Preparing a Blue Cedar secured app for the Apple App Store

iOS

See the policy console documentation (Securing apps for app store compatibility) for the process to secure iOS apps for Apple App Store compliance. This article provides additional information that is useful during the App Store submission process.

App Store submission

iTunes Connect is a web tool you use to enter information about your app for distribution in the store. Before you submit your app, enter all the required information, described in Viewing and Changing Your App’s Metadata, for your type of app. For descriptions of the metadata, see iTunes Connect Properties.

Export compliance

Because Blue Cedar-protected apps include encryption and security features, answers to the export compliance questions may differ from unprotected versions of the apps. Blue Cedar provides its own implementation of the cryptographic routines used for security features. Both standard Blue Cedar cryptography and FIPS 140-2 level 1 compliant cryptography are compatible with Apple App Store submission.

Apps secured with Blue Cedar technology must comply with local export regulations. Certain uses of encryption are exempt from App Store reporting requirements:

  • Apps specially designed for medical end-use
  • Apps specially designed and limited for banking use or "money transactions"
  • Apps made available only in the U.S. and/or Canada

If your app qualifies for one of the exemptions above, it can be categorized as using export control exempt encryption by including the following key/value pair in the app’s Info.plist file:

<key>ITSAppUsesNonExemptEncryption</key>
<false/>

Blue Cedar technology has not been approved by the App Store submission process for any uses not covered by the following responses. This knowledge base article will be updated as this process changes.

When you submit your app, you are prompted with a series of questions regarding the app’s use of cryptography. These questions appear in the iTunes Connect web interface when new iOS documentation is added under My Apps > (Your App) > Features > Encryption. The following table describes the questions, and the responses that Blue Cedar has provided.

Please review Apple’s published Frequently Asked Questions document to verify that distribution of your app complies with all local export laws after it is secured using Blue Cedar technology.

Use the following table to help you understand the effects of Blue Cedar security on export compliance:

Export compliance question: Is your app designed to use cryptography or does it contain or incorporate cryptography? (Select Yes even if your app is only utilizing the encryption available in iOS or macOS.)

Blue Cedar answer: Yes

Export compliance question: Does your app meet any of the following:

  • Qualifies for one or more exemptions provided under Category 5 Part 2
  • Use of encryption is limited to encryption within the operating system (iOS or macOS)
  • Only makes call(s) over HTTPS
  • App is made available only in the US and/or Canada

Blue Cedar answer: Yes. This limits your app to distribution in the US and Canada unless your app complies with an additional exemption under Category 5 Part 2. See the table below for details.


Category 5 Part 2 Exemptions

Exemption: Limited to using the encryption within the operating system (iOS or macOS)
Eligible: NO
Blue Cedar impact: Blue Cedar provides its own encryption. Apps using Blue Cedar technology cannot claim this exemption.

Exemption: Limited to making calls over HTTPS
Eligible: NO
Blue Cedar impact: Apps secured using Blue Cedar's Secure Web Stack technology cannot claim this exemption, even if the original app is limited to making HTTPS calls, because of the additional cryptography used to secure the app. (Not applicable for Enforce-secured apps.)

Exemption: Specially designed for medical end-use
Eligible: YES
Blue Cedar impact: No Blue Cedar impact. You may claim this exemption if your original app meets this criterion.

Exemption: Limited to intellectual property and copyright protection
Eligible: NO
Blue Cedar impact: Apps secured using Blue Cedar technology cannot claim this exemption, because of the additional cryptography used to secure the app.

Exemption: Limited to authentication, digital signature, or the decryption of data or files
Eligible: NO
Blue Cedar impact: Apps secured using Blue Cedar technology cannot claim this exemption, because the injected security features use encryption that is not limited to decryption of data or files.

Exemption: Specially designed and limited for banking use or "money transactions"
Eligible: YES
Blue Cedar impact: No Blue Cedar impact. You may claim this exemption if your original app meets this criterion.

Exemption: Limited to "fixed" data compression or coding techniques
Eligible: NO
Blue Cedar impact: Apps secured using Blue Cedar technology cannot claim this exemption, because of the additional cryptography used to secure the app.

For additional guidance on exemptions, see the Apple FAQ.

Required accounts

Please review section 5.1.1 “Data Collection and Storage” in the Apple App Store Review Guidelines document, specifically subsection (ii):

(ii) If your app doesn’t include significant account-based features, let people use it without a log-in. Apps may not require users to enter personal information to function, except when directly relevant to the core functionality of the app or required by law. If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism. Pulling basic profile information, sharing to the social network, or inviting friends to use the app are not considered core app functionality.

Using the Secure Microtunnel policy injects an authentication screen into your app that appears before your app's main screen. The Secure Microtunnel policy is only suitable for apps that already demonstrate significant account-based features according to the guidelines outlined above. If your app does not already have significant account-based features, then it may be rejected by the App Store review process.

App Store testing accounts

Apps that use Secure Microtunnel policies must include sign-in information in the App Review Information portion of the iTunes Connect iOS App information screen. You must provide a valid username and password that can be used to connect to your Blue Cedar Gateway infrastructure, along with instructions to the App Review team on how to connect to the app. Please take into account any changes in user experience that may differ from the original app before integration with Blue Cedar technology.

Local App Authentication

If your app uses Local App Authentication, then the user is prompted to create a secure PIN. Blue Cedar recommends mentioning in your review notes that this sequence is not a server-side account creation step, to avoid any confusion with interpretation of the App Store Review Guidelines section 5.1.1 (ii).

Advertising ID

iOS apps that are secured with “Enable App Store Compatibility” do not use the advertising ID in any way. During app submission you are prompted to affirm that your app (and any included frameworks) does not use the iOS advertising ID for any purposes other than those detailed in Apple guidelines. See The Advertising Identifier (Apple doc) for more detail. Please note that when “Enable App Store Compatibility” is unchecked, the Blue Cedar injectable does use the advertising ID as part of a unique identifier, for backwards compatibility reasons. If a secured app is mistakenly submitted to the App Store with “Enable App Store Compatibility” disabled, it will be rejected.

App versioning

Applying Blue Cedar technology can substantially change the behavior of an app. Any change in the version of Blue Cedar injectable or a change in the policy must be treated as a change to the overall app for purposes of App Store submission.

Even if the app code does not change, the version number of the app encoded in the Info.plist keys (specifically the values of CFBundleVersion and CFBundleShortVersionString) must be updated to upload a new version for distribution through TestFlight or to submit for App Store review. Review Apple Technical Note 2420 for more details on versions and how they interact with the App Store.
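The two Info.plist requirements above (the ITSAppUsesNonExemptEncryption export compliance key, and bumping CFBundleVersion / CFBundleShortVersionString on every re-secured build) can be checked before upload. The following script is an added example, not part of this article or of Blue Cedar's tooling: it parses a constructed sample Info.plist with the standard-library plistlib module and reports findings. The sample bundle identifier, version values, and the "previous build" values passed in are assumptions for illustration; in practice you would read the plist out of the secured .app bundle and the previous values from your last App Store Connect upload.

```python
"""Pre-submission checks on an iOS Info.plist (added example, constructed data)."""
import plistlib
from typing import List, Tuple

# Constructed sample Info.plist, not from the article or from Blue Cedar.
# The ITSAppUsesNonExemptEncryption entry is the key/value pair the article describes.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.securedapp</string>
    <key>CFBundleShortVersionString</key>
    <string>2.1.0</string>
    <key>CFBundleVersion</key>
    <string>47</string>
    <key>ITSAppUsesNonExemptEncryption</key>
    <false/>
</dict>
</plist>
"""


def version_tuple(value: str) -> Tuple[int, ...]:
    """Turn "2.1.0" into (2, 1, 0) so versions compare numerically, not as strings.
    Non-numeric components become 0 so a malformed value never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in value.split("."))


def check_info_plist(plist_bytes: bytes, previous_short_version: str, previous_build: str) -> List[str]:
    """Return a list of findings; an empty list means the plist passes these checks.

    previous_short_version / previous_build are the CFBundleShortVersionString and
    CFBundleVersion of the last build uploaded to TestFlight or App Store Connect
    (assumed values supplied by the caller).
    """
    info = plistlib.loads(plist_bytes)
    findings: List[str] = []

    # Export compliance: the key should be present. Setting it to false is only
    # valid when the app actually qualifies for one of the listed exemptions
    # (medical, banking, or US/Canada-only distribution); the key itself does
    # not make the app exempt.
    if "ITSAppUsesNonExemptEncryption" not in info:
        findings.append(
            "ITSAppUsesNonExemptEncryption missing: the export compliance "
            "questions will be asked for every uploaded build"
        )
    elif info["ITSAppUsesNonExemptEncryption"] is not False:
        findings.append(
            "ITSAppUsesNonExemptEncryption is true: app is declared as using "
            "non-exempt encryption; confirm this is the intended answer"
        )

    # Versioning: a re-secured build (new injectable or new policy) must carry
    # new version values even when the app's own code did not change.
    short = info.get("CFBundleShortVersionString")
    build = info.get("CFBundleVersion")
    if not short or not build:
        findings.append("CFBundleShortVersionString or CFBundleVersion missing")
        return findings
    if version_tuple(short) < version_tuple(previous_short_version):
        findings.append(
            f"CFBundleShortVersionString {short} is lower than the previously "
            f"uploaded {previous_short_version}"
        )
    if short == previous_short_version and version_tuple(build) <= version_tuple(previous_build):
        findings.append(
            f"CFBundleVersion {build} must be higher than the previously uploaded "
            f"build {previous_build} for version {short}"
        )
    return findings


if __name__ == "__main__":
    # Assumed previous upload: version 2.0.3, build 46.
    for finding in check_info_plist(SAMPLE_INFO_PLIST, "2.0.3", "46") or ["OK: no findings"]:
        print(finding)
```

Run it against the real Info.plist by replacing SAMPLE_INFO_PLIST with the bytes read from the secured .app bundle; a non-empty findings list means the build should not be uploaded yet.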

Open source licensing

Copyright and license information for open source software used in the Blue Cedar injectable is available from the info screen of a secured app.

To access the Blue Cedar Information screen, launch a secured app. On the Blue Cedar screens that appear before the app itself opens, tap the info circle (labeled i) at the bottom of the screen. The Information screen appears. Tap Licensing to show a list of open source software, then tap the name of any package to view the open source statement.