Does your app provide end-to-end encryption?

One of the questions Apple ask regarding iOS apps is "Does your app provide end-to-end encryption?"

But without defining exactly what they mean by end-to-end encryption specifically.

Isn't HTTPS basically E2EE? Therefore any app that contacts a server using https provides end-to-end encryption?

Or does the question mean something additional above and beyond https?

Do you call any crypto API, such as CryptoKit?

I understand this as "Does the app provide its own end to end encryption". https is not of my own.

The app sends/receives payloads from a server, these payloads themselves are not encrypted (beyond https), however the http header contains a custom field with a JWT (so the server can verify the app is who it says it is). This JWT contains a SHA256 hash.

As this is just a small thing and not really a part of the actual send/received payloads, I'm unsure if the answer should be yes or not.

In such a case, I would declare using encryption.

You can probably contact support to double check.

> these payloads themselves are not encrypted (beyond https)

But https is encryption!

> however the http header contains a custom field with a JWT (so the server can verify the app is who it says it is). This JWT contains a SHA256 hash.

That sounds like a digital signature, not encryption.

> exactly what they mean by end-to-end encryption specifically.

To me "end-to-end encryption" means, in an architecture where you have users and servers, the data is encrypted by the sending user, passed to the server which cannot decrypt it, and then to the receiving user, who decrypts it.

This may or may not be what Apple means.

> But https is encryption!

Hence this question. Is that what they are asking, or something else?

Xcode/iOS knows if an app is using http rather than https (try using http and you'll get errors etc.), so if it can detect it, why ask if you are using it. Therefore the question presumably means something other than https.

> Therefore the question presumably means something other than https.

But HTTPS is unlikely to be end-to-end. Most likely, it is only encryption between the app and your server.

If you use end-to-end encryption in any form, you will want to select “yes” there.

This includes using HTTPS, TLS, and even that clever custom digitally-encrypted smoke signals scheme.

HTTPS is fundamentally end-to-end encryption.

Your encryption usage may well be exempt from needing documentation, as is the case with many apps, and particularly those using built-in Apple encryption support. You may well have to document that encrypted smoke signal implementation for export, though.

If you are even remotely unclear or unsure about this, check with your organization’s export-control legal contacts. Or get some.

Some related reading:

https://developer.apple.com/documentation/security/complying-with-encryption-export-regulations

https://developer.apple.com/help/app-store-connect/manage-app-information/detemine-and-upload-export-compliance-documentation

https://developer.apple.com/help/app-store-connect/reference/export-compliance-documentation-for-encryption

https://stackoverflow.com/questions/58792758/how-to-determine-if-my-app-contains-encryption

> HTTPS is fundamentally end-to-end encryption.

No, it's point-to-point encryption. Huh?
