Search Unity

  1. Good news ✨ We have more Unite Now videos available for you to watch on-demand! Come check them out and ask our experts any questions!
    Dismiss Notice

iOS Export Compliance, Crypto, French Encryption Declaration

Discussion in 'iOS and tvOS' started by levwsr, Oct 11, 2018.

  1. levwsr

    levwsr

    Joined:
    Jul 23, 2012
    Posts:
    67
    This sounds really obscure, but will apply to everyone using System.Security.Cryptography in unity. Apple is starting to crack down on developers that are saying "no" to the app submission cryptography questions, and they can revoke your developer status if you continue to do that.

    For example, our REST api calls use System.Security.Cryptography.RijndaelManaged()

    Specifically, French encryption declaration asks if your app contains:
    1. Any encryption algorithm that is yet to be standardized by international standard bodies such as IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, etc. or not otherwise published; or
    2. Standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s) instead of or in addition to accessing or using the encryption in iOS and/or Mac OS X
    Therefore, we all need to know how Unity has implemented the System.Security.Cryptography class on iOS, and if it is a call to native OS methods (which would save us ALL a lot of headaches).

    The answer to this could also change the code you need to submit your cat 5 part 2 code with:
    https://www.bis.doc.gov/index.php/d.../1652-cat-5-part-2-quick-reference-guide/file

    Can someone from unity please clarify?

    Thanks
     
  2. levwsr

    levwsr

    Joined:
    Jul 23, 2012
    Posts:
    67
    Actually, we also need to know what Unity internal systems are using. For example, calls to unity analytics and to receipt processing might call crypto classes inside unity.. are those using underlying system crypto calls, or would that fall under clause 2 above?
    If its the latter, we would need to know exactly whats being called (AES, RSA etc) and when/by what.
     
  3. eriQue

    eriQue

    Unity Technologies

    Joined:
    May 25, 2010
    Posts:
    595
    System.Security.Cryptography is either a managed implementation (Mono class libs), or plumbed through to mbedTLS or OpenSSL.

    mbedTLS and OpenSSL implement AES, DES, 3DES, RSA and the handshake/key exchange mechanisms.
    The source for mbedTLS and OpenSSL is available on GitHub (along with our fork of Mono).

    Example :

    mbedTLS is used on the majority of Unity supported platforms (including iOS).
    OpenSSL is used on macOS, Windows, Linux and UWP.
    WebGL has no support for these things, except through UWR (see below).

    IL2CPP does not have any implementation on its own.

    UnityWebRequest (UWR) uses either
    • Our fork of cURL; either backed by mbedTLS or OpenSSL
    • System cURL or some other kind of system level transport handler
      (the system provides the implementation)
    Unity Analytics is using UnityWebRequest (see above)
     
    Last edited: Oct 16, 2018
unityunity