Menu
Amazon has an AWS SDK for iOS, along with several sample apps. In their samples, they put the API credentials in a Constants.h file:
// Constants used to represent your AWS Credentials.
#define ACCESS_KEY_ID @"CHANGE ME"
#define SECRET_KEY @"CHANGE ME"
My concern is that these can be extracted by a determined hacker. Is there any way to securely include API keys in an app?
The one option I've seen is to include a server of my own as a go-between: the app talks to my server, my server talks to S3. I can see the value in doing this, but one is still presented with the problem: do I allow the app to make API calls on my server without any kind of authentication? Including my own API key in the app has the same problem as including AWS API keys.
676
Before sharing your API key, regenerate it and label it as the newest shared key. Don't share API keys through email. Always use HTTPS/SSL for your API requests — some APIs won't field your request if you're not using it. Assign a unique API key to each project and label them accordingly.
So instead of storing the key in plain text (bad) or encrypting it, we should store it as a hashed value within our database. A hashed value means that even if someone gains unauthorised access to our database, no API keys are leaked and it's all safe.
API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key.
There are a couple of credential management options to help you avoid embedding credentials in your app. The first is Web Identity Federation, which allows users to log in to your app with Facebook, Google, or Login With Amazon. Another option is to use a Token Vending Machine, which is a server component that distributes temporary credentials to your app.
There is a high-level overview with pointers to the relevant documentation and code samples on the AWS Mobile Development Blog: http://mobile.awsblog.com/post/Tx3UKF4SV4V0LV3/Announcing-Web-Identity-Federation
153
You'll probably want to create temporary write credentials using AWS STS tokens instead of passing keys all the way to the client. You can also create OAIs for CloudFront endpoints so no users directly access S3.
http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
38
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
