6

I want to make calls to the Amazon S3 REST API through an iPhone app. It means that I will have to write the secretAccessKey and the accessKey of the Amazon S3 service into my iPhone app.

If my app goes on the App Store, is it going to be dangerous for me? Maybe some people will extract my secretKey and my key to use them for other purposes? Is there a way to protect my app from this kind of attack?

Thanks!

Martin

MartinMoizard

1 Answer

3

If possible you shouldn't store your keys in your app.

You can see a lengthy discussion of the topic here: Architectural and design question about uploading photos from iPhone app and S3 (check out Adrian Petrescu's answer).

There are a couple of options here. First, upload your data to a central server and then onto S3. Your keys stay private on your server. Or you can look at presigning your URLs.

Larry Hipp
  • RE your presigning link which links to the S3GetPreSignedURLRequest method, how are you supposed to fill in the SecretKey info w/o having it stored on the client? Update: I re-looked at the reference and it says AccessKey, not SecretKey. Is the idea here that you just store one of the keys and it's used like a public key of sorts? – Skyler Mar 28 '11 at 18:21