Reputation: 97
My Android app works with AWS S3. I am doing this serverless architecture, which means my app includes every piece of information necessary to access the AWS S3 resources, including the ACCESS KEY and SECRET KEY.
Obviously it would cause security issues, and Proguard is not very helpful for protecting data in String format.
It would be great if you could share your wisdom on this. I believe that there is some general way to solve this problem, because I must not be the only one who goes with a serverless architecture.
Upvotes: 1
Views: 96
Reputation: 8830
As michael-sqlbot has mentioned, Cognito is the recommended way to authenticate mobile apps. However, if you can't be bothered setting up Cognito and investigating how it works, you can use AssumeRoleWithWebIdentity, which does not require AWS credentials to be invoked. AssumeRoleWithWebIdentity assumes the requested role and generates temporary credentials valid for 1h (by default). So the only gotcha is that you need to authenticate against any OpenID Connect-compatible identity provider.
Upvotes: 1
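The exchange the answer describes, as an added example that is not part of the original answer: it builds the unsigned AssumeRoleWithWebIdentity request body (no access key or signature, only the OIDC token) and parses the temporary credentials out of an STS response. The role ARN, session name, token and sample response are constructed placeholders, and the helper names are hypothetical.

```python
# Added example (not from the original thread); all values are constructed.
from datetime import datetime
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

def build_request_body(role_arn, session_name, id_token, duration=3600):
    """Form body POSTed to https://sts.amazonaws.com/. It carries no access
    key and no SigV4 signature: the OIDC token is the only proof of identity."""
    return urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": id_token,
        "DurationSeconds": str(duration),  # 3600 s = the 1h default
    })

def parse_credentials(xml_text):
    """Extract the temporary credentials from the STS XML response."""
    creds = ET.fromstring(xml_text).find(".//sts:Credentials", NS)
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    get = lambda tag: creds.findtext(f"sts:{tag}", namespaces=NS)
    return {
        "access_key": get("AccessKeyId"),
        "secret_key": get("SecretAccessKey"),
        "session_token": get("SessionToken"),
        "expires": datetime.fromisoformat(get("Expiration").replace("Z", "+00:00")),
    }

def needs_refresh(creds, now, margin_s=300):
    """True when the credentials expire within margin_s seconds of now."""
    return (creds["expires"] - now).total_seconds() <= margin_s

# Constructed sample response (placeholder values, not real credentials).
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>ASIAEXAMPLEKEYID</AccessKeyId>
      <SecretAccessKey>example-secret</SecretAccessKey>
      <SessionToken>example-session-token</SessionToken>
      <Expiration>2024-01-01T13:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""
```

The app keeps only the returned temporary credentials in memory and requests a new set with a fresh OIDC token when `needs_refresh` returns true, so no long-lived secret is shipped in the APK.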