
Recently Google provided an alert for one of my apps that

Your Amazon Web Services credentials may be exposed. This exposure of your credentials could lead to unauthorized access to your AWS account, which may include associated excessive charges, and potentially unauthorized access to your data and your users' data.

In the application, I'm using the Amazon Product Advertising API to get and display information related to some products.

I'm using the SignedRequestsHelper class provided by Amazon to request the data.

I need to know how I can protect my AWS keys in the Android app.

Thanks.

Deepak Goyal
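The alert quoted above is what Google's pre-publication scanning produces when it finds long-term AWS key material inside an APK. As an added example (not part of the question or of Amazon's SignedRequestsHelper), the following Python script performs the same kind of check locally over decoded app artifacts before release, so the problem is caught by the developer rather than by the store. The artifacts below are constructed; the key and secret values are the placeholders AWS uses in its own documentation, not real credentials, and the file names are hypothetical.

```python
import re

# Long-term (IAM user) access key ids start with "AKIA" and are 20 characters;
# temporary STS keys start with "ASIA". Both formats are public AWS conventions.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A secret access key is 40 characters of base64-like text. On its own that
# pattern is noisy (hashes, certificate pins), so it is only reported when it
# sits within SECRET_WINDOW lines of an access key id.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SECRET_WINDOW = 3


def redact(value):
    """Keep only a short prefix so the report itself does not re-leak the key."""
    return value[:4] + "..."


def scan_artifact(name, text):
    """Scan one decoded artifact (a source file, res/values/strings.xml, or a
    string table dumped from classes.dex) and return findings as
    (artifact, line_no, kind, redacted_value) tuples."""
    lines = text.splitlines()
    key_lines = []
    findings = []
    for no, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            key_lines.append(no)
            findings.append((name, no, "access_key_id", redact(m.group(1))))
    for no, line in enumerate(lines, 1):
        if not any(abs(no - k) <= SECRET_WINDOW for k in key_lines):
            continue
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((name, no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_all(artifacts):
    """Scan a mapping of artifact name -> decoded text and collect all findings."""
    findings = []
    for name, text in artifacts.items():
        findings.extend(scan_artifact(name, text))
    return findings


# Constructed sample artifacts (hypothetical file names; AWS documentation
# placeholder key values, not live credentials).
SAMPLE_ARTIFACTS = {
    "res/values/strings.xml": (
        '<resources>\n'
        '    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        '    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
        '</resources>\n'
    ),
    "com/example/app/ProductClient.java": (
        'public class ProductClient {\n'
        '    private static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        '}\n'
    ),
    # A 40-char token with no access key id nearby: must not be reported.
    "com/example/app/BuildInfo.java": (
        'public class BuildInfo {\n'
        '    static final String BUILD_ID = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";\n'
        '}\n'
    ),
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_ARTIFACTS):
        print("%s:%d %s %s" % finding)
```

Run it against the output of a decompiler or `unzip`-ed build directory of your own app; every finding means a long-term key that must be rotated, since anything shipped in the APK has to be treated as public.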

1 Answer


I need to know how can I protect my AWS keys in the Android app.

As soon as the credentials are on the client side, you can consider them compromised. Storing credentials in the app is usually a wrong idea.

You provided no other requirements or constraints, so without assuming anything I can only suggest a few ideas:

  • use credentials with only the necessary permissions (e.g. read S3 files, DynamoDB records, ...)
  • implement an API (called by the app) and store the AWS credentials on the server. Then there's the question of how you would reliably authenticate/authorize the mobile app
  • use AWS Cognito to acquire temporary, limited AWS credentials based on a custom user pool or social login
gusto2
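The answer's second and third points (keep keys on a server, hand the app only temporary, limited credentials) are usually implemented together as a small backend endpoint that calls STS AssumeRole with a session policy. The following Python module is an added example, not the answerer's code and not from any AWS SDK; it shows what such an endpoint computes. The role ARN, bucket name and user id are hypothetical placeholders, and `FakeSts` is a constructed stand-in mirroring the response shape of boto3's `assume_role` so that the module runs offline; in a real backend you would pass `boto3.client("sts")` instead. The parameter names `RoleArn`, `RoleSessionName`, `DurationSeconds` and `Policy` are the real STS AssumeRole parameters.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical placeholder: a role in the app owner's account whose trust policy
# lets the backend's own identity assume it.
ROLE_ARN = "arn:aws:iam::123456789012:role/MobileAppReadOnlyRole"
# 900 seconds is the STS minimum; a short lifetime limits the value of a leaked token.
SESSION_DURATION = 900


def session_policy(bucket):
    """Session policy passed to AssumeRole. STS intersects it with the role's own
    policy, so the issued credentials can never exceed this scope."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::%s/public/*" % bucket],
        }],
    }


def assume_role_request(user_id, bucket):
    """Build the AssumeRole parameters for a user the backend has already
    authenticated itself (never from an identity the app merely claims)."""
    return {
        "RoleArn": ROLE_ARN,
        "RoleSessionName": ("app-%s" % user_id)[:64],
        "DurationSeconds": SESSION_DURATION,
        "Policy": json.dumps(session_policy(bucket)),
    }


def is_temporary(creds):
    """True only for STS-issued credentials: 'ASIA' key id plus a session token."""
    return creds["AccessKeyId"].startswith("ASIA") and bool(creds.get("SessionToken"))


def check_temporary(creds):
    """Refuse to hand the app anything that looks like a long-term key."""
    if not is_temporary(creds):
        raise ValueError("expected temporary STS credentials, got a long-term key")
    if creds["Expiration"] <= datetime.now(timezone.utc):
        raise ValueError("credentials already expired")


def vend_credentials(sts_client, user_id, bucket):
    """What the backend endpoint returns to the authenticated app user."""
    resp = sts_client.assume_role(**assume_role_request(user_id, bucket))
    creds = resp["Credentials"]
    check_temporary(creds)
    return {
        "accessKeyId": creds["AccessKeyId"],
        "secretAccessKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
        "expiration": creds["Expiration"].isoformat(),
    }


class FakeSts:
    """Constructed offline stand-in for boto3's STS client (response shape only)."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **params):
        self.calls.append(params)
        return {"Credentials": {
            "AccessKeyId": "ASIA" + "X" * 16,            # constructed value
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-session-token",
            "Expiration": datetime.now(timezone.utc)
            + timedelta(seconds=params["DurationSeconds"]),
        }}


if __name__ == "__main__":
    sts = FakeSts()  # real backend: boto3.client("sts")
    print(json.dumps(vend_credentials(sts, "user-42", "example-app-assets"), indent=2))
```

The app never sees the long-term key that the backend uses to call STS; it receives a key id, secret and session token that stop working after `SESSION_DURATION` seconds and can only read the one prefix named in the session policy. This is the shape Cognito automates, and it is also why the comment below about fetching static keys from a server does not remove the risk: a static key fetched over an API is still a static key once it is in the client's memory.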
  • Thanks, @gusto2, I just added the keys in the server and the app will fetch that keys from the server. – Deepak Goyal Nov 12 '18 at 11:08
  • @DeepakGoyal I hope you are referring to `the keys` as temporary session credentials, not static keys, otherwise it's not much better. You can create temporary session credentials using the sts assumeRole service (directly or using cognito). And the keys should be bound to a role with minimal necessary permissions. Still better than hardcoding them into an app :) – gusto2 Nov 12 '18 at 11:37
  • I'm using the Amazon's Product Advertising API for which I need to have the static credentials of the access key and secret key. So to avoid the warning given by Google, I saved the credentials on the server side and the app will fetch the credentials using the API. – Deepak Goyal Nov 16 '18 at 10:30
  • Hi @DeepakGoyal I got the same alert from Google. Will your solution work? I mean, can I store my credentials on the server and fetch them using an API? Please let me know. – Yogesh Nikam Patil Sep 04 '21 at 20:05
  • @YogeshNikamPatil Yes, it will work because you are not putting the credentials inside the app code. You will fetch the credentials from your server. – Deepak Goyal Sep 05 '21 at 09:25
  • @YogeshNikamPatil it is possible and working, but I don't consider such a solution safe. If someone decompiles the application, they can find the way to fetch the credentials from the server. The proper solution would be using delegated credentials based on the answer – gusto2 Sep 05 '21 at 19:28
  • Thank you deepakgoyal and gusto2. I will definitely go through the steps mentioned in your answer. – Yogesh Nikam Patil Sep 07 '21 at 03:06