Submitting applications that contain encryption algorithms




miniConvert
Mar 6, 2009, 09:36 AM
Has anyone submitted an iPhone application that includes public key and/or 3DES encryption?

If so, did you have to take any additional steps or get any kind of certification before submitting the application to Apple?

I'm in the UK, if that makes a difference. TYIA for any help!
:apple:



jnic
Mar 6, 2009, 09:52 AM
The CommonCrypto library supports RSA (http://developer.apple.com/iphone/library/documentation/Security/Reference/certifkeytrustservices/Reference/reference.html#//apple_ref/c/func/SecKeyGeneratePair) and SSL (presumably implemented with AES but haven't played with it to confirm).

The bigger issue is export restrictions; there's a tick box when you go to submit regarding encryption, I've never followed it but I imagine it offers more detail on forms, etc.

miniConvert
Mar 6, 2009, 09:55 AM
Thanks, yes it's the export restrictions I'm curious about.

Anyone who has experience of this, your input would be greatly appreciated. What hoops, if any, did you have to jump through?

NewsTrader
Mar 6, 2009, 11:04 AM
Yes. Essentially it breaks down like this.

If you are using 1-way encryption, known as hashing, you are fine, i.e. SHA, MD5, etc.

If you use two-way encryption then you are either:
using it for the purpose of authentication (i.e. PKI type) or doing the full authentication + encryption scheme

Both are those two radio boxes when submitting an application.

I personally avoided the whole fiasco and dealing with the US state dept., so I created an equivalent-strength security protocol for the purposes of authentication against a server from an iPhone endpoint by using only 1-way encryption. It is mathematically almost equivalent to PKI strength minus some assumptions.

I did not need to encrypt data after authentication since it was not sensitive, and using 2-way encryption for authentication was more hassle, certificates, etc. No point. These are consumer-grade products.

J

miniConvert
Mar 13, 2009, 08:47 AM
Anyone who has actually gone through the process of successfully submitting an application containing public key and/or 3DES encryption?

Details of your experience would be greatly appreciated. As I mentioned previously, I'm submitting to Apple from the UK.

miniConvert
Mar 23, 2009, 08:10 AM
No one with actual experience of the process?

I appreciate that for many (!) of the applications in the App Store the idea of encryption is highly irrelevant.

FWIW, I've requested credentials to access SNAP-R by fax as instructed but heard nothing back as yet.