0

I have developed a mobile app and would like to deploy it to Apples App Store. However, before I do so, I need to state if my app uses encryption or not.

enter image description here

Before I submit this I would just like to get some advise please.

I do look at my app in Chrome's Developer Tools, and check all network traffic. All requests are http and none are https. Except I do use Firebase-Authentication, and it uses https.

e.g.

Request URL:https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=XXXXXXXXXXXXXXXXXX

Question

Does this mean my app does use encryption?

Excuse me if this is an obvious question, but I am a little confused because I am making use of a Firebase-Authentication service that makes https calls. My api doesn't make the calls, rather a 3rd party api my app uses does.

UPDATE

It looks like I am making use of encryption due to Firebase Auth, but due to the fact that I only use encryption for authentication I qualify for exemption:

enter image description here

Still confused... If I qualify for exemption, do I still need to report this to the US Government as stated above by Apple?

The reason I ask ask, is due to this.

Question

Do I still need to report this to the US Government? Are there any other app developers out there who have been through this process? How do you report this to the US Government?

Thanks

Richard
  • 8,193
  • 28
  • 107
  • 228
  • Sounds like your app uses encryption. Did you click the "learn more" link and see what it says? – khelwood Jun 22 '17 at 08:52
  • This is the Learn More link. It doesn't seem to be very clear: https://www.bis.doc.gov/informationsecurity2016-updates – Richard Jun 22 '17 at 08:54
  • I have also read here that reporting encryption is no longer required. But then why is Apple asking for this info and stating that it needs to be reported to the US Government? http://stackoverflow.com/a/40391664/776167 and https://stackoverflow.com/questions/2135081/does-my-application-contain-encryption/40919650#40919650 – Richard Jun 22 '17 at 08:55
  • And you *should switch* to HTTPS. It provides massive benefits for relatively little cost. – chrylis -cautiouslyoptimistic- Jun 22 '17 at 09:08
  • @chrylis thank you, good advise. However, my issue is I am on a tight budget, and I host my server on AWS. In order to introduce `https`, you need to use AWS Load Balancing, can't be done on a normal free-tier server unfortunately. – Richard Jun 22 '17 at 09:13
  • @Richard Assuming you're using EC2, that's not true. – Aehmlo Jun 22 '17 at 09:21
  • @Aehmlo, I have read that a Load Balancer is requires for https on AWS. Glad to hear it's not the case. I am using AWS Elastic Beanstalk running a Tomcat Server with RESTful Java services. Do you have any links to material on how I can implement https? – Richard Jun 22 '17 at 09:26
  • https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds/ – chrylis -cautiouslyoptimistic- Jun 22 '17 at 09:28
  • Thank you, appreciate the help. I also found the following. http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html – Richard Jun 22 '17 at 09:35
  • Your app use encryption according to that definition. Also, I thought I read somewhere that the app store will soon reject any app that makes http connections: they all have to be https. – President James K. Polk Jun 22 '17 at 13:51

0 Answers0