basha

Reputation: 617

How to secure AWS Credentials in Android app?

How do I secure my AWS credentials in my app? What's the ideal place to store AWS credentials and how can they be fetched at run-time?

See the warning below:

Leaked AWS Credentials

Your app(s) expose Amazon Web Services credentials.

Upvotes: 1

Views: 1307

Answers (1)

Exadra37

Reputation: 13064

THIRD PARTY SERVICES

How do I secure my AWS credentials in my app?

Don't do it. It will always be possible for an attacker to retrieve them with reverse engineering techniques, and a lot of open source tools exist to make this task trivial.

While the article I am about to share is for extracting an API key, the same approach can be used to extract any other secret, as described in my article How to Extract an API key from a Mobile App with Static Binary Analysis:

The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus on using the Mobile Security Framework (MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.

As the article says you can make it harder by hiding the AWS credentials within native C code, with the use of the JNI/NDK technique:

Using Android Studio 2.2 and higher, you can use the NDK to compile C and C++ code into a native library and package it into your APK using Gradle, the IDE's integrated build system. Your Java code can then call functions in your native library through the Java Native Interface (JNI) framework.

If you use this approach, the attacker will use an instrumentation framework at runtime to extract your AWS credentials, like Frida:

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

POSSIBLE SOLUTION

You should delegate to your backend or reverse proxy the responsibility to talk with AWS, like I suggest in my article Using a Reverse Proxy to Protect Third Party APIs:

In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app.

DO YOU WANT TO GO THE EXTRA MILE?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

Upvotes: 2
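The POSSIBLE SOLUTION section of the answer above recommends that the mobile app never hold AWS credentials and instead talk to a backend or reverse proxy that holds them. The following is an added example sketch of that backend, not code from the answer or from either linked article. It assumes a constructed app-session token table, an allowlist of the only upstream operations the mobile client may trigger, and a stand-in `fake_aws` upstream plus a simplified HMAC signer (a placeholder for the SigV4 signing a real backend would do with the AWS SDK); the credential values are placeholders read from the environment.

```python
"""Reverse-proxy sketch: AWS credentials live only on the backend process.

The mobile app authenticates to *this* service with its own session token;
the service signs the upstream request with the AWS credentials and never
echoes them back.  `fake_aws` and the HMAC signer are constructed stand-ins.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Placeholders: a real deployment reads these from the backend's secret store.
AWS_ACCESS_KEY_ID = os.environ.get("AWS_ACCESS_KEY_ID", "AKIA_PLACEHOLDER")
AWS_SECRET_ACCESS_KEY = os.environ.get("AWS_SECRET_ACCESS_KEY", "SECRET_PLACEHOLDER")

# Constructed: session tokens issued by the backend's own login endpoint.
APP_SESSION_TOKENS = {"tok-abc123": "user-42"}

# Allowlist of (method, path) pairs the mobile client is permitted to cause.
# Holding the credentials server-side only helps if the proxy also limits
# what a stolen app session can do with them.
ALLOWED_UPSTREAM = {("GET", "/prod-bucket/")}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    body: bytes
    headers: dict = field(default_factory=dict)


def sign_upstream(req: Request) -> Request:
    """Attach server-side credentials. Simplified HMAC, not real SigV4 (assumption)."""
    msg = f"{req.method} {req.path}".encode()
    sig = hmac.new(AWS_SECRET_ACCESS_KEY.encode(), msg, hashlib.sha256).hexdigest()
    headers = dict(req.headers)
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={AWS_ACCESS_KEY_ID}, Signature={sig}"
    )
    return Request(req.method, req.path, headers, req.body)


def fake_aws(req: Request) -> Response:
    """Constructed stand-in for AWS: only checks that a signed Authorization header is present."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("AWS4-HMAC-SHA256 Credential="):
        return Response(403, b"AccessDenied")
    return Response(200, b"<ListBucketResult/>")


def handle(client_req: Request, upstream=fake_aws) -> Response:
    """Proxy entry point: authenticate the app, enforce the allowlist, sign, forward."""
    user = APP_SESSION_TOKENS.get(client_req.headers.get("X-App-Session", ""))
    if user is None:
        return Response(401, b"missing or invalid app session")
    if (client_req.method, client_req.path) not in ALLOWED_UPSTREAM:
        return Response(403, b"operation not allowed for mobile clients")
    # Drop every client-supplied header so nothing the app sends (including a
    # forged Authorization header) reaches AWS; sign with our own credentials.
    upstream_req = Request(client_req.method, client_req.path, {}, client_req.body)
    resp = upstream(sign_upstream(upstream_req))
    # Return only the payload; no upstream auth material goes back to the app.
    return Response(resp.status, resp.body, {"X-Served-For": user})


if __name__ == "__main__":
    ok = handle(Request("GET", "/prod-bucket/", {"X-App-Session": "tok-abc123"}))
    print(ok.status, ok.body)                        # 200 b'<ListBucketResult/>'
    print(handle(Request("GET", "/prod-bucket/")).status)  # 401
```

The design point is that the app only ever holds a session token for your own backend, which you can revoke, rate-limit and scope per user, while the long-lived AWS key never leaves the server. The allowlist matters as much as the secret placement: a proxy that blindly forwards any request simply turns the app session into the AWS credential.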
