Managing Credentials in Mobile Applications

Version 2 of the AWS Mobile SDK

  • This article and sample apply to Version 1 of the AWS Mobile SDK. If you are building new apps, we recommend you use Version 2. For details, please visit the AWS Mobile SDK page.
  • This content is being maintained for historical reference.

Every application that makes requests to Amazon Web Services (AWS) APIs has to manage credentials, and mobile applications are no different. Mobile developers need to be extra vigilant about credential security because they don’t control the system that will be using the credentials. To help you out, we’ve included links below to a number of articles that cover the challenges of managing AWS credentials in a mobile environment and some strategies for mitigating the risk while using the AWS Mobile SDKs.

The token vending machine (TVM) presents a sample mechanism to securely authenticate your users when issuing them temporary credentials. The article Authenticating Users of AWS Mobile Applications with a Token Vending Machine details the concepts behind the TVM and explains two potential implementations. The Token Vending Machine for Anonymous Registration details the Anonymous TVM, and the Token Vending Machine for Identity Registration details the Identity TVM. Both of these samples were optimized for AWS Elastic Beanstalk, and you’ll need to modify their code when using them in conjunction with your applications. Specifically, you’ll need to modify the policies used when issuing temporary credentials.

Finally, the Credential Management for Mobile Applications article provides a complete mobile application sample that uses the Identity TVM. The code included with the article provides a modified Identity TVM and code for an iOS and Android application. The code and article detail exactly how to use policies to limit access to your AWS resources, providing better security while fully supporting your application’s needs.
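As an illustration of the policy scoping described above, here is an added example (not code from the TVM samples or the linked articles) that builds a per-user policy for temporary credentials and checks a policy for overly broad grants. The bucket name, the `users/<id>/` key layout and the function names are assumptions made for the example.

```python
import json

BUCKET = "example-app-bucket"  # constructed placeholder, not from the article

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_user_policy(bucket, user_id):
    """Policy document limiting one app user to their own S3 key prefix."""
    # Reject ids that could widen the ARN pattern (wildcards, path separators).
    if not user_id or not all(c.isascii() and (c.isalnum() or c in "-_") for c in user_id):
        raise ValueError("user_id must be ASCII letters, digits, '-' or '_'")
    prefix = f"users/{user_id}/"  # assumed per-user key layout
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
            {"Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
        ],
    }

def policy_findings(policy):
    """Return reasons an Allow statement is broader than a device should hold."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"statement {i}: {key} allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
    return findings

if __name__ == "__main__":
    policy = build_user_policy(BUCKET, "user-123")  # constructed user id
    print(json.dumps(policy, indent=2))
    print(policy_findings(policy))
```

Running `policy_findings` over the policy a credential-issuing service is about to attach gives a simple gate before temporary credentials reach a device.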

It is important to understand that all of the code and articles above are samples and suggestions. You will need to modify the code and policies to properly secure your AWS resources while meeting your application’s needs.