Secure way to store and use Amazon Access key for Android

Question

I am trying to build an application for android that uses Amazon SimpleDB. I have viewed the source code of the example code provided by Amazon. However in the demo, the credentials are just stored in a Constants.java and I believe this method is not secure at all as potentially there are people that could decompile the apk to expose the credentials even with Proguard on.

Therefore i went to read up on Amazon article regarding this and I could not quite understand as I am not very familiar with cryptography in android/java.

How am I supposed to actually allow access to Amazon SimpleDB from my application while keeping the access key safe from external parties?

Edit 1: I want to use the application to retrieve data from the SimpleDB, showing in listview. For example like a simple review on food and other users will be able to retrieve the same review that other users posted. Maybe if the user wants to post a review, they would require to sign up an account and log in.

You don't, for that reason. You'd create a web service for your app to talk to. — Brian Roach, Feb 17 '14 at 09:21
You can try to hide it better but you can't make it secure. See http://stackoverflow.com/questions/21646688/good-practice-how-to-handle-keystore-passwords-in-android-java/21647060#21647060 for example. — zapl, Feb 17 '14 at 09:24
@BrianRoach I see. There is really no approach to secure the credentials somehow for the application besides a web service? — thhVictor, Feb 17 '14 at 09:27
@thhVictor Rule #1 in client/server programming: *Never trust the client*. Security through obscurity doesn't actually work, and that's all you got. — Brian Roach, Feb 17 '14 at 09:31
@zapl thanks for the link. I guess i have to do it in the web service approach — thhVictor, Feb 17 '14 at 09:31
@BrianRoach Alright so now i have to learn how to set up an web service for my android app to store data using amazon. — thhVictor, Feb 17 '14 at 09:32
If it were easy, everybody would be doing it :-D My advice would be to look at Jersey for writing a simple REST interface if you want to stick with Java. — Brian Roach, Feb 17 '14 at 09:33
Amazon recommends using a TVM (token vending machine) in order to manage credentials (http://aws.amazon.com/articles/4611615499399490). — andreimarinescu, Feb 17 '14 at 09:39
^^ Or that. I didn't know they were offering it, though that may just be for S3 buckets? — Brian Roach, Feb 17 '14 at 09:41
And remember that clients accessing you REST service are still untrusted clients. Any token / id / credential / secret inside the app can in theory be extracted and used from either a hacked version of your app or an entirely different app. I.e. design the service in a way that clients can't do bad things, especially when it comes to monetary cost to either you or a user. — zapl, Feb 17 '14 at 09:44
It appears their token thing is for everything - they have examples for using it with SimplDB — Brian Roach, Feb 17 '14 at 09:47
Thanks everyone here for the answers and tips on the Client/Server application. I will take a look at the TVM and will update here soon. — thhVictor, Feb 17 '14 at 09:48
Two approaches to secure `AWS Secret Key` [link][1] [1]: http://stackoverflow.com/questions/12826984/amazon-simpedb-apps-data-protection/12833634#12833634 — Ashish Pancholi, Feb 19 '14 at 04:47

score 4 · Answer 1 · answered Feb 17 '14 at 21:46

4

AWS offers a couple of solutions for delivering credentials to the device outside of hard coding them, one or both may meet your specific needs:

Token Vending Machine. AWS offers example TVMs for both Anonymous and User Authentication that can be customized to meet your needs.
Web identity federation which uses identities from Facebook, Google, and Amazon.

Our samples repository includes samples for integrating with both of these technologies, though not specifically in the SimpleDB example.

answered Feb 17 '14 at 21:46

Bob Kinney

8,870
1
27
35

Greetings I use the S3 guide http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/s3transferutility.html to implement TransferUtility and my app is working, but the cognito id is in the app code, just like in the example repo for s3 you provide, isnt that dangerous? – cutiko Jan 11 '16 at 18:38
1

@cutiko Cognito offers some additional protections over hard coded credentials, but if you are simply using unauthenticated access, then yes, anyone with your cognito identity pool id will be able to generate credentials. – Bob Kinney Jan 11 '16 at 21:17

score 0 · Answer 2 · edited May 23 '17 at 11:51

There is no foolproof way to do this. Whichever way we do, somebody taking your APK can potentially reverse engineer and crack the password (You make it difficult by obfuscating the code, but it is just making difficult and not foolproof).

If your app requires users to login (with some credential from your backend or using openid), then use this to let users access your server. Then on the server code, you can provide the AWS credentials using IAM Roles (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html).

So your web (REST) API access is allowed by using user-provided password and your server code gets the access by IAM roles. This is the most secure way.

If you dont want to have your server / backend, then there is no real foolproof way.

Answer from @Bob above is precise how to achieve this: https://stackoverflow.com/a/21839911/2959100

I understand there is no way to secure the client end from the comments provided above. So basically from what i understand is that Amazon will allow access to my SimpleDB to post let's say a review if i use some kind of login for my application? What i want to do is: See Edit 1 in question. — thhVictor, Feb 17 '14 at 18:01

Secure way to store and use Amazon Access key for Android

2 Answers2