React-native-config: Your app(s) expose Amazon Web Services credentials.

Created on 14 Mar 2019  ·  2 Comments  ·  Source: luggit/react-native-config

I use this package to store my AWS access & secret keys in .env files & then use react-native-aws3 to add these keys and upload images to S3.

However, my Android app got rejected when I submitted a new version to the Play Store. The reason they gave was "Leaked AWS Credentials: Your app(s) expose Amazon Web Services credentials." and they provided this link to fix it.


This package also has a note on the readme that says:

Keep in mind this module doesn't obfuscate or encrypt secrets for packaging, so do not store sensitive keys in .env

So what I am wondering is how do I go about storing my AWS keys so it's secure? Should these never be stored on the client side & instead my app should send the picture over to the server as a file/base64 format and the server uploads the image and returns the url instead?

Any input or suggestions as to how to fix this issue would be much appreciated as I am trying to get an Android build out ASAP!

All 2 comments

You are correct. Such secrets should never be stored in a client. You must build an API, send the image to the API, and only from the API access AWS. These keys are for an API to use, not a client on a device you have no control over.

https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

Or you could use https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html to upload from the device without having to store AWS keys in your app. The server generates the presigned URL and sends it back to the mobile application.
