Encryption Export Regulations. Why should mobile developers care?

Julia Mezher

June 10, 2021

Transcript

  1. Encryption Export Regulations
    Julia Potapenko
    Why should mobile developers care?

  2. Security Software Engineer
    @julepka
    We help companies to protect their
    sensitive and valuable data.

  3. … disclaimer: I am not a lawyer,
    and this is not legal advice …

  4. App Distribution

  5. App Distribution
    App
    App Store
    or
    Google Play
    Upload

  6. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers

  7. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute

  8. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export

  9. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export
    US
    Export
    Regulations.

  10. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export
    US Encryption
    Export
    Regulations.

  11. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export
    US Encryption
    Export
    Regulations.
    Import

  12. Do I have encryption in my app?

  13. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but is not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.

  14. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but is not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    Less headache

  15. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but is not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    More headache
    Less headache

  16. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but is not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    More headache
    Less headache
    File and send a required report

  17. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but is not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    More headache
    Less headache
    File and send a required report
    You’ll need legal help

  18. Annual self-classification report
    How? – Send the report as an attachment to BIS and ENC emails
    What? – A specific CSV-formatted file
    Where? – See the official website for correct emails
    When? – No later than Feb 1 of the following year
    https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification

  19. Report Example
    PRODUCT NAME: Awesome App!
    MODEL NUMBER: 1.10.2
    MANUFACTURER: SELF / Tom Smith Inc.
    ECCN: 5D992.c
    AUTHORIZATION TYPE: MMKT
    ITEM TYPE: Mobility and mobile applications n.e.s.
    SUBMITTER NAME: Tom Smith
    TELEPHONE NUMBER: (222) 123-4567
    E-MAIL ADDRESS: [email protected]
    MAILING ADDRESS: 123 Smith St. Washington DC 22032
    NON-U.S. COMPONENTS: N/A
    NON-U.S. MANUFACTURING LOCATIONS: N/A
    https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675

  20. Report Example
    PRODUCT NAME: Awesome App!
    MODEL NUMBER: 1.10.2
    MANUFACTURER: SELF / Tom Smith Inc.
    ECCN: 5D992.c
    AUTHORIZATION TYPE: MMKT
    ITEM TYPE: Mobility and mobile applications n.e.s.
    SUBMITTER NAME: Tom Smith
    TELEPHONE NUMBER: (222) 123-4567
    E-MAIL ADDRESS: [email protected]
    MAILING ADDRESS: 123 Smith St. Washington DC 22032
    NON-U.S. COMPONENTS: N/A
    NON-U.S. MANUFACTURING LOCATIONS: N/A
    https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675
    Commonly used values
    Update with your info

  21. Apple Guide
    Informs you when you submit a build.
    Explains export regulations in simple language across multiple pages.
    Requires extra review if you have custom encryption.

  22. Apple Guide
    Informs you when you submit a build.
    Explains export regulations in simple language across multiple pages.
    Requires extra review if you have custom encryption.
    Google Guide
    Single page of “it depends” information.

  23. Useful links
    BIS official guide: https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification
    BIS official example: https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675
    eCFR official instructions: https://www.ecfr.gov/cgi-bin/retrieveECFR?gp=1&SID=4150cfbf028e9a85574385383a581f47&h=L&mc=true&n=pt15.2.742&r=PART&ty=HTML#ap15.2.742_119.6

  24. Useful links
    Our experience: https://docs.cossacklabs.com/themis/regulations/us-crypto-regulations/
    Apple guide: https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Google guide: https://support.google.com/googleplay/android-developer/answer/113770?hl=en
    Wikipedia: https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States

  25. Thank you!
    @julepka
    Photo by Lukas Blazek
    https://unsplash.com/@goumbik
