Encryption Export Regulations. Why should mobile developers care?

Transcript

1. Encryption Export Regulations
   Julia Potapenko
   Why should mobile developers care?
   

   View Slide

2. Security Software Engineer
   @julepka
   We help companies to protect their
   sensitive and valuable data.
   

   View Slide

3. … disclaimer: I am not a lawyer,
   and this is not legal advice …
   

   View Slide

4. App Distribution
   

   View Slide

5. App Distribution
   App
   App Store
   or
   Google Play
   Upload
   

   View Slide

6. App Distribution
   App
   App Store
   or
   Google Play
   Upload
   🇺🇸
   US Servers
   

   View Slide

7. App Distribution
   App
   App Store
   or
   Google Play
   Upload
   🇺🇸
   US Servers
   🌍
   Distribute
   

   View Slide

8. App Distribution
   App
   App Store
   or
   Google Play
   Upload
   🇺🇸
   US Servers
   🌍
   Distribute = Export
   

   View Slide

9. App Distribution
   App
   App Store
   or
   Google Play
   Upload
   🇺🇸
   US Servers
   🌍
   Distribute = Export
   US
   Export
   Regulations.
   

   View Slide

10. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export
    US Encryption
    Export
    Regulations.
    

    View Slide

11. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export
    US Encryption
    Export
    Regulations.
    Import
    

    View Slide

12. Do I have encryption in my app?
    

    View Slide

13. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    

    View Slide

14. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    Less headache
    

    View Slide

15. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    More headache
    Less headache
    

    View Slide

16. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    More headache
    Less headache
    File and send a required report
    

    View Slide

17. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    More headache
    Less headache
    File and send a required report
    You’ll need legal help
    

    View Slide

18. Annual self-classification report
    How? – Send the report as an attachment to BIS and ENC emails
    What? – A specific CSV-formatted file
    Where? – See the official website for correct emails
    When? – No later than Feb 1 of the following year
    https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification
    

    View Slide

19. Report Example
    PRODUCT NAME: Awesome App!
    MODEL NUMBER: 1.10.2
    MANUFACTURER: SELF / Tom Smith Inc.
    ECCN: 5D992.c
    AUTHORIZATION TYPE: MMKT
    ITEM TYPE: Mobility and mobile applications n.e.s.
    SUBMITTER NAME: Tom Smith
    TELEPHONE NUMBER: (222) 123-4567
    E-MAIL ADDRESS: [email protected]
    MAILING ADDRESS: 123 Smith St. Washington DC 22032
    NON-U.S. COMPONENTS: N/A
    NON-U.S. MANUFACTURING LOCATIONS: N/A
    https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675
    

    View Slide

20. Report Example
    PRODUCT NAME: Awesome App!
    MODEL NUMBER: 1.10.2
    MANUFACTURER: SELF / Tom Smith Inc.
    ECCN: 5D992.c
    AUTHORIZATION TYPE: MMKT
    ITEM TYPE: Mobility and mobile applications n.e.s.
    SUBMITTER NAME: Tom Smith
    TELEPHONE NUMBER: (222) 123-4567
    E-MAIL ADDRESS: [email protected]
    MAILING ADDRESS: 123 Smith St. Washington DC 22032
    NON-U.S. COMPONENTS: N/A
    NON-U.S. MANUFACTURING LOCATIONS: N/A
    https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675
    Commonly used values
    Update with your info
    

    View Slide

21. Apple Guide
    Informs you when you submit
    a build.
    Explains export regulations
    in a simple language in
    multiple pages.
    Requires extra review if you
    have custom encryption.
    

    View Slide

22. Apple Guide Google Guide
    Informs you when you submit
    a build.
    Explains export regulations
    in a simple language in
    multiple pages.
    Requires extra review if you
    have custom encryption.
    Single page of “it depends”
    information.
    

    View Slide

23. Useful links
    BIS official guide: https://www.bis.doc.gov/index.php/policy-guidance/
    encryption/4-reports-and-reviews/a-annual-self-classification
    BIS official example: https://www.bis.doc.gov/index.php/component/docman/?
    task=doc_download&gid=1675
    ECFP official instructions: https://www.ecfr.gov/cgi-bin/retrieveECFR?
    gp=1&SID=4150cfbf028e9a85574385383a581f47&h=L&mc=true&n=pt15.2.742&r=PART
    &ty=HTML#ap15.2.742_119.6
    

    View Slide

24. Useful links
    Our experience: https://docs.cossacklabs.com/themis/regulations/us-crypto-
    regulations/
    Apple guide: https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Google guide: https://support.google.com/googleplay/android-developer/
    answer/113770?hl=en
    Wikipedia: https://en.wikipedia.org/wiki/
    Export_of_cryptography_from_the_United_States
    

    View Slide

25. Thank you!
    @julepka
    Photo by Lukas Blazek
    https://unsplash.com/@goumbik
    

    View Slide