iTunes Export Compliance and HTTPS
Hello Guys,
I recently uploaded an app to Appstore and it's still in review process. Meanwhile I came across "Export Compliance" under features in My App. It basically asks me, if I have used any kind of encryption in my application. If used, it asks me to provide Export Compliance Documents.
I haven't used any explicit encryption in my application. But I am calling few web-service calls using https protocol. I know that https protocol sends data encrypted. In this case, do I need to upload Export Compliance documents? Or can set Export Compliance to NO in my iTunes for this app?
Related
BACKGROUND INFO
I have developed an application in R through the shiny package, and deployed it online through the shinyapps.io service.
Among its different functions, the shiny app can send emails (through my personal Google Account) to users if the fill a form. The emails are sent through the functionalities of the gmailr package, and to make it work I had to follow the procedure on the Google Cloud Platform to create a JSON token, configure the OAuth consent screen, and store the credentials I obtain in a folder of my R project. All the steps to this process are reported at the end of this GitHub issue I opened a while ago.
THE PROBLEM
The JSON token I generated on the Google Cloud Platform expires after some days.
After googling around, I noticed that this can happen if my "Application", on Google Cloud, is still in the Testing phase. First question about this statement:
What does it mean when Google refers, on the OAuth screen, as an Application in Testing phase? My application is already online on shinyapps.io, it's already functioning, and when I create a new token it can also send emails correctly (for a while).
In addition, on the Google's OAuth consent screen, I now have the possibility to "publish" such application. If I do that, the status changes as In production, and this message is displayed. Other questions:
What does it mean that the application will be available to everyone with a Google account? My application deployed on shinyapps.io doesn't require any login or any other data from the users, then what is this app they're talking about?
What will happen to users that try to connect to my application?
Are my credentials, as for example the JSON file, safe?
I know that there might be a lot of confusion in this post, but I am relly not an expert in this field, and so I am worried to make some mistakes.
Thanks a lot for your help!
The GMail API, OAuth and all, is typically meant to allow your app to send email on behalf of any user. It seems your use-case is a little different - you only ever need to connect one user: your own.
What does it mean when Google refers, on the OAuth screen, as an **Application in Testing phase? My application is already online on shinyapps.io, it's already functioning, and when I create a new token it can also send emails correctly (for a while).
I think you mostly answered this yourself in your further questions. Google thinks you're building an app that any GMail user can connect to, and so for security reasons, they want to differentiate between a test app and a production app. They don't necessarily know whether or not your app is published on shinyapps.io.
What does it mean that the application will be available to everyone with a Google account? My application deployed on shinyapps.io doesn't require any login or any other data from the users, then what is this app they're talking about?
I alluded to this earlier, but the GMail API is intended for apps that allow any GMail user to connect and manipulate their own email. Imagine a third-party email client, or similar. Again - Google's wording sounds a bit odd wrt your app since it doesn't fit that bill.
What will happen to users that try to connect to my application?
If you don't explicitly host your own server that implements OAuth with Google, then nobody can even try to connect. As long as you don't leak the shared secret from your Google Cloud Platform entry, you're safe.
Are my credentials, as for example the JSON file, safe?
Probably anyone with the JSON file can send email on your behalf. Marking your app as 'in production' will not change the security implications of your JSON file.
Unfortunately, Google has pretty tight security around their APIs nowadays. If you want to mark your app as "in production" you might open up a can of worms regarding "restricted scopes" (sending email counts as restricted). However, since you're using the JSON file instead full OAuth, I'm not sure if this applies to you. To my knowledge, you should be safe to try marking your app as "in production". Worst-case scenario, you might be able to weasel around the strict verification requirements by saying your app is "internal":
Internal Use: The app is used only by people in your Google Workspace or Cloud Identity organization. Note that your app will not be subject to the unverified app screen or the 100-user cap if it's marked as Internal.
I want to setup this app called Http Toolkit and for some reason I have the warning "System Trust Disabled". My android device is not rooted.
This is due to limitations in recent versions of Android. On unrooted devices, it is impossible to install system certificates.
You can still intercept HTTPS traffic using just user certificates, but you will only be able to intercept apps that opt into this by explicitly trusting user certificates. Most apps don't do this, so this is useful for debugging your own apps, but not for reverse engineering other people's.
You have a few options:
You can root your device.
You can use an emulator - any emulator except the official 'Google Play' edition emulators will give you root access.
You can use user certificates only, and modify the app to trust your user certificates either by editing the network security config if it's your own app (instructions here: https://httptoolkit.tech/docs/guides/android/#intercepting-traffic-from-your-own-android-app) or using tools like apk-mitm if not to modify the APK (this can work easily, but not always, so in many cases you'll need to do some manual app modification).
There's a lot more info in the HTTP Toolkit docs here: https://httptoolkit.tech/docs/guides/android/
I've seen similar questions regarding the Export Compliance Information encryption question when uploading an app with App Store Connect, but I'm still looking for a straight answer for my question. I am uploading an iOS app and have to answer the following question:
Export Compliance Information
Does your app use encryption? Select Yes even if your app only uses the standard encryption within Appleās operating system.
My app has a login page that uses email and password credentials to allow users to log in if they are a user in my Firebase Authentication section of my Firebase project. I found that Firebase Authentication uses hashing for user passwords, but my question is does the inherent encryption that is part of Firebase mean I should answer yes? Or should I say no, given that I don't implement any encryption of my own. My project also uses Cloud Firestore to store client data inputted through the app.
Update: I realize encryption and password hashing are two completely separate forms of security, but my question still stands regarding info stored with Cloud Firestore.
The Firebase SDK, which is running in your app, connects to the Firebase servers over HTTPS so your app does use encryption. The encryption used is exempt so you don't need to upload any documentation to App Store Connect, but you do need to submit a year-end self-classification report.
I am building a react native mobile application, and I'm using the expo Google and Apple sign in libraries to provide authentication. Both libraries use firebase to authenticate, but my database is hosted elsewhere (heroku while in development, but probably migrating to digital ocean in the future). How can I protect my API using the access tokens I receive from the Google and Apple sign in utilities on my non-firebase server? All the code samples I've seen use firebase as the backend. I want to make sure that all the API calls are authenticated, and that the proper storing/refreshing techniques are used on the client, while maintaining the "persistent session" UX for users so they don't have to sign in every time they open the application.
I feel like I should know this, and I have a few ideas, but really don't want to get this aspect of the application wrong.
I would like to access the 'Chrome Web Store API' from a Cloud Function.
https://developer.chrome.com/webstore/api_index#Licenses
Why?
We are making a chrome extension, and would like to check to see if a user has purchased the extension (i.e. license) in the web store. The license information is available from the Chrome Web Store API. We could make the request to the Web Store API directly from the extension, but then there is a (uglyish) pop-up for the user requesting permission to access the API on their behalf, which isn't ideal. We want to instead make a Cloud Function endpoint, that when sent the userID, responds with true or a false, depending on whether the user has a valid license. The Cloud Function should be able to get the license data for any user on this URL: (https://www.googleapis.com/chromewebstore/v1.1/licenses/$appID/$userID).
I have tried digging around for examples on how to do this. I think I need the equivalent of the Cloud Function version of the Google API Client Library, that handles authentication via oath2 or a service account.. but even then I don't see a way to set the URL for a GET request.
Much appreciate any pointers or suggestions.