Crypted key in App Store

I'm close to finishing a “Do you want to become a millionaire” app, and my customer who ordered the app wants the app to generate a crypted key from the customer's device and mail address and post it by email to him.

This is not a big problem to make, but what I'm concerned about is Apple's standpoint regarding apps and crypted keys. (I have been advised not to do this because the App Store has verrrrry strict rules and it's very hard to get this approved.)

Now I have made my own cryptic-like generator but it's not very safe :wink:

I didn't find anyone who made something like this on GitHub and other places, so I made one from scratch, and the question base is just a class file with a table and some plain functions for marking used questions.

It also contains 3 buttons (like call a friend and so on).

Cheering is randomly picked from a base of sounds so it doesn't get too static. Now it is written in Norwegian so I have to rewrite some of it…LOL…Not too many of us out there :slight_smile:

I will post it on Corona's exchange code place so more people can use it.

I’m not sure why you need to do this. Does your client need to unpack the data after getting it, or is he just wanting some unique identifier for each user?

Ok Rob, I must admit that I'm in general just curious about the App Store and their practice towards the crypto lib in the Corona API :slight_smile:

Guess in this particular case I can settle with just a low level form of security. But what if I had to use some level of encryption?

Now I use a global var I declare in the main file called _CryptoCode={some digits only my customer knows} and mix this in a mailSender file like:

function sendMe(event)
    if event.phase == "began" then
        -- Mail body: the form fields, then the global _CryptoCode followed by the last name
        local options = {
            to = "henrruud@online.no",
            subject = "I made it!",
            body = fName.text .. ", " .. lName.text .. ", " .. post.text .. ", " .. postAddress.text .. ", " .. eMail.text .. ", " .. _CryptoCode .. lName.text
        }
        -- Open the native mail composer with the prepared message
        native.showPopup("mail", options)
    elseif event.phase == "ended" or event.phase == "cancelled" then
        redirectMe()
    end
end

Guess this will work because the user will never see the global variable and he/she will fill out the form and post it together with the invisible “key”.

This way I don't have to submit the app with crypto.hmac content.
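As an added example (not code from this thread): rather than placing the shared code itself in the mail body, the app can send a keyed tag computed with Corona's `crypto.hmac` over the form fields, which the customer recomputes to check that the fields were not edited. The secret value, the sample form data and the `TAG:` line format are assumptions made for illustration; a secret shipped inside an app can still be recovered from the binary, so the tag only shows that the mail was built by the app's form.

```lua
-- Added example; runs inside Corona (uses its built-in crypto library).
local crypto = require("crypto")

-- Assumption: constructed demo secret; the real value is agreed with the customer.
local SHARED_SECRET = "constructed-demo-secret-0000"

-- Length-prefix every field so that ("a, b", "c") and ("a", "b, c")
-- produce different inputs even though they look alike when joined with ", ".
local function canonical(fields)
    local parts = {}
    for i, value in ipairs(fields) do
        parts[i] = #value .. ":" .. value
    end
    return table.concat(parts)
end

-- App side: keyed tag over the form fields. Only the tag is mailed,
-- never the secret itself.
local function makeTag(fields)
    return crypto.hmac(crypto.sha256, canonical(fields), SHARED_SECRET)
end

-- Hypothetical body layout: readable fields, then the tag on its own line.
local function buildMailBody(fields)
    return table.concat(fields, ", ") .. "\nTAG:" .. makeTag(fields)
end

-- Customer side: recompute the tag from the received fields and compare.
-- The check happens offline on a received mail; hex case is normalised
-- in case a mail client altered it.
local function verify(fields, receivedTag)
    return makeTag(fields) == string.lower(receivedTag)
end

-- Constructed sample input (first name, last name, postcode, city, e-mail)
local form = { "Kari", "Nordmann", "0150", "Oslo", "kari@example.com" }
local tag = makeTag(form)

print(buildMailBody(form))
print("untouched form verifies:", verify(form, tag))

-- Any edit to a field after the tag was made causes verification to fail.
form[2] = "Hansen"
print("edited form verifies:", verify(form, tag))
```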

I don’t think Apple really cares one way or the other. However, they are going to be sticklers that you get the proper export documents lined up if you use cryptology. When you submit your app they ask you if you’re using it and you have to get the proper export compliance documents from your local government. Dealing with the government on this has completely made me avoid any encryption in my apps.

SSL (https requests) and Base64 encoding don’t require the export compliance, and I don’t think MD5 hashes of strings do either, but anything else (okay, well, ROT13 probably doesn’t need it either) will need approval from the Feds.

So if I use MD5 I'm ok? (That's more than enough in my case)

I still have to check the “using cryptology” checkbox right?

Everything I’ve read says MD5 is not encryption since it can’t be decrypted. It’s a hashing method, so I would probably say it’s okay. Also if it’s just being used for authentication (a broad category), those don’t need export compliance.

Thanks for the good answer, Rob

What if the scenario is:

I make an app that generates a crypted key based on some vars in my app and send this as a msg body in a mail to my customer

Then I make a decrypt app only for my customer so that he can verify that it's not some sort of fraud

(encrypt and decrypt)

This is, of course, just because I'm curious by nature :slight_smile:

Now you are encrypting and will have to get export compliance.

Ok, Rob

This is nice to know where the limit goes

Thanks for taking your time and answering me so fast :slight_smile:

The force is strong with this staff member!
