When submitting an app to the iOS App Store, one is required to declare whether the app “contains encryption” (and, as I understand, go through additional administrative hurdles).
Does anyone know of any guidance on what precisely is covered by the term “encryption” in this context?
Are they referring to:
- specifically cryptographically secure encryption schemes (AES, RSA etc);
- OR, any scheme or method that might in everyday parlance be referred to as ‘encryption’, or a variant of a standard scheme that is cryptographically weak?
Specifically, I was intending to use some weak scheme to protect some of the app’s assets against a casual hacker, e.g. by XORing the data from the file with a string of bytes generated from a (non-cryptographic) random number generator. If you like, it would be a “one time pad”, but where the key isn’t actually cryptographically random: just random enough so that somebody looking to steal the data would need to go to a small amount of effort beyond ‘just copying the data out of the file’.
So, for the purposes of the declaration, would this count as using “encryption” even though it’s not actually a cryptographically secure form of encryption? What I’m doing is common enough practice that I’m guessing other developers have submitted apps using such a procedure: did you have to declare the app as using encryption?
(The iTunes Connect Guide, for example, doesn’t give any further specification on this matter.)
This flow chart will probably help you get on the right track. It indicates that if the encryption is limited to copyright protection / intellectual property then it is exempt from the review. I got to this flow chart from the BIS homepage. That page is referenced by the FAQ entitled World Wide Trade Compliance for the App Store in iTunes Connect, which states you can claim exemption:
Hope this helps clear things up a bit.
EDIT: Another interesting section is this; you can claim exemption if: