Amazon Cloud Services (AWS) has provided the ready to use Library to make calls to SDB, S3, SNS etc right from your Android app. This makes it really easy for a mobile developer who is not familiar with web services and web applications to create a completely scalable cloud based app.
We give the Amazon Access Credentials in these API calls to connect to our cloud Account; My question is:
How do I effectively use Key rotation in the app, since I would be distributing the app, once the change in key could mean a period disruption for the existing users.
Would hard coding the Amazon Access Credentials inside the code (as a field Constant etc) make it vulnerable to extraction? Via decompiling etc.?
I talked to the Amazon Advocate for our region and he told that Amazon client library is not designed for such a purpose.
It could be used in for in-house apps (not being published), like client-demo apps.
If you're bundling the Credentials with an app to be published in open market (not recommended), use IAM and create a separate credential with with restricted access.
If you're building an app like Instagram, you may have to setup a web server to proxy your calls to Amazon (effectively making the client library useless).
Obviously, I was not very convinced. I think an entire client library to Amazon communication (bypassing the need for a webserver) could be a great advantage for Mobile devs.
Re:
Would hard coding the Amazon Access Credentials inside the code (as a field Constant etc) make it vulnerable to extraction? Via decompiling etc.?
Yes, by looking for strings and patterns in the binary. Also decompiling, but that'd often not be necessary.
The first question is, what sort of threats are you trying to protect against? Governments? Paid hackers? Or you just want to make it not easy to gain access other than via the app?
Limit the access the keys have to just the data that the app needs.
Store the keys in the app in several pieces. Modify them in some way (eg ROT47), then re-combine when sending to the service.
Don't put all of the key information into the app. Require use of another security device such as the Amazon MFA
Install monitoring to detect unusual patterns of access that could indicate access from outside of the app.
Related
Application insights can used to monitor custom application events (such as calls, exceptions, durations etc).
The documentation gives SDKs for .net, and an agent for java. https://learn.microsoft.com/en-us/azure/azure-monitor/app/platforms
We are using java, but its hosting by Adobe (its their cloud CMS called AEM), so we cant run or install any agent. We can include java libraries, and cam make rest calls going out.
The question is, does AI have any sort of rest API to get application monitoring data into AI? Azure as a whole has one (e.g. for querying resource groups) https://learn.microsoft.com/en-us/rest/api/azure/
NOTE: this is not to query AI data, there is a specific API for that, we need an API to write the event and telemetry data into it.
I don't think it is officially published (REST API for ingestion).
At the same time the wire protocol is used by both all SDKs and by many customers who decided to use REST API directly. So, essentially REST API will not change.
One way is to build an app using agent, sniff wire protocol using Fiddler (or similar tool) and then use it as REST API.
Beware that Application Insights SDKs (and agents) take care of many things - starting from auto collection, calculating standard metrics and finishing with proper backoff logic/retries/etc.
On top of it Application Insights SDKs support two channels - Standard and Real-time (Live Metrics/Diagnostics). Implementing the second channel might be quite tricky.
I am creating a web application with a Java back end. I intend to house this on Amazon Web Services.
Ideally, in the future, I would like to create a Native Android application that carries the same functionality as the web app.
How can I implement my current application so that the Native App and Web App can both use the same back end database and services?
I have been reading about Service Orientated Architecture, is this the correct approach?
Service Orientated Architecture (SOA) is an approach that has been around for a while and could certainly meet your requirements. However I would caution you that you are going to run into lots of "Enterprise" designs as you search for information about SOA that will really be overkill for the type of development you are doing.
In general I would simply recommend that you focus on the following:
Keep your UI (HTML/JS/CSS) in a separate project from the Java back end. This practice will force you to keep the UI and back end concerns separate.
Have your back end expose an API that sends and receives JSON via HTTP/HTTPS.
Make your back end services stateless. Using JSON web tokens for authentication is a good way to accomplish this (I like using Auth0 for this). In other words don't rely on an HTTP session to track your users from within your Java code. This has the added benefit of making your application really easy to scale.
If you do these things then when it comes time to build the Android app you wont have to touch the back end at all. You will just have to implement the UI again in native Android.
Since you tagged this question with AWS I assume you plan to implement your back end on AWS. If so, I would highly recommend you look into using Amazon's API Gateway service. This service would sit between your UI layer and your back end. This provides several advantages such as rate limiting and caching to secure your API from DDOS attacks, an optional API key for added security, and API versioning to help you deploy new versions of your API without breaking existing clients. Also, by defining your API using the API Gateway service you can then generate an SDK for your API for use in JavaScript, Android and iOS.
Another big advantage of using API Gateway is that it allows you to break up your back end into separate servers, Lambda functions, etc. This allows for great flexibility, and I can't stress enough how the ability to use AWS Lambda in your back end will reduce administrative work as well as hosting costs. This enables you to start thinking about your back end in terms of Microservices.
Is it correct that Android application which communicates with external database (somewhere on the server), requires web service (e.g. java web service)?
Is that web service an actual back end application which directly communicate with the DB?
Is this service, I am talking about, the same thing what AWS or google cloud offers, or am I messing it up?
Cloud providers can provide you computers and other hardware to run your back end server on and in some cases can provide you some or all of the services you need in your back end, obviously depending on what your app actually needs to do.
For example, AWS provides identify verification services, streaming recording backend services, notifications etc. You still need to do work to integrate your app with them but they do a lot of the heavy lifting for you.
Deciding whether to use the services or just the HW with your own services built on top is an architectural and business decision really.
You may want to balance ease of integration against vendor lock in (i.e. being tied to a single cloud provider to run your back end).
Personally, I like architectures that can be ported between cloud providers - you can still build on non cloud provider 3rd party service building block software if you want.
Having said that, AWS and Google have almost certainly put a lot of effort and thought into making their service building blocks easy to integrate and scalable so you may find their ecosystems work for you.
I am very new to both Android development & Azure Mobile Services. I have a decent knowledge of Java so Android development is not proving to be too difficult. Although, I am struggling to gain a good knowledge of working with Azure Mobile Services.
I have little knowledge of REST API's but will be able to learn quite quickly if required. My main concerns/questions are as followed:
Can I build my Android app by using Mobile Services Data & API's alone. i.e the simple table values and the basic CRUD API's?
If not, how should I approach building the application?
I want to cater for multiple column queries, table relationships (1 .. n , inheritance) and I also would like to use JSON objects as parameters for a more lightweight communication rather than passing my full Java objects.
Also, is the possibility of setting up an SSL available?
Any help would be appreciated.
thanks for trying out Azure Mobile Services. Here is a good tutorial on how to get started with Android.
To answer your questions specifically:
Generally a CRUD API for data storage and a custom API for arbitrary REST calls should be all you need for a straightforward app, and those are all offered in the box with Mobile Services. The one thing we don't offer today (but are considering) is support for duplex messaging (WebSocket), which you might need if you are building a realtime app or game.
Mobile Services does not support object trees on the client, but you can still have them in your server database. You just have to write some custom code to "flatten" the hierarchy before you send it to the client.
Every mobile service supports HTTPS by default. We do not currently allow you to do a custom SSL cert.
I am currently working on a project that involves the google apps provisioning api.
Without getting too detailed about the purpose or inner workings of the project, I would like to ask a very simple question:
Is there a way to programmatically create a google apps for business domain (especially as a reseller)?
After tooling around the provisioning api for a while all i could find are ways to add and remove users but nothing pertaining to whole domains.
There is an API only available to Google Apps Resellers, if you are one of them you should get access to it.
I don't know if what you're trying to do is possible, but there are lots of APIs for Google Apps stuff. This may be of some use:
The Provisioning API provides a
mechanism to programmatically create
and manage Google Apps user accounts
with one or more domains, nicknames,
email aliases,organization units, and
groups. Using this API you can
minimize disruption to your
organization's current processes by
synchronizing user data between Google
Apps and your existing user management
system.
More info here:
http://code.google.com/googleapps/docs/#domain