
Apple App Encryption Documentation on App Store Connect: Encryption Export Regulations

Hi, Developers. I am Andrey Sirota, indie developer of the AR Masker app, which is made with Unity software. Here I share my experience of submitting App Encryption Documentation to Apple on App Store Connect to meet the Encryption Export Regulations.

In AR Masker I use a Unity Asset called “Simple IAP System” (SIS). SIS can use encryption (if you want) to safely store the purchases’ data, as well as any custom data. So, I use encryption, and let’s dive into it.


Encryption Export Regulations and Apple

In some cases, when you distribute your App in France, or outside the USA/Canada (because Apple's servers are located in the U.S.), you need to send App Encryption Documentation to the French or U.S. Government respectively, regardless of where your legal entity is based.

App Encryption Documentation on App Store Connect

You need to send the documentation before submitting the App for Moderation on App Store Connect: App > General > App Information > App Encryption Documentation.


To submit App Encryption Documentation for moderation, you have to answer 2 questions that determine which documents you need to send:

  1. What type of encryption algorithms does your app implement?
    Answer: Standard encryption algorithms instead of, or in addition to, using or accessing the encryption within Apple’s operating system.
  2. Is your app going to be available for distribution in France?
    Answer: Yes.

France (ANSSI) and Encryption Declaration

In my case, I used encryption, so I have to send the French Encryption Declaration to “Agence nationale de la sécurité des systèmes d’information” (ANSSI).

In 2020, I sent the declaration directly to ANSSI, and got the following answer in 1 month and 5 days:

Please be informed that the mobile application “AR Masker” is out of the scope of both domestic (decree n°2007-663) & european (Regulation n°2019/2199) regulations.

Consequently, we will not be issuing any document. You may market the aforementioned product without any restriction.

So in 2024, I can send this declaration on App Store Connect instead of to ANSSI.

Here you can download the Encryption Declaration for the Government of France (DÉCLARATION ET DEMANDE D’AUTORISATION D’OPÉRATIONS RELATIVES A UN MOYEN DE CRYPTOLOGIE).

On macOS, this PDF file of the declaration can be filled in with the free version of Adobe Acrobat Reader.

I filled in the following sections with this info:

  1. Cochez la case correspondant aux formalités que vous souhaitez effectuer: déclaration et demande d’autorisation de toute opération relative à un moyen de cryptologie.
  2. A.2. Personne physique.
    • Civilité: M.
    • Nom: Sirota
    • Prénoms: Andrey
    • Nationalité: [citizenship country]
    • Adresse:
      • Numéro: [apartment number]
      • Rue: [street & house number]
      • Code postal: [postal code]
      • Ville: [city]
      • Pays: [country]
      • Numéro de téléphone: [phone number]
      • Adresse de courrier électronique: [gmail of App Store Connect]
  3. B.1. Informations générales sur le moyen.
    • Marque de distribution: Andrey Sirota
    • Dénomination du moyen: AR Masker
    • Version: 3.0
    • Référence commerciale: https://armasker.com
    • Date de mise sur le marché: 29/01/24
    • Dénomination d’origine: Simple IAP System
    • Fabricant: FLOBUK e.K.
  4. B.2.1. Classez le moyen dans la ou les catégorie(s) correspondante(s): Logiciel.
  5. B.2.2. Description générale du moyen: My app called “AR Masker” uses 3rd party asset for Secure Data Storing on Mobile Device called “Simple IAP System” by “FLOBUK”.
  6. B.2.3. Indiquez à quelle catégorie se rapporte la fonction principale du moyen: Sécurité de l’information (moyen de chiffrement, bibliothèque cryptographique, etc.)
  7. B.3.1. Description des fonctionnalités cryptographiques du moyen:
    As FLOBUK says:
    “Encryption in “Simple IAP System” is very simple, using a 56 bit key that was entitled and listed for exemptions until Apple’s new security guidelines in 2017. It does not use ATS, nor HTTPS for encryption.”

    My App uses Unity Game Engine and “Simple IAP System” inside itself uses C# namespace called System.Security.Cryptography & class called DESCryptoServiceProvider with CipherMode.ECB and PaddingMode.PKCS7.
  8. B.3.2. Indiquez à quelle(s) catégorie(s) se rapporte(nt) la ou les fonctions cryptographiques du moyen:
    Intégrité.
  9. B.3.4. Précisez les algorithmes cryptographiques utilisés et leurs longueurs maximales de clés:
    • Algorithme: DES.
    • Mode: ECB.
    • Taille de clé associée: 56 bit.
    • Fonction: Data Storing on Mobile Device.
  10. E. – Pièces à joindre (cochez les cases correspondant aux pièces que vous avez jointes):
    – brochure technique du moyen de cryptologie (format électronique souhaité).
  11. F. – Attestation:
    • Civilité: M.
    • Nom: Sirota
    • Prénoms: Andrey
    • agissant en qualité de: individual
    • pour le compte de: Andrey Sirota
    • Date: 29/01/24

Moderation Time

I sent the updated declaration on January 29.
March 1: My App Encryption Documentation is still in review.

However, here Apple says about 2 business days.

Throughout February, I contacted the Encryption Team via the link indicated in the Apple docs (App Setup > Encryption), and later I also contacted the App Review Team from here (Other App Review questions). Every time, they said “wait”, and there was no end to this journey.


So, on March 1, I replied again to both answers from the different departments, and within several hours my App Encryption Documentation was approved. I got 3 different answers:

  1. “Your App has now been approved from “Waiting for Export Compliance” status. Please note that it can take anywhere from 1 hour up to 24 hours for the status to change in all of the systems.”
  2. “We had to wait until the ANSSI submission timeframe of one month had passed – which it just did and the app has now been approved.”
  3. “We appreciate your patience. We checked the status of your request and confirmed that it is still under review. We will let you know as soon as we have an update for you.”

So I guess that contacting support accelerates the process anyway.

The “App Encryption Documentation” section shows the docs as “Approved”, but the “iOS App > Build” section shows “Missing Compliance > Documents Approved” after 24 hours. You need to click on this message and indicate the approved docs.



There is a workaround to avoid 1 month of waiting: stop distributing the app in France, and submit the app without the French encryption docs.


Specifying your Use of Encryption in Xcode or Unity

To bypass setting up export compliance in App Store Connect every time you upload a new build, you can specify your use of encryption directly in the information property list (Info.plist) in your Xcode project. You need to set 2 keys with appropriate values:

  • ITSAppUsesNonExemptEncryption: YES (true in Unity for boolean variable in C#).
  • ITSEncryptionExportComplianceCode: [PASTE-YOUR-CODE-AFTER-DOCS-ARE-APPROVED].

Since the information property list in Xcode is cleared every time you build with Unity, you need to specify it in Unity with a C# script placed in the Editor folder. This script sets the keys and values for you automatically in the Xcode project during the build process started in Unity:

/*
=============================================================
Unity Assets by MAKAKA GAMES: https://makaka.org/unity-assets
=============================================================
*/

#if UNITY_IOS

using UnityEditor;
using UnityEditor.Callbacks;
using UnityEditor.iOS.Xcode;

using System.IO;

public class EncryptionPostBuildControl
{
    private const string appUsesNonExemptEncryptionKey =
        "ITSAppUsesNonExemptEncryption";

    private const bool appUsesNonExemptEncryptionValue = true;

    private const string encryptionExportComplianceCodeKey =
        "ITSEncryptionExportComplianceCode";

    private const string encryptionExportComplianceCodeValue =
        "PASTE-YOUR-CODE-AFTER-DOCS-ARE-APPROVED";

    private const string pathToInfoPlist = "/Info.plist";

    [PostProcessBuild(0)]
    public static void OnPostProcessBuild(
        BuildTarget buildTarget, string pathToBuiltProject)
    {
        if (buildTarget == BuildTarget.iOS)
        {
            AddPListValues(pathToBuiltProject);
        }
    }

    // Implement a function to read and write values to the plist file:
    private static void AddPListValues(string pathToBuiltProject)
    {
        // Retrieve the plist file from the Xcode project directory:
        string plistPath = pathToBuiltProject + pathToInfoPlist;

        PlistDocument plistObj = new();

        // Read the values from the plist file:
        plistObj.ReadFromString(File.ReadAllText(plistPath));

        // Get the root dictionary of the plist:
        PlistElementDict plistRoot = plistObj.root;

        // Set the key-value in the plist:
        plistRoot.SetBoolean(appUsesNonExemptEncryptionKey,
            appUsesNonExemptEncryptionValue);

        plistRoot.SetString(encryptionExportComplianceCodeKey,
            encryptionExportComplianceCodeValue);

        // Save changes to the plist:
        File.WriteAllText(plistPath, plistObj.WriteToString());
    }
}

#endif
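
A post-build check for the two keys the script above writes, as an added example that is not part of the original article or of the Makaka Games code: it parses a built Info.plist and reports a missing or non-boolean ITSAppUsesNonExemptEncryption and a compliance code that is absent or still the template placeholder. The function names, the sample bundle identifier and the sample code value are constructed for illustration, and the rule that a code must accompany a true flag mirrors this page's two-key setup.

```python
import plistlib

USES_KEY = "ITSAppUsesNonExemptEncryption"
CODE_KEY = "ITSEncryptionExportComplianceCode"
PLACEHOLDER = "PASTE-YOUR-CODE-AFTER-DOCS-ARE-APPROVED"  # value from the script above


def check_export_compliance(plist_bytes):
    """Return a list of problems; an empty list means both keys look right."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    problems = []
    uses = info.get(USES_KEY)
    code = info.get(CODE_KEY)

    if uses is None:
        problems.append(f"{USES_KEY} is missing")
    elif not isinstance(uses, bool):
        # Writing the string "YES" instead of a boolean ends up here.
        problems.append(f"{USES_KEY} must be a boolean, got {type(uses).__name__}")

    if uses is True:
        if not isinstance(code, str) or not code.strip():
            problems.append(f"{CODE_KEY} is missing or empty")
        elif code == PLACEHOLDER:
            problems.append(f"{CODE_KEY} still holds the template placeholder")
    elif uses is False and code is not None:
        problems.append(f"{CODE_KEY} is set but {USES_KEY} is false")
    return problems


def make_plist(entries, fmt=plistlib.FMT_XML):
    """Build a constructed Info.plist (hypothetical bundle id) for the demo."""
    return plistlib.dumps({"CFBundleIdentifier": "com.example.demo", **entries}, fmt=fmt)


if __name__ == "__main__":
    # Constructed samples; in a real pipeline read <XcodeProject>/Info.plist instead.
    samples = {
        "approved code": {USES_KEY: True, CODE_KEY: "CONSTRUCTED-CODE-0001"},
        "placeholder left in": {USES_KEY: True, CODE_KEY: PLACEHOLDER},
        "string instead of bool": {USES_KEY: "YES"},
        "keys wiped by rebuild": {},
    }
    for name, entries in samples.items():
        found = check_export_compliance(make_plist(entries))
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```
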


4 Comments

  1. Thanks for your helpful article. I use the Unity engine and Unity Ads, so how do I fill in this part (B.3.4. Précisez les algorithmes cryptographiques utilisés et leurs longueurs maximales de clés:)? Do you know how I can find these? Thanks again for this work.

    1. Hi, Sami. This document states that data collected by the Unity Ads SDK is encrypted in transit. I guess encrypted data is not stored on the device: you can ask Unity Ads Support about it.

      You can also ask ANSSI directly whether you need to fill the declaration or not.

      I am looking forward to receiving answers from all the authorities that will be sent to you here in comments.

  2. Is the signature at the end of the PDF required? Or is there any way to sign it? Looking forward to your reply!
