What do you mean I have to be “properly authorized” to use encryption in my apps?

09-08-2014

This took me by surprise. I remember seeing something while submitting previous apps to iTunes asking if I used encryption in my app but I had not noticed it on Google Play or the Amazon App Store (there is a checkbox for it; it just hadn’t registered with me since I wasn’t using encryption). I hadn’t needed any sort of encryption until now and that got me asking questions about WHY Apple would want to know this. After digging a bit, I discovered that you have to be “properly authorized” by the Department of Commerce (DOC) Bureau of Industry and Security (BIS) to use encryption in your app. Personally, I think it just needs to be shortened to BS. It’s only my controlled data and it does not contain any personally identifiable information, so why does the government need to be involved? So, anything that uses technology like HTTPS, DES, AES, etc. falls into this category. However, one-way hashes like MD5 don’t appear to fall into this category because they aren’t meant to be decrypted…I need to get verification on that one. So began my journey of trying to figure out what kind of paperwork was needed to get this going so we could be legit and I could use encryption in my app. I had found some resources online but they were a few years old and a lot of the links were broken. I was seeing acronyms like “SNAP-R”, “ERN” and “CCATS” but had no idea what exactly they meant. So I hit Google with the few leads I had and discovered that I needed to start with the “SNAP-R” system. No idea what that acronym meant so I looked it up; it stands for the “Simplified Network Application Process – Redesign” system…yeah, that really cleared things up. So I started there to try and get registered.

https://snapr.bis.doc.gov/registration/Register.do

Filled out all the information on the page (which wasn’t that much) and submitted it. It then told me that instructions would be sent to the email I specified and I MUST follow them. About 5 minutes later, I got my email and it said they were processing my information and should have it done within 5 business days. Not too horribly bad so far. I still don’t know what “CCATS” is exactly, but it sounds like it’s a more in depth process of getting “properly authorized”. From what I’ve read so far, I should only need to get approved to get into this “SNAP-R” system so I can apply for an “ERN” (Encryption Registration Number) so then I can submit the “ERN” to Apple to prove that we are “properly authorized” by the DOC. My head hurts now, maybe by the time they approve our “SNAP-R” application, I’ll be ready to tackle the next step…whatever that is.

09-09-2014

Woke up this morning to see an email about our “SNAP-R” registration. They sent me an “Applicant ID” in the email and a link I could use to verify my “SNAP-R” user account. Once I clicked on that link, it said I was verified once I entered some information (don’t forget your password here) and it then directed me to the following link so I could log in.

https://snapr.bis.doc.gov/snapr/exp/UserLoginLoad

Looking at this page, it asks for a “Login ID”, a “Password” and a “CIN”. It appears that both the “Login ID” AND the “CIN” are the same as the “Applicant ID” you received in the email. I believe at one point there was an older system in which the “Login ID” and the “CIN” were two separate things; it doesn’t appear that way anymore. So once you enter that info and log in, you are able to create a “work item” in this system. So, what does access to this “SNAP-R” system and these “work items” give us? Here is a definition from the site:

An important note in SNAP-R is that the term Work Item is used to refer to any of the BIS work related transactions that can be submitted online. These include: 
  * Export License applications 
  * Re-Export License applications 
  * Commodity Classification requests 
  * Encryption Registrations 
  * Agriculture License Exception notices

It is that “Encryption Registrations” part we need to register for to get an “ERN”. So after clicking on the “Create Work Item” link from the left part of the screen, it asks what we want to create and to give it a reference number. Select “Encryption Registration” from the drop-down box and for a reference number, it has to follow the format of AAA9999. Since we are trying to get an “ERN”, I chose to use ERN as the alpha part and a random number for the number part. Then click on create…to fill out more paperwork. Filling out the next page isn’t too bad either, but I did have to find and fill out a “Supplement No. 5 to Part 742”, so off to Google to find out what that was. Clicked on a link I found on www.bis.doc.gov, and was greeted with the following message.

Does this seem ironic?

So a copy of the document for encryption registration is on an HTTPS server that appears to be self-signed. That just seems rather odd.

After locating the section we needed, I began filling it out. Again, it wasn’t too bad but it took a little while to do. Now that this paperwork is done, we have to export it in .PDF format and attach it to our work item at the bottom of the form. After giving everything a once over again, I clicked the “Check for Errors” button and it didn’t seem to find any issues. Then I spent the next 30 minutes trying to figure out HOW to submit the form as it wasn’t very clear to me since there was nothing like a visible “Submit” button on the page. When all else fails, start clicking other buttons to see what happens. I discovered you have to click the “Verify Address in Work Item to Submit” button at the bottom of the page right beside the “Check for Errors” button first. Then click the “Preview Work Item to Submit” button on the next page, and finally the “Submit” button shows up at the bottom of the next page. Once you click that button, it asks you to acknowledge that you won’t be able to make any more changes to the document once submitted. Okay, done and done.  When I looked back at my list of work items, the status was already “Accepted” for that particular “work item”. Not sure exactly what that means, I guess I’ll just wait on correspondence on how to get my “ERN”.

10 Minutes Later

Well, that didn’t take too long, only 2 days. Received an email saying I had a message in the “SNAP-R” system waiting for me. So I go to my messages and in there it has my new “ERN”. The process as a whole wasn’t horribly painful, just frustrating in trying to figure out everything that you need while reading all the legalese as I’m not very fluent in that language. Hopefully this is all Apple will need to verify we are now “properly authorized” to export or reexport encryption products. Guess we’ll find out when we are done with our app!

Some final thoughts about “Shape Sprout”

“Shape Sprout” is now live on the Amazon Appstore, Google Play Store, Apple App Store and on Facebook! We are constantly learning new things every time we work on an app and at the same time, we find more ideas for other apps! Apple took a little longer to approve our app this go around than it did last time…10 days. Amazon was only a day or two and Google and Facebook were pretty much same day. All in all, I thought the development of this app went exceptionally smoothly. Very few bumps in the road from the development side…I just have to get my artistic ability up to par. Practice, practice, practice! And of course having Kari record audio for our games is such a blast; she always makes me laugh. We’ve already started development on the next app; it’s called “Jumble Attack” and is based on the hot air balloon event that happens in “Shape Sprout”. We decided on a bit simpler app this go around because we are changing how we are doing a few things and wanted to focus on getting those ironed out while still making a fun game to play. We’ve decided to go the in-app store route to allow people to purchase an ad-free gaming experience instead of having two versions of our game. This should make maintenance a whole lot easier. Also, there will be some communications between our app and our web server. This is something we’ll use in later apps and wanted to see if we could find a good way to do that. We decided on doing HTTPS + encrypted data…then realized we have to get an ERN from the government before we could legally make an app available that implemented encryption or even used HTTPS. This was a surprise to us. Curious how to get your ERN? I’ll be posting how I did that very soon. The whole process only took about 2 days which is saying something when the government is involved. Onward and upward!

Huh? I told you to explode over THERE

So no matter how awesome a tool is, it always has some bugs in it. Unity3D doesn’t escape this unfortunate reality. So far I haven’t come across anything that was so bad it made the tool unusable, just delayed development for a little bit while I searched for a solution. One of these bugs reared its ugly head during development of Shape Sprout while trying to create a small explosion for when Kari’s “shape bullets” hit Jumble’s target on his balloon. So, I created a particle system, set the parameters to make it look like a little explosion, turned off looping and then created a prefab out of it so I could instantiate it easily when needed in the game. So far so good, the collider was triggering the callback function on the target and I set up the transform location of the newly created explosion at the point that the “shape bullet” hit the target. Something like this…

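// Inside the target's collider callback; "other" is the shape bullet that hit it.
GameObject bulletHit = (GameObject) GameObject.Instantiate(bulletHitPrefab);
// Parent the explosion alongside the bullet and place it where the bullet is.
bulletHit.transform.parent = other.transform.parent;
bulletHit.transform.localPosition = other.transform.localPosition;
bulletHit.particleSystem.Play();
// Log both world positions to compare where the explosion should be and where it is.
Diagnostic.Logit(other.transform.position);
Diagnostic.Logit(bulletHit.transform.position);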

Every once in a while though, the explosion would happen at some random spot on the screen instead of where the “shape bullet” hit the target.

Particle System Positioning Oddity
Um…how’d the explosion get over there?

What in the world? I must have been doing SOMETHING wrong, but the same exact code was running each and every time. Timing maybe? Let’s move some code around where things are created and destroyed. Nothing. Still had the same problems. Even made a log of the location of both where the explosion should happen and where the explosion supposedly was and they were exactly the same. So why wasn’t it SHOWING it in the right spot? I started looking around a bit online and found something about the particle system needing to be disabled first before positioning it, then re-enabled. AND make sure “Play on Awake” wasn’t enabled. Okay, so let’s add a little bit into the code here…

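GameObject bulletHit = (GameObject) GameObject.Instantiate(bulletHitPrefab);
// Deactivate the new object before moving it ("Play on Awake" must be off on the prefab).
bulletHit.SetActive(false);
bulletHit.transform.parent = other.transform.parent;
bulletHit.transform.localPosition = other.transform.localPosition;
// Reactivate only after it is positioned, then start the particle system.
bulletHit.SetActive(true);
bulletHit.particleSystem.Play();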

And let’s see what happens…

Particle System Positioning Fixed
That’s more like it

Maybe this is expected “behaviour”. (See what I did there?) Maybe I’m just doing it wrong? All in all I would not trade Unity3D for anything right now. Maybe this will help someone else dealing with this odd particle system positioning bug/issue. As of this writing, I am using Unity version 4.5.2f1.

Wrapping up Shape Sprout

And here is the REAL life “Kari the Shape Fairy” play testing her new game, Shape Sprout! She loves hearing her own voice in the game. We are getting close to wrapping it up, still squashing a few bugs and testing some settings. We hope to have it out soon for Android, iPhone/iPad, and Facebook. Shape Sprout is the second game we’ve developed so far and has been an absolute blast to work on. We have SO many other ideas lined up for games, just need more time…and caffeine!

Play testing Shape Sprout