Would encrypting the S3 keys in my binary be a good idea? How?
Thanks!
I would recommend you do not include them in your app. Put them on a server with a REST based interface and limit the possibilities of the single user on the server side.
When the user gets you S3 credentials they will be able to abuse them! And they will always be able to get them when you include them in your app.
Related
I'm developing an iOS app that uses Cognito User Pools / Federated Identities, Mobile Analytics, and S3 to manage various features of the app, and recently I have become concerned for the security of these features. I already use IAM roles to control the services unauthenticated vs authenticated users have access to, but most of these services use strings (e.g. user pool app client id or user pool app client secret for User Pools, or app id for Mobile Analytics) to give the app access to that service.
What are the best practices to securely store these strings on the device to be used when necessary? Is it even necessary to secure these strings since the app is using IAM roles?
If it is necessary to securely store the strings, I have read that using the CommonCrypto library to encrypt strings before putting them in the keychain is best, but I'm not sure what key to use for encryption since my user needs unauthenticated access to those services. Any advice would be tremendously helpful.
This is a common problem to any mobile app. If someone really wants to, it's not difficult to decompile the app and scrape the keys from it. It's great that you are using IAM roles to restrict feature usage. This will limit the blast radius of attackers, but not necessarily prevent them.
Wth user pools you also get a globally unique identifier which can be used with IAM to restrict what S3 you can use key pre-fixes (which act similar to folders) to limit the objects that users can access to pre-fixes with their unique identifier. You can refer to https://mobile.awsblog.com/post/Tx1OSMBRHZVM9V0/Understanding-Amazon-Cognito-Authentication-Part-3-Roles-and-Policies (Using user pools as the provider, which will use the identity id as the prefix). Depending on how you structure your app you could use this so each user can only modify their own objects. I don't think Analytics has any way of restricting like this... because it wouldn't really make sense for it.
As far as securing your ID's there are things you can do to help mitigate, but there is no fool proof way to prevent someone taking it. You could for instance have the app make a call to your server for the ID... but then an attacker could just call the server. You could encrypt it, which might make it more difficult for an attacker to get, but you have to keep the key somewhere and if the app could get it so could someone who decompiles the app. Unless your app users get some sort of password from outside the app and put it in there isn't a complete way to lock it against attackers.
Hope this helps.
I have an mobile application (native iOS) and I want to provide the user the ability to upload videos and associate them to their account.
Some considerations:
I have a Node.js API running on Heroku that I use to maintain the DB.
Videos on will be stored on S3
I am looking for some suggestions on how to architect this. Here is my sequence of events I am thinking...
The app POSTs to the API to create the "event" and receives back an S3 path
The mobile app uploads the video to the S3 path it received in step 1 response.
Upon successful upload the mobile app makes a PUT to update the API that the upload was successful.
I am curious how others have approached this problem.
Your example will work fine.
You can probably get rid of the first POST request to the API and offload the responsibility of dealing with S3 to your client app.
The opposite can also work -- you can have the API deal with uploading, so that you upload your file to the API and then it will store it in S3. This could be beneficial in situations where you have multiple client apps on different platforms and you want to offload all that work to the API instead of each client having to implement it.
I have an app using RestKit successfully. I am building an IAP in the app and for iOS5 I needed a place to host the app files for the IAP. I decided using Amazon S3 for that.
Now I now that I can integrate amazon API but I wish to keep my app simple, and since I am using RestKit I just want to use it to download the files.
Is there a guide or explanation on how to generate a bucket url with expiration and secrets ?
Thanks
Shani
Sure: all the information you need is in the Authenticating REST Requests documentation page.
Also, it's not entirely clear from your question, but I hope you're putting the URL generation in some web app somewhere that you control, rather than directly embedding it in the IOS app. I also hope you're using IAM to restrict that key to the appropriate permissions level regardless.
I'm having issues integrating the AWS iOS SDK (authentication specifically) along with download of a simple URL from a bucket.
I'm using StackMob to store my data, and files are managed through AWS in S3 storage. When querying for an object, the link to the S3 object is given.
I have implemented the Anonymous bucket token registration, and it works fine in the demo application, I can see all the buckets as well as the files in the buckets but here's the big question:
How do I authenticate with AWS using the iOS SDK, and use that authentication to download a URL to an object in my bucket that I already have the link to?
Going directly to that link brings up an access denied error. Also, some of the files are private and not distributed, so I do not want to just make the entire bucket public for people to access with the link.
Any suggestions? I think I read somewhere that you can manipulate the URL to include your access key and secret key, but that you should never include that in a binary as it could get stolen, so maybe having it on a private server and pulling that key to temporarily use it?
Any help would be great!
Thanks
I contacted Amazon support, and it turns out that what I'm looking to do is currently impossible with the SDK.
The only way to generate a URL is having the bucket name, key, and use the "getPreSignedURL" API call to get a signed link to it.
I'll leave this up, hopefully someone will learn from this and not have to pay $50/month for support for this one question.
I need to build a app that upload video youtube, my question is about logging in google. My app is for only one client, i don't want the user need to logging in youtube then before allow access to my app. I think if I can set tokens in a config file, is this possible? If yes, how i get manually the tokens to store in the config file?
Yes. You authorize the application on YouTube, get the tokens and store them. The application will then use the tokens that were stored. I've done it before (mainly for testing purposes) and it will work fine.