iOS Export Compliance, Crypto, French Encryption Declaration

This sounds really obscure, but will apply to everyone using System.Security.Cryptography in unity. Apple is starting to crack down on developers that are saying "no" to the app submission cryptography questions, and they can revoke your developer status if you continue to do that.

For example, our REST api calls use System.Security.Cryptography.RijndaelManaged()

Specifically, French encryption declaration asks if your app contains:

1. Any encryption algorithm that is yet to be standardized by international standard bodies such as IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, etc. or not otherwise published; or
2. Standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s) instead of or in addition to accessing or using the encryption in iOS and/or Mac OS X

Therefore, we all need to know how Unity has implemented the System.Security.Cryptography class on iOS, and if it is a call to native OS methods (which would save us ALL a lot of headaches).

The answer to this could also change the code you need to submit your cat 5 part 2 code with:
https://www.bis.doc.gov/index.php/d.../1652-cat-5-part-2-quick-reference-guide/file

Can someone from unity please clarify?

Thanks

 

Actually, we also need to know what Unity internal systems are using. For example, calls to unity analytics and to receipt processing might call crypto classes inside unity.. are those using underlying system crypto calls, or would that fall under clause 2 above?
If its the latter, we would need to know exactly whats being called (AES, RSA etc) and when/by what.

 

So what I need to feel in "Secure Protocol" field in French Declaration if I use IL2CPP?

 

Hi Everyone,

I'm just about to (internal) test flight my first iOS game and am currently trying to understand this aspect of the process.

The IL2CPP game uses System.Security.Cryptography to encrypt local data files (that are generated at runtime). These are not transmitted across the internet.

From how I'm reading things (in the Apple docs and above) my implementation will use mbedTLS which does not use internal OS calls, therefore will need to registered for export compliance?

Fwiw, I am also using Unity Analytics.

Any advice would be much appreciated.

 

Hello!

Please could someone from Unity clarify the above comment re IL2CPP?

I'm taking that as IL2CPP has no specific implementation, therefore uses the platform specific implementations listed above?

So iOS (whether the build is IL2CPP or not) would use mbedTLS?

 

Perhaps the trick is to say yes to the general questions about cryptography and then say no to the more hair-pulling questions about technicalities that only 0.0001% people at Apple could even explain to you properly.

 

Jumping on this thread as we are also currently struggling with the French Encryption Approval.

We've managed to fill in the majority of the French government DÉCLARATION ET DEMANDE D'AUTORISATION D’OPÉRATIONSRELATIVES A UN MOYEN DE CRYPTOLOGIE, although whether we have done it correctly is yet to be known. The problem faced now is that the form is requesting specifics about the encryption used, not just a general comment saying "mbedTLS is used".

The form has a table in section B.3.4 that requires actual technical information about what encryption is used. It asks specifically for a list of algorithms used (e.g. RSA, AES, DES, SHA...), the mode of use (e.g. CBC, CTR, CFB, ..), the size of the key (ex. 256, 512, 2408,..) and the use of the function cryptographic in the product (e.g. encryption of data, sealing of data,.

This is the information we need from Unity, or at the least guidance on how to find this information.

We tried contacting Unity Customer Support, but got a response saying that customer support can not assist with technical questions, and refused to provide anymore help.

 

Also stuck on this France situation so I just removed them from my availability list. I cant see that the headache of sorting this out is worth the money I would be getting from this region. If my app makes it and I want to add France at a later stage (if economically warranted) then Ill pay someone to help me do it.