON-U.S. MANUFACTURING LOCATIONS: N/A https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675

20. Report Example PRODUCT NAME: Awesome App! MODEL NUMBER: 1.10.2 MANUFACTURER:

    SELF / Tom Smith Inc. ECCN: 5D992.c AUTHORIZATION TYPE: MMKT ITEM TYPE: Mobility and mobile applications n.e.s. SUBMITTER NAME: Tom Smith TELEPHONE NUMBER: (222) 123-4567 E-MAIL ADDRESS: tom.smith@email.com MAILING ADDRESS: 123 Smith St. Washington DC 22032 NON-U.S. COMPONENTS: N/A NON-U.S. MANUFACTURING LOCATIONS: N/A https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675 Commonly used values Update with your info

21. Apple Guide Informs you when you submit a build. Explains

    export regulations in a simple language in multiple pages. Requires extra review if you have custom encryption.

22. Apple Guide Google Guide Informs you when you submit a

    build. Explains export regulations in a simple language in multiple pages. Requires extra review if you have custom encryption. Single page of “it depends” information.

23. Useful links BIS official guide: https://www.bis.doc.gov/index.php/policy-guidance/ encryption/4-reports-and-reviews/a-annual-self-classification BIS official example:

    https://www.bis.doc.gov/index.php/component/docman/? task=doc_download&gid=1675 ECFP official instructions: https://www.ecfr.gov/cgi-bin/retrieveECFR? gp=1&SID=4150cfbf028e9a85574385383a581f47&h=L&mc=true&n=pt15.2.742&r=PART &ty=HTML#ap15.2.742_119.6

24. Useful links Our experience: https://docs.cossacklabs.com/themis/regulations/us-crypto- regulations/ Apple guide: https://help.apple.com/app-store-connect/#/dev88f5c7bf9 Google

    guide: https://support.google.com/googleplay/android-developer/ answer/113770?hl=en Wikipedia: https://en.wikipedia.org/wiki/ Export_of_cryptography_from_the_United_States

25. Thank you! @julepka Photo by Lukas Blazek https://unsplash.com/@goumbik