iTune Connect: Export Compliance [duplicate] - app-store-connect

I am making a new app and want to submit it to the App Store.
But at the time of final submission
there is a check for Export Compliance.
What should I check, Yes or No?
I use an https URL in my app.
Please help me.
Thanks in advance.

When you know that you ARE export compliant you can put this in your Info.plist:
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
This will prevent App Store Connect from asking you questions about export compliance.

If you are using https in your application, you will need to answer yes to this question, even if all you are using is built-in mechanisms to communicate over https. The good news is that you no longer need to get the Encryption Registration Number (ERN) - the current requirements (as of August 2017) are that you just need to submit the annual self classification report to the BIS (Bureau of Industry and Security). To submit a self classification report, follow the instructions on item 13 in this FAQ: A sample Self Classification report can be found here.
For a great write up that talks about both sides of the story (apps that only use common / freely available encryption, like SSL, as well as apps that have their own, proprietary encryption), see this Medium post.
Please don't listen to other people who state that they just answer no to this question to make things easier when submitting an app.

As of February 2018 this is the process to file an Annual Self Classification Report to BIS (Bureau of Industry and Security):
https://www.bis.doc.gov/index.php/policy-guidance/product-guidance/high-performance-computers/223-new-encryption/1238-how-to-file-an-annual-self-classification-report

To get an ECCN (Export Control Classification Number) for an HTTPS mass market iOS app, follow these steps.
Download the quick reference guide to classify your app.
https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file
For a basic HTTPS iOS app used to securely access a webpage or transfer a file, use 5D992, which is "Information Security" "software" not controlled by 5D002.
If your app contains more encryption functionality, then reference the policy guide. https://www.bis.doc.gov/index.php/policy-guidance/encryption
Might not be what you want to hear, but you will need to review the policy and correctly categorize the app and get the correct ECCN.
Now go to the SNAP-R form. https://snapr.bis.doc.gov/snapr/
To get to the form from the BIS homepage.
https://www.bis.doc.gov/index.php
Then select Licensing -> Simplified Network Application Process Redesign (SNAP-R)
Register Online for a SNAP-R account.
https://snapr.bis.doc.gov/registration/Register.do
The Bureau of Industry and Security will return a CIN application ID quickly via email.
Return to the main SNAP-R page with the CIN issued number and login.
Select "Create Work Item"
The Type will be "Commodity Classification Request"
Reference number is 7 digits. I used my phone number.
Create
Fill in Contact Information.
Leave License Information Blank
Fill in Company Designation any info missing. When you created the CIN this info was requested.
Other Party can be left blank.
Now for each app you want to register, fill in an Export Item and press Add Export Item. Multiple apps can be submitted on the same request.
ECCN will be 5D992
APP can be left blank. It is the "Adjusted Peak Performance" ("APP"), which for a commodity iOS app is not required.
Product/Model is the name of the app in the App Store.
CCATS can be left blank.
Manufacturer is your company name.
Technical Description - briefly describe the app's function and how HTTPS is leveraged. Keep it simple. They are interested in whether the app is a security risk and how encryption is used.
example:
AppName is distributed as an Apple iOS App. It uses HTTPS to download/upload daily updates to and from xxxx. The download is used to generate a table. An In-App .99 cent purchase expands the table results to include xxxx.
Additional information explains in more detail how HTTPS has been implemented.
The HTTPS file transfer is a URLSession data transfer task found in the Apple Foundation library. The iPhone automatically performs the download of the published data in csv file format, using the HTTPS protocol for a secure transfer.
Make sure you saved all your drafts. Check for errors. Then submit.
The turnaround is pretty fast. Mine took around an hour. But I am sure it varies.
The other option is that once a year you can submit an Annual Self Classification Report. But if you have a SNAP-R CCATS number you are not required to submit an Annual Self Classification Report.
https://www.bis.doc.gov/index.php/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification
This is very simple. Download the sample csv file. Delete the sample data, leaving the headings. The headings are required. Fill in the columns. The column Authorization Type is MMKT. Item type Other: HTTPS File Transfer. Save the file and submit.
The BIS SNAP-R hotline [202-482-4811 DC, 949-660-0144 CA] and the Encryption Hotline for the annual submission [202-482-0707] are both very helpful. Last point, the BIS has a helpful set of YouTube videos.
https://www.bis.doc.gov/index.php/online-training-room
Hope this helps.

From Complying with Encryption Export Regulations: Declare Your App’s Use of Encryption:
Typically, the use of encryption that’s built into the operating system—for example, when your app makes HTTPS connections using URLSession—is exempt from export documentation upload requirements, whereas the use of proprietary encryption is not. To determine whether your use of encryption is considered exempt, see Determine your export compliance requirements.
So Apple says that for usual HTTPS scenarios, you do not need to upload export documentation for your app.

Related

How do I programmatically download Bank of America transactions?

I use Quicken, which can automatically download Bank of America transactions. However, it truncates all the payees so I lose data. I'd like to work around this and I'm thinking of downloading the transaction data and generating my own QFX file with the full payee info.
Is there a way that I can download transactions programmatically, or download something like a .qif (available on their website) programmatically? For the latter, I could convert the qif to a QFX myself.
If anyone has other ideas to download all of the transaction information without losing the payee info, I would welcome those ideas as well.
Do they provide an API for this? Most probably not for 3p without a contract. Since it's a bank, there must be checks for the browser etc. along with the standard sign-in, so it'll be hard for curl. You can have a browser plugin read all the data from the page and auto-scroll to get new transactions if they do not fit on the page. It's a hacky solution but good enough to get what we need, as you said that the data is available on the page. You will have to revisit it with updates, but changes in the basic structure are rare.
A quick search for bank of america api yielded this BofA API. They even have many options for types of payment information you could query here as well as lots of individual account types that you can access it as.
It looks pretty comprehensive. If you don't see what you are looking for there I put another option below, just in case.
I don't use BofA. So I can't speak to what they have natively available. But you could always use a bot to scrape it if they present it anywhere in the User Interface.
I would agree with Meena that you should not be able to use curl. But selenium uses a browser to programmatically do just about anything that you would want to do with any website. They also have bindings for many languages. So you could just pick your favorite and go to town...
It seems the API will return a JSON so you may need to find a tool to convert that to a qif or qfx if that part is important. After digging further, I can't test this without having a CashPro account but it seems what you need to do is...
Step 1:
Get an access token from here. You'll need to send this in the header of any requests
Step 2:
Send an http request with a header in the following format:
{
  "accounts": [
    {
      "accountNumber": "xxxxxxx",
      "bankId": "xxxxxxx"
    }
  ],
  "fromDate": "yyyy-mm-dd",
  "toDate": "yyyy-mm-dd"
}
to https://developer.bankofamerica.com/cashpro/reporting/v1/transaction-inquiries/previous-day
Step 3:
You should get a JSON as a response
As mentioned, I can't test this but here's the documentation of the specific API endpoint you need

Method to prove authenticity of download files in hindsight

I'm looking for a tool or method to prove the authenticity of resources downloaded from the web and stored locally. To be clear: I don't mean the SHA or MD5 checksums to verify a downloaded file. What I need is a way to download and store a web resource in such a way that I can later prove that said resource indeed originated from that web server.
In particular for the following scenario: A website published an article about a client. He would like to sue for defamation of character. I need a way to store the article without them having the possibility of simply removing it and denying they ever published it. So preferably this would be a tool that is backed by publications making it credible in court.
I have thought about storing the TLS certificate, keys and the encrypted data. That would rely on the root CA, but I think that would in itself not be a problem. I could do this using a custom program and a library like OpenSSL, but I think this is such a common problem, there probably is a relatively standard tool for it. Also, I am not entirely sure to what extent this would constitute reliable evidence. And can someone point to publications that would back this method?
Maybe I am using the wrong search terms, but everything I find is about aforementioned SHA or MD5 checksums. Any help is much appreciated.
If I understand correctly, you need something like a signature with a timestamp. Yes?
You need not only a checksum of the document (article, text value, whatever) but also proof that this article really existed in time.
When using a digital signature you can store such a timestamp with 3rd party certified providers. You sign the document and send the checksum to the 3rd party provider. Later you can ask the provider to verify that this exact document is valid & was indeed created at the given time.
https://en.wikipedia.org/wiki/Trusted_timestamping
As this can cost money (a fee for the provider to store the timestamps), you can create checksums from many documents (like take all documents from one hour), store all of them in a single file, create a checksum from that file and sign it with a timestamp. This way you create one timestamp for a batch of documents, not for each document.
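The batching approach from the answer above, as an added example that is not part of the original answer: it builds one manifest of SHA-256 digests, derives the single batch digest that would be submitted for timestamping, and later checks a stored document against both. The function names, manifest layout and sample documents are assumptions made for illustration, and obtaining the provider's timestamp over the batch digest is not shown.

```python
import hashlib
import hmac

# Constructed sample documents (captured page bodies keyed by a local name).
SAMPLE_DOCS = {
    "article-2024-01-01.html": b"<html><body>First captured article</body></html>",
    "article-2024-01-02.html": b"<html><body>Second captured article</body></html>",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(documents: dict) -> bytes:
    """Return the single batch file: one '<digest>  <name>' line per document.

    Names are sorted so the same set of documents always yields the same bytes.
    """
    lines = []
    for name in sorted(documents):
        if "\n" in name or "\r" in name:
            raise ValueError("document name must not contain line breaks")
        lines.append(f"{sha256_hex(documents[name])}  {name}")
    return ("\n".join(lines) + "\n").encode("utf-8")


def batch_digest(manifest: bytes) -> str:
    """Checksum of the batch file; this is the value sent for timestamping."""
    return sha256_hex(manifest)


def verify_document(name: str, body: bytes, manifest: bytes, stamped_digest: str) -> bool:
    """Check a stored document against the manifest and the timestamped digest."""
    # Step 1: the manifest must be byte-for-byte the one that was timestamped.
    if not hmac.compare_digest(batch_digest(manifest), stamped_digest):
        return False
    # Step 2: the document's own digest must be listed under its name.
    entry = f"{sha256_hex(body)}  {name}"
    return entry in manifest.decode("utf-8").split("\n")


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_DOCS)
    stamped = batch_digest(manifest)  # assumed to be what the provider timestamped
    name = "article-2024-01-01.html"
    print("batch digest:", stamped)
    print("original verifies:", verify_document(name, SAMPLE_DOCS[name], manifest, stamped))
    print("altered verifies:", verify_document(name, b"altered", manifest, stamped))
```

The manifest file has to be kept alongside the documents, since only its digest is covered by the timestamp.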

VB.net simple license key to protect application

I am working on a simple VB application. But I want to protect it to give the user the option to use it only for a specific time.
So I was thinking to make a text file with a key-code (Beside Random characters, it contains an expire date). When the application is started after this expire date, the application should close automatically.
The location where this text file is located can be the same location where the executable is running from.
Does somebody have a good idea how to implement it? Or is there an easier way to implement this?
If you want to give a "Trial period" to your application you might rather want to hard-code that to prevent tampering. Then, when purchased, make a modification to the registry and different files (maybe download a few files that "register" the application so that it recognizes itself as "full"). To go one step further, maybe periodically have the application reach out to your server and verify the license.
This is a huge subject that a lot of smarter people than me can weigh in on. I will note that this is part of a constant battle between developers and hackers trying to get around licensure.
To make software unlocked for some period of time, you can create a text file on websites like Pastebin and add an expiry date to it. Then make your software check if the file is still valid.
Note that users can "track down" requests your software sends. Never store your private information linked with your software.
You can also use HWID protection which ensures your software will work only if it matches hardware information stored in encrypted string.
You can hash other user's information like username, wifi name and so on, but remember that changing any of this information (OS, hardware or system information) will create new unique HWID, which may not match the previous one - resulting in failed HWID authorization.
To make bypassing protection harder, you can obfuscate your software.

Are there any API services that allow me to send a Bitcoin transaction with OP_RETURN?

I want to be able to send the minimum amount of Bitcoin required in order to write a 40 byte (roughly 80 character) message via ideally a REST API allowing me to specify a bitcoin wallet private key, the recipient bitcoin address, the fee and the message to attach to the OP_RETURN.
Thank you!
--
I wish Bitcoin allowed you to send coins without having to have an API or daemon - through http somehow would be cool. How would I create a raw transaction with a OP_RETURN in it to push to an API /tx/push using php and curl?
There are more options as the OP_RETURN protocol is so simple but here are the ones I recommend:
1. Blockcypher
Blockcypher API has a Data endpoint to write op return transaction but you need to register an API token with them so it's not completely under your control (they can ban your token), it supports only 40 bytes not 80 (well 75 in reality) but it's free, which is awesome!
Check it out (mainchain):
https://www.blockcypher.com/dev/bitcoin/#data-endpoint
Example from their doc (curl):
# Embedding String Data
curl -d '{"data":"I am the walrus", "encoding":"string"}' https://api.blockcypher.com/v1/btc/main/txs/data?token=YOURTOKEN
{
  "data": "I am the walrus",
  "encoding": "string",
  "token": "YOURTOKEN",
  "hash": "cb6974e0fd57c91b70403e85ef48c840eecdca4804dfc4897b1321d5328e4f18"
}
2. BlockchainPen
If you're searching for an APP (maybe to test quickly) or to get some open source code and modify it to your needs there's BlockchainPen:
http://blockchainpen.com
This is not an API service but more a webapp. It has a client-side browser wallet where you can load some funds (1mbtc?) and write op-return messages.
Click on the address to get a QR for loading funds quickly from a mobile wallet - The UI is very basic, you need to refresh the page to see the updated balance - The funds are yours, you can export your private key at any time (check the link at the bottom of the page).
The code is open source so you could import and use the Pen class (coffeescript or js version) in your programs to write transaction via nodejs: https://github.com/makevoid/blockchain-pen/blob/master/pen.coffee
Or with something like phantomJS, selenium/webdriver or some other browser automation tool you could use the deployed version but I think it will not be clean.
There are currently two open source implementations of blockchain-pen:
1: https://github.com/makevoid/blockchain-pen (latest)
2: https://github.com/makevoid/blockchain_pen (old repo - js / ruby opal)
You can also change the fee depending on your needs, the default one is 0.1mbtc, on http://prio.blockchainpen.com (priority) is 0.3mbtc.
(p.s. disclaimer: I'm the developer behind this, feel free to fork/improve the project, a new and simpler version will be released in 2017)
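The data output the question asks how to construct, as an added example that is not part of the original posts and not code from Blockcypher or BlockchainPen: it encodes the OP_RETURN output script, enforces a payload limit (80 bytes by default, or the 40 bytes the answer gives for the Blockcypher endpoint), and parses the script back. It covers only the data output, not the inputs, signing or broadcasting of the full transaction; all function and constant names are assumptions.

```python
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
MAX_DIRECT_PUSH = 75  # opcodes 0x01..0x4b push that many bytes directly
MAX_PAYLOAD = 80      # the 80-byte figure quoted in the answer above


def op_return_script(data: bytes, limit: int = MAX_PAYLOAD) -> bytes:
    """Build the output script: OP_RETURN followed by one push of the data."""
    if not data:
        raise ValueError("payload is empty")
    if limit > MAX_PAYLOAD or len(data) > limit:
        raise ValueError(f"payload of {len(data)} bytes not allowed (limit {limit})")
    if len(data) <= MAX_DIRECT_PUSH:
        push = bytes([len(data)])                # length doubles as the push opcode
    else:
        push = bytes([OP_PUSHDATA1, len(data)])  # 76..80 bytes need OP_PUSHDATA1
    return bytes([OP_RETURN]) + push + data


def serialize_output(script: bytes, value_sat: int = 0) -> bytes:
    """Serialize one transaction output: 8-byte LE value, length, script."""
    if len(script) >= 0xFD:
        raise ValueError("script too long for a one-byte length prefix")
    return struct.pack("<Q", value_sat) + bytes([len(script)]) + script


def parse_op_return(script: bytes) -> bytes:
    """Recover the payload, rejecting scripts that are not a single data push."""
    if len(script) < 2 or script[0] != OP_RETURN:
        raise ValueError("not an OP_RETURN script")
    if 1 <= script[1] <= MAX_DIRECT_PUSH:
        start, length = 2, script[1]
    elif script[1] == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    else:
        raise ValueError("unsupported push opcode")
    if len(script) != start + length:
        raise ValueError("declared length does not match script size")
    return script[start:]


if __name__ == "__main__":
    script = op_return_script(b"I am the walrus")  # string from the curl example
    print(script.hex())
    print(serialize_output(script).hex())
    print(parse_op_return(script))
```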
You can use http://www.stamping.io; you can anchor a transaction in Bitcoin & Ethereum at the same time. Try it!

Using JSON to update app's content in iOS

I'm about to create an application that uses JSON to update its content.
This is how I planned it to work:
When the application starts, it checks (if an internet connection is available) whether the JSON file set on the remote server is newer than the one stored locally - if it is, then it's downloaded.
Then, the application applies data from that JSON to the content. For example, to the "Contact" information - it applies data like phone numbers etc.
My question is, is it, in your opinion, a good technique to update an application's content?
Has anyone had experience with building an app with this kind of idea?
Best regards,
Zin
Of course you can do this. One thing that may lead to a better user experience would be to ask the user for his permission to download new content (if there is something new).
This is a normal thing to do. I have a phonebook app that does exactly this. On a side note, if you need a network class to handle the web-service interaction, see this SO post. I wrote a custom network class that works with AFNetworking.