I have an app using RestKit successfully. I am building an IAP in the app and for iOS5 I needed a place to host the app files for the IAP. I decided using Amazon S3 for that.
Now I now that I can integrate amazon API but I wish to keep my app simple, and since I am using RestKit I just want to use it to download the files.
Is there a guide or explanation on how to generate a bucket url with expiration and secrets ?
Thanks
Shani
Sure: all the information you need is in the Authenticating REST Requests documentation page.
Also, it's not entirely clear from your question, but I hope you're putting the URL generation in some web app somewhere that you control, rather than directly embedding it in the IOS app. I also hope you're using IAM to restrict that key to the appropriate permissions level regardless.
Related
I'm trying to setup Kahuna for my iOS app, and haven't been able to find a clear answer - the docs says that the secret key is meant to be used with the API Key for authenticating requests, but I can't find anything that states clearly if either of these should be kept secret/out of source code. Are these safe to put in my code, or should they be kept on the server side?
Thanks
Are these safe to put in my code, or should they be kept on the server side?
Short Answer is no for keeping them on the mobile app code and yes to keep them on the server side.
Why?
Because they will be static secrets in your mobile app code, thus they are easily extracted by using any reverse engineer tool, like using the Mobile Security Framewrok(MSF) to decompile the app binary.
Alternatives?
Well you can try code obfuscation, to generate the secrets dynamical in the mobile app or to store the secrets in the iOS keychain, but once more they can be reverse engineered at run-time, once more by using the MSF tool.
Possible Solution?
The best approach is to use a Mobile App Attestation service to protect the connection between the mobile app and the API server, that will guarantee at run-time that your App is not being man in the middle attacked, being tampered with, that is not running in a rooted or jail broken device and that is the same original one uploaded into the app store. This is done in the background without impacting the user experience by using an SDK integrated in your App and a service running in the cloud.
With this guarantees in place we don't need any-more to store secrets in the mobile app for Authentication, Authenticity and Integrity purposes, thus any access to third part services within the App can now be delegated to the API server that will be able to do a better job of protecting all the necessary secrets to access the third part services, like storing them in a vault.
You can find a Mobile App Attestation service in Approov(I work here) that provides SDKs for several platforms, including iOS. The integration will also need a small check in the API server code to verify the JWT token. This check is necessary for the API server to be able to decide what requests to serve and what ones to deny.
I am trying to create an IOS application. Part of it will allow upload of data to a Dropbox account that is hardcoded. I don't know how to do this part of my app without having a webpage show up that asks for authorization. Are there other ways to authorize an account without asking the user?
Don't do this. You're asking for a disaster.
Violates the Dropbox Terms of Service.
What happens when Dropbox suspends your account, your app breaks.
An API key you hide in the app could be compromised and exploited.
Look into another service intended for what you actually want to accomplish, Amazon's S3 is likely a good choice.
I have an mobile application (native iOS) and I want to provide the user the ability to upload videos and associate them to their account.
Some considerations:
I have a Node.js API running on Heroku that I use to maintain the DB.
Videos on will be stored on S3
I am looking for some suggestions on how to architect this. Here is my sequence of events I am thinking...
The app POSTs to the API to create the "event" and receives back an S3 path
The mobile app uploads the video to the S3 path it received in step 1 response.
Upon successful upload the mobile app makes a PUT to update the API that the upload was successful.
I am curious how others have approached this problem.
Your example will work fine.
You can probably get rid of the first POST request to the API and offload the responsibility of dealing with S3 to your client app.
The opposite can also work -- you can have the API deal with uploading, so that you upload your file to the API and then it will store it in S3. This could be beneficial in situations where you have multiple client apps on different platforms and you want to offload all that work to the API instead of each client having to implement it.
Would encrypting the S3 keys in my binary be a good idea? How?
Thanks!
I would recommend you do not include them in your app. Put them on a server with a REST based interface and limit the possibilities of the single user on the server side.
When the user gets you S3 credentials they will be able to abuse them! And they will always be able to get them when you include them in your app.
I'm having issues integrating the AWS iOS SDK (authentication specifically) along with download of a simple URL from a bucket.
I'm using StackMob to store my data, and files are managed through AWS in S3 storage. When querying for an object, the link to the S3 object is given.
I have implemented the Anonymous bucket token registration, and it works fine in the demo application, I can see all the buckets as well as the files in the buckets but here's the big question:
How do I authenticate with AWS using the iOS SDK, and use that authentication to download a URL to an object in my bucket that I already have the link to?
Going directly to that link brings up an access denied error. Also, some of the files are private and not distributed, so I do not want to just make the entire bucket public for people to access with the link.
Any suggestions? I think I read somewhere that you can manipulate the URL to include your access key and secret key, but that you should never include that in a binary as it could get stolen, so maybe having it on a private server and pulling that key to temporarily use it?
Any help would be great!
Thanks
I contacted Amazon support, and it turns out that what I'm looking to do is currently impossible with the SDK.
The only way to generate a URL is having the bucket name, key, and use the "getPreSignedURL" API call to get a signed link to it.
I'll leave this up, hopefully someone will learn from this and not have to pay $50/month for support for this one question.