Preparing a Blue Cedar secured app for the Apple App Store
See the policy console documentation (Securing apps for app store compatibility) for the process to secure iOS apps for Apple App Store compliance. This article provides additional information that is useful during the App Store submission process.
App Store submission
iTunes Connect is a web tool you use to enter information about your app for distribution in the store. Before you submit your app, enter all the required information, described in Viewing and Changing Your App’s Metadata, for your type of app. For descriptions of the metadata, see iTunes Connect Properties.
Export compliance
Because Blue Cedar-protected apps include encryption and security features, answers to the export compliance questions may differ from unprotected versions of the apps. Blue Cedar provides its own implementation of the cryptographic routines used for security features. Both standard Blue Cedar cryptography and FIPS 140-2 level 1 compliant cryptography are compatible with Apple App Store submission.
Apps secured with Blue Cedar technology must comply with local export regulations. Certain uses of encryption are exempt from App Store reporting requirements:
- Apps specially designed for medical end-use
- Apps specially designed and limited for banking use or "money transactions"
- Apps made available only in the U.S. and/or Canada
If your app qualifies for one of the exemptions above, it can be categorized as using export control exempt encryption by including the following key/value pair in the app’s Info.plist file:
<key>ITSAppUsesNonExemptEncryption</key><false/>
Blue Cedar technology has not been approved by the App Store submission process for any uses not covered by the responses below. This knowledge base article will be updated as the process changes.
When you submit your app, you are prompted with a series of questions regarding the app’s use of cryptography. These questions appear in the iTunes Connect web interface when new iOS documentation is added under My Apps > (Your App) > Features > Encryption. The following table describes the questions, and the responses that Blue Cedar has provided.
Please review Apple's published Frequently Asked Questions document to verify that distribution of your app complies with all local export laws after it is secured using Blue Cedar technology.
Use the following table to help you understand the effects of Blue Cedar security on export compliance:
Export compliance question | Blue Cedar answer
--- | ---
Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available in iOS or macOS.) | Yes
Does your app meet any of the following exemptions? (The exemptions are those listed in the Category 5 Part 2 table below.) | Yes. This will limit your app to distribution in the US and Canada unless your app complies with an additional exemption under Category 5 Part 2. See the table below for details.
Category 5 Part 2 exemption | Exemption eligibility | Blue Cedar impact
--- | --- | ---
Limited to using the encryption within the operating system (iOS or macOS) | NO | Blue Cedar provides its own encryption. Apps using Blue Cedar technology cannot claim this exemption.
Limited to making calls over HTTPS | NO | Apps secured using Blue Cedar's Secure Web Stack technology cannot claim this exemption, even if the original app is limited to making HTTPS calls, due to additional cryptography used to secure the app. (Not applicable for Enforce-secured apps.)
Specially designed for medical end-use | YES | No Blue Cedar impact. You may claim this exemption if your original app meets this criterion.
Limited to intellectual property and copyright protection | NO | Apps secured using Blue Cedar technology cannot claim this exemption, due to additional cryptography used to secure the app.
Limited to authentication, digital signature, or the decryption of data or files | NO | Apps secured using Blue Cedar technology cannot claim this exemption due to use of non-read-only encryption.
Specially designed and limited for banking use or "money transactions" | YES | No Blue Cedar impact. You may claim this exemption if your original app meets this criterion.
Limited to "fixed" data compression or coding techniques | NO | Apps secured using Blue Cedar technology cannot claim this exemption, due to additional cryptography used to secure the app.
For additional guidance on exemptions, see the Apple FAQ.
Required accounts
Please review section 5.1.1 “Data Collection and Storage” in the Apple App Store Review Guidelines document, specifically subsection (ii):
(ii) If your app doesn’t include significant account-based features, let people use it without a log-in. Apps may not require users to enter personal information to function, except when directly relevant to the core functionality of the app or required by law. If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism. Pulling basic profile information, sharing to the social network, or inviting friends to use the app are not considered core app functionality.
Using the Secure Microtunnel policy injects an authentication screen into your app that appears before your app's main screen. The Secure Microtunnel policy is only suitable for apps that already demonstrate significant account-based features according to the guidelines outlined above. If your app does not already have significant account-based features, then it may be rejected by the App Store review process.
App Store testing accounts
Apps that use Secure Microtunnel policies must include sign-in information in the App Review Information portion of the iTunes Connect iOS App information screen. You must provide a valid username and password that can be used to connect to your Blue Cedar Gateway infrastructure, along with instructions to the App Review team on how to connect to the app. Please take into account any changes in user experience that may differ from the original app before integration with Blue Cedar technology.
Local App Authentication
If your app uses Local App Authentication, the user is prompted to create a secure PIN. Blue Cedar recommends mentioning in your review notes that this sequence is not a server-side account creation step, to avoid any confusion with interpretation of App Store Review Guidelines section 5.1.1 (ii).
Advertising ID
iOS apps that are secured with "Enable App Store Compatibility" do not use the advertising ID in any way. During app submission you are prompted to affirm that your app (and any included frameworks) does not use the iOS advertising ID for any purposes other than those detailed in Apple guidelines. See The Advertising Identifier (Apple doc) for more detail. Please note that when "Enable App Store Compatibility" is unchecked, the Blue Cedar injectable does use the advertising ID as part of a unique identifier due to backwards compatibility concerns. If a secured app is mistakenly submitted to the App Store with "Enable App Store Compatibility" disabled, it will be rejected.
App versioning
Applying Blue Cedar technology can substantially change the behavior of an app. Any change in the version of Blue Cedar injectable or a change in the policy must be treated as a change to the overall app for purposes of App Store submission.
Even if the app code does not change, the version number of the app encoded in the Info.plist keys (specifically the values of CFBundleVersion and CFBundleShortVersionString) must be updated to upload a new version for distribution through TestFlight or to submit for App Store review. Review Apple Technical Note 2420 for more details on versions and how they interact with the App Store.
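The two Info.plist settings this article calls out, the ITSAppUsesNonExemptEncryption declaration from the export compliance section and the version keys that must advance for every new upload, are easy to get wrong in a release pipeline. The following script is an added example, not Blue Cedar's or Apple's code: it lints an Info.plist for both conditions before an upload and, for an app that genuinely qualifies for one of the listed exemptions, applies the changes. The sample plist, the previous-upload version values, and the function names (`check_export_compliance`, `check_version_bump`, `prepare_for_resubmission`) are constructed for illustration; the plist keys themselves are Apple's documented keys.

```python
"""Pre-submission Info.plist checks for a Blue Cedar secured iOS app.

Added example; not part of the Blue Cedar documentation.  Uses only the
standard-library plistlib module so it runs anywhere Python runs.
"""
import plistlib

# Constructed sample Info.plist for illustration; not from a real app.
# Note that it has no ITSAppUsesNonExemptEncryption key yet.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.securedapp</string>
    <key>CFBundleShortVersionString</key>
    <string>1.4.0</string>
    <key>CFBundleVersion</key>
    <string>27</string>
</dict>
</plist>
"""


def load_info(plist_bytes):
    """Parse an XML (or binary) Info.plist into a dict."""
    return plistlib.loads(plist_bytes)


def parse_version(text):
    """Turn a dotted version such as '1.4.0' or '27' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def check_export_compliance(info):
    """Return a list of problems with the encryption declaration.

    An app that qualifies for an exemption (medical, banking, US/Canada-only)
    sets ITSAppUsesNonExemptEncryption to false.  A missing or non-boolean
    value means the key will not be honoured at upload time.
    """
    problems = []
    value = info.get("ITSAppUsesNonExemptEncryption")
    if value is None:
        problems.append("ITSAppUsesNonExemptEncryption is not set")
    elif not isinstance(value, bool):
        problems.append("ITSAppUsesNonExemptEncryption must be a boolean")
    return problems


def check_version_bump(info, previous_short, previous_build):
    """Return problems if the version keys did not advance since the last upload.

    A new injectable version or policy counts as an app change, so the build
    number must exceed the previously uploaded one even when the app's own
    code is unchanged.  `previous_*` are the values of the last upload
    (assumed to be recorded by the release pipeline).
    """
    problems = []
    short = info.get("CFBundleShortVersionString")
    build = info.get("CFBundleVersion")
    if short is None or build is None:
        problems.append("CFBundleShortVersionString and CFBundleVersion are required")
        return problems
    if parse_version(short) < parse_version(previous_short):
        problems.append(f"CFBundleShortVersionString {short} is older than {previous_short}")
    elif parse_version(short) == parse_version(previous_short) and \
            parse_version(build) <= parse_version(previous_build):
        problems.append(f"CFBundleVersion {build} must exceed previous build {previous_build}")
    return problems


def bump_build(build):
    """Increment the last component of a build string ('27' -> '28', '1.0.3' -> '1.0.4')."""
    parts = build.split(".")
    parts[-1] = str(int(parts[-1]) + 1)
    return ".".join(parts)


def prepare_for_resubmission(plist_bytes):
    """Declare exempt encryption and bump the build number; returns new plist bytes.

    Only appropriate when the app actually meets one of the exemptions in the
    article; the exemption decision itself is outside what this code can check.
    """
    info = load_info(plist_bytes)
    info["ITSAppUsesNonExemptEncryption"] = False
    info["CFBundleVersion"] = bump_build(info["CFBundleVersion"])
    return plistlib.dumps(info)


if __name__ == "__main__":
    info = load_info(SAMPLE_INFO_PLIST)
    for problem in check_export_compliance(info) + check_version_bump(info, "1.4.0", "27"):
        print("problem:", problem)
    fixed = load_info(prepare_for_resubmission(SAMPLE_INFO_PLIST))
    print("after fix:", fixed["ITSAppUsesNonExemptEncryption"], fixed["CFBundleVersion"])
```

Run it against the sample and the linter reports the missing encryption key and the unchanged build number; after `prepare_for_resubmission` both checks pass. In a real pipeline the previous version values would come from the last tagged release rather than literals, and the exemption flag would be set only after the compliance review in the table above has been done.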
Open source licensing
Copyright and license information for open source software used in the Blue Cedar injectable is available from the info screen of a secured app.
To access the Blue Cedar Information screen, launch a secured app. On the Blue Cedar screens that appear before the app itself opens, tap the info circle (labeled i) at the bottom of the screen. The Information screen appears. Tap Licensing to show a list of open source software, then tap the name of any package to view the open source statement.