Question

I have been using AWS (Amazon Web Services) and in particular SimpleDB for a couple of smartphone apps, using their iOS/Android client libraries.

So far, the data was very benign so I didn't worry too much about data protection.

My next app project will require a "users" table/domain containing usernames and passwords.

What I'm worried about is that if someone reverse-engineers the Android Java version of the app, it will be easy to get all the SimpleDB data, including all the passwords.

The basic TVM thing (Token Vending Machine, where a temporary token replaces the AWS credentials, which are then not in the code) doesn't seem to protect against that scenario, so it would be great to hear what people think is the recommended approach to doing the login part of the app using AWS without being completely unsafe.

Having the passwords table stored somewhere else/accessed in a different way?

Any comment appreciated. Many thanks.


Solution

I can suggest two approaches to keep your app protected:

1st Approach:

You can keep your AWS secret key in a file within your app that is encrypted using a private key. On start-up, your code will read that file using the public key and can only then get your AWS secret key. Please remember the following points in this approach:

  1. Your code must be obfuscated.
  2. Your secret key must be in encrypted form in the file, so you will get double protection.
  3. Your file must be digitally signed.

2nd Approach:

You can also create your own web site that manages your user authentication; if the user is successfully authenticated, it will send the AWS secret key, after encrypting it with the private key, in its response to the app, and your app will use that AWS secret key after decrypting it with the public key. Please remember the following points in this approach:

  1. Your response must be returned in encrypted form.
  2. Your site must be secure and must run on HTTPS.
  3. Your code must be obfuscated.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow