Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Encryption Export Regulations. Why should mobile developers care?

Julia Potapenko
June 10, 2021
Programming
0
120

Encryption Export Regulations. Why should mobile developers care?

Julia Potapenko

June 10, 2021
Tweet

More Decks by Julia Potapenko

See All by Julia Potapenko
Crypto wallets security: for developers
julep
0
1.8k
React Native Security
julep
0
300
Why can't developers make it secure?
julep
0
260
The Art of Secure Architecture
julep
0
510
Common iOS Vulnerabilities and How to Fix Them
julep
1
1.7k
React Native Security
julep
0
230
Secure Authentication. Are you sure you do it right?
julep
1
590
Making Authentication More Secure
julep
0
310
Touch ID and Face ID. Is It Secure?
julep
1
420

Other Decks in Programming

See All in Programming
CSC308 Lecture 26
javiergs
PRO
0
110
改めて整理するWebアプリのビルド・デプロイの基本【コンテナ編】
os1ma
1
140
Larastan に自作 OSS ライブラリのテストをぶっ壊された話
mpyw
0
110
新社会人でも活躍したい!〜新卒1年目で活躍するためのコツ〜
ogijun2018
1
270
PHP8によるデザインパターン入門 / Introduction to Design Patterns with PHP8
fendo181
1
240
UICollectionView Compositional Layout
usamik26
0
180
がんばらない個人開発
natsumican63
1
120
結合テストの自動化にQAはどうかかわっていったか
nagworld
0
130
DevRel/Japan 2023 - 1つの事業部だけで行う DevRel とは
hcrane
0
290
コルーチンのエラーをテストするためのTips / Tips for testing Kotlin Coroutine errors
tkmnzm
0
150
Recon Slides by Anon_Y0gi
y0gi
0
210
K/NとNSKeyedArchiverと私
ryunen344
0
170

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Typedesign – Prime Four
hannesfritz
34
1.6k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
6
910
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Support Driven Design
roundedbygravity
88
8.9k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
Building Applications with DynamoDB
mza
86
5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
19k
The World Runs on Bad Software
bkeepers
PRO
59
5.8k
Designing with Data
zakiwarfel
91
4.2k

Transcript

  1. Encryption Export Regulations
    Julia Potapenko
    Why should mobile developers care?

    View Slide

  2. Security Software Engineer
    @julepka
    We help companies to protect their
    sensitive and valuable data.

    View Slide

  3. … disclaimer: I am not a lawyer,
    and this is not legal advice …

    View Slide

  4. App Distribution

    View Slide

  5. App Distribution
    App
    App Store
    or
    Google Play
    Upload

    View Slide

  6. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers

    View Slide

  7. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute

    View Slide

  8. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export

    View Slide

  9. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export
    US
    Export
    Regulations.

    View Slide

  10. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export
    US Encryption
    Export
    Regulations.

    View Slide

  11. App Distribution
    App
    App Store
    or
    Google Play
    Upload
    🇺🇸
    US Servers
    🌍
    Distribute = Export
    US Encryption
    Export
    Regulations.
    Import

    View Slide

  12. Do I have encryption in my app?

    View Slide

  13. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.

    View Slide

  14. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    Less headache

    View Slide

  15. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    More headache
    Less headache

    View Slide

  16. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    More headache
    Less headache
    File and send a required report

    View Slide

  17. Do I have encryption in my app?
    https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Use of encryption includes, but not limited to:
    • Making calls over secure channels (i.e. HTTPS, SSL, and so on).
    • Using standard encryption algorithms.
    • Using crypto functionality from other sources such as native libraries.
    • Using proprietary or non-standard encryption algorithms.
    More headache
    Less headache
    File and send a required report
    You’ll need legal help

    View Slide

  18. Annual self-classification report
    How? – Send the report as an attachment to BIS and ENC emails
    What? – A specific CSV-formatted file
    Where? – See the official website for correct emails
    When? – No later than Feb 1 of the following year
    https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification

    View Slide

  19. Report Example
    PRODUCT NAME: Awesome App!
    MODEL NUMBER: 1.10.2
    MANUFACTURER: SELF / Tom Smith Inc.
    ECCN: 5D992.c
    AUTHORIZATION TYPE: MMKT
    ITEM TYPE: Mobility and mobile applications n.e.s.
    SUBMITTER NAME: Tom Smith
    TELEPHONE NUMBER: (222) 123-4567
    E-MAIL ADDRESS: [email protected]
    MAILING ADDRESS: 123 Smith St. Washington DC 22032
    NON-U.S. COMPONENTS: N/A
    NON-U.S. MANUFACTURING LOCATIONS: N/A
    https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675

    View Slide

  20. Report Example
    PRODUCT NAME: Awesome App!
    MODEL NUMBER: 1.10.2
    MANUFACTURER: SELF / Tom Smith Inc.
    ECCN: 5D992.c
    AUTHORIZATION TYPE: MMKT
    ITEM TYPE: Mobility and mobile applications n.e.s.
    SUBMITTER NAME: Tom Smith
    TELEPHONE NUMBER: (222) 123-4567
    E-MAIL ADDRESS: [email protected]
    MAILING ADDRESS: 123 Smith St. Washington DC 22032
    NON-U.S. COMPONENTS: N/A
    NON-U.S. MANUFACTURING LOCATIONS: N/A
    https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1675
    Commonly used values
    Update with your info

    View Slide

  21. Apple Guide
    Informs you when you submit
    a build.
    Explains export regulations
    in a simple language in
    multiple pages.
    Requires extra review if you
    have custom encryption.

    View Slide

  22. Apple Guide Google Guide
    Informs you when you submit
    a build.
    Explains export regulations
    in a simple language in
    multiple pages.
    Requires extra review if you
    have custom encryption.
    Single page of “it depends”
    information.

    View Slide

  23. Useful links
    BIS official guide: https://www.bis.doc.gov/index.php/policy-guidance/
    encryption/4-reports-and-reviews/a-annual-self-classification
    BIS official example: https://www.bis.doc.gov/index.php/component/docman/?
    task=doc_download&gid=1675
    ECFP official instructions: https://www.ecfr.gov/cgi-bin/retrieveECFR?
    gp=1&SID=4150cfbf028e9a85574385383a581f47&h=L&mc=true&n=pt15.2.742&r=PART
    &ty=HTML#ap15.2.742_119.6

    View Slide

  24. Useful links
    Our experience: https://docs.cossacklabs.com/themis/regulations/us-crypto-
    regulations/
    Apple guide: https://help.apple.com/app-store-connect/#/dev88f5c7bf9
    Google guide: https://support.google.com/googleplay/android-developer/
    answer/113770?hl=en
    Wikipedia: https://en.wikipedia.org/wiki/
    Export_of_cryptography_from_the_United_States

    View Slide

  25. Thank you!
    @julepka
    Photo by Lukas Blazek
    https://unsplash.com/@goumbik

    View Slide