
Amazon access credentials in Android App

Amazon Cloud Services (AWS) has provided a ready-to-use library to make calls to SDB, S3, SNS, etc., right from your Android app. This makes it really easy for a mobile developer who is not familiar with web services and web applications to create a completely scalable cloud-based app. We give the Amazon Access Credentials in these API calls to connect to our cloud account. My questions are:

  1. How do I effectively use key rotation in the app? Since I would be distributing the app, a key change could mean a period of disruption for the existing users.
  2. Would hard-coding the Amazon Access Credentials inside the code (as a field constant, etc.) make it vulnerable to extraction via decompiling, etc.?


I talked to the Amazon Advocate for our region and he told me that the Amazon client library is not designed for such a purpose.

  • It could be used for in-house apps (not being published), like client demo apps.
  • If you're bundling the credentials with an app to be published in the open market (not recommended), use IAM and create a separate credential with restricted access.
  • If you're building an app like Instagram, you may have to set up a web server to proxy your calls to Amazon (effectively making the client library useless).

Obviously, I was not very convinced. I think a client library for direct communication with Amazon (bypassing the need for a web server) could be a great advantage for mobile devs.


Re:

Would hard-coding the Amazon Access Credentials inside the code (as a field constant, etc.) make it vulnerable to extraction via decompiling, etc.?

Yes, by looking for strings and patterns in the binary. Also by decompiling, but that would often not be necessary.

The first question is, what sort of threats are you trying to protect against? Governments? Paid hackers? Or you just want to make it not easy to gain access other than via the app?

  • Limit the access the keys have to just the data that the app needs.
  • Store the keys in the app in several pieces. Modify them in some way (e.g. ROT47), then re-combine them when sending to the service.
  • Don't put all of the key information into the app. Require the use of another security device such as the Amazon MFA.
  • Install monitoring to detect unusual patterns of access that could indicate access from outside of the app.
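As an added example (not part of the question or the answer above) of the monitoring the last bullet recommends: a small detector over constructed CloudTrail-style records that flags an embedded, restricted app credential being used for actions the app never performs, from a non-SDK user agent, or in a burst from a single IP. The allowed-action set, the user-agent prefix, the access key id and the IP addresses are all assumed placeholders.

```python
import json
from collections import Counter

# Constructed CloudTrail-style JSON lines for a published app's embedded IAM credential.
# Key id, IPs and user agents are hypothetical placeholders, not values from the page.
SAMPLE_LOG_LINES = [
    '{"eventName":"PutObject","sourceIPAddress":"198.51.100.10","userAgent":"aws-sdk-android/1.0","userIdentity":{"accessKeyId":"AKIAEXAMPLEAPPKEY"}}',
    '{"eventName":"GetObject","sourceIPAddress":"198.51.100.11","userAgent":"aws-sdk-android/1.0","userIdentity":{"accessKeyId":"AKIAEXAMPLEAPPKEY"}}',
    '{"eventName":"Publish","sourceIPAddress":"198.51.100.12","userAgent":"aws-sdk-android/1.0","userIdentity":{"accessKeyId":"AKIAEXAMPLEAPPKEY"}}',
    # The same key driven from a script: wrong tool, an action the app never performs, one IP hammering.
    '{"eventName":"ListBuckets","sourceIPAddress":"203.0.113.5","userAgent":"aws-cli/2.0","userIdentity":{"accessKeyId":"AKIAEXAMPLEAPPKEY"}}',
    '{"eventName":"GetObject","sourceIPAddress":"203.0.113.5","userAgent":"aws-cli/2.0","userIdentity":{"accessKeyId":"AKIAEXAMPLEAPPKEY"}}',
    '{"eventName":"GetObject","sourceIPAddress":"203.0.113.5","userAgent":"aws-cli/2.0","userIdentity":{"accessKeyId":"AKIAEXAMPLEAPPKEY"}}',
    '{"eventName":"GetObject","sourceIPAddress":"203.0.113.5","userAgent":"aws-cli/2.0","userIdentity":{"accessKeyId":"AKIAEXAMPLEAPPKEY"}}',
]

# Assumed: what the app legitimately does with the restricted credential
# (the IAM policy attached to that credential should allow exactly this and nothing more).
APP_ALLOWED_ACTIONS = {"PutObject", "GetObject", "Publish"}
APP_USER_AGENT_PREFIX = "aws-sdk-android"


def flag_suspicious_usage(log_lines, max_calls_per_ip=3):
    """Parse CloudTrail-style JSON lines and return a list of (kind, detail) findings.

    A key shipped inside a mobile app is legitimately used from thousands of device
    IPs, so IP diversity is not a signal. Actions outside the app's set, a user agent
    that is not the mobile SDK, and a burst of calls from one IP are.
    """
    findings = []
    calls_per_ip = Counter()
    for line in log_lines:
        ev = json.loads(line)
        key = ev["userIdentity"]["accessKeyId"]
        action, ip, ua = ev["eventName"], ev["sourceIPAddress"], ev.get("userAgent", "")
        calls_per_ip[ip] += 1
        if action not in APP_ALLOWED_ACTIONS:
            findings.append(("unexpected_action", f"{key} called {action} from {ip}"))
        if not ua.startswith(APP_USER_AGENT_PREFIX):
            findings.append(("unexpected_user_agent", f"{key} used by {ua!r} from {ip}"))
    for ip, n in calls_per_ip.items():
        if n > max_calls_per_ip:
            findings.append(("burst_from_single_ip", f"{ip} made {n} calls"))
    return findings


if __name__ == "__main__":
    for kind, detail in flag_suspicious_usage(SAMPLE_LOG_LINES):
        print(kind, detail)
```

In production the same checks would run over real CloudTrail events in near real time, and a confirmed finding is the trigger to rotate the restricted credential that the second bullet of the advocate's advice describes.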