Building Mobile and Web Apps using the AWS Mobile and Javascript SDKs
Parijat Mishra | Solutions Architect | Amazon Web Services | [email protected]

Upload: amazon-web-services

Post on 16-Jul-2015

TRANSCRIPT

  • In this session, we'll be creating Android apps to demonstrate various features of AWS

  • How do we build mobile apps today?

  • What your mobile application needs (feature: what it means in practice)

    Authenticate users: manage users and identity providers
    Authorize access: securely access cloud resources
    Analyze user behavior, track retention: track active users and engagement; manage funnels and campaign performance
    Store and share media: store user-generated photos and media and share them
    Synchronize data: sync user preferences across devices
    Deliver media: automatically detect mobile devices; deliver content quickly, globally
    Store shared data: store and query fast NoSQL data across users and devices
    Stream real-time data: collect real-time clickstream logs and take actions quickly
    Send push notifications: bring users back to your app by sending messages reliably

    Your mobile application

  • Introducing AWS Mobile Services (layered view)

    Your Mobile App, Game or Device App
    AWS Mobile SDK, API Endpoints, Management Console
    Mobile Optimized Services: Amazon Cognito, Amazon Mobile Analytics, Amazon SNS Mobile Push
    Mobile Optimized Connectors: Kinesis Connector, DynamoDB Connector, S3 Connector, SQS Connector, SES Connector
    Core Building Block Services: Compute, Storage, Networking, Analytics, Databases
    AWS Global Infrastructure (11 Regions, 28 Availability Zones, 52 Edge Locations)

  • Integrated SDK: the fully integrated AWS Mobile SDK

    Cross-platform, optimized for mobile
    Automatically handles intermittent and latent network
    Reduced memory footprint
    Common authentication method across all services

  • Which AWS service covers each feature, with the AWS Mobile SDK

    Authenticate users: Amazon Cognito (Identity broker)
    Authorize access: AWS Identity and Access Management
    Analyze user behavior: Amazon Mobile Analytics
    Store and share media: Amazon S3 Transfer Manager
    Synchronize data: Amazon Cognito (Sync)
    Deliver media: Amazon CloudFront (Device Detection)
    Store shared data: Amazon DynamoDB (Object Mapper)
    Stream real-time data: Amazon Kinesis (Recorder)
    Track retention: Amazon Mobile Analytics
    Send push notifications: Amazon SNS Mobile Push

    Your mobile application with the AWS Mobile SDK

  • Let's build a Media App! What should it do?

  • Our Media App's wish-list of features

    ☐ Upload & download media files to/from S3 buckets
    ☐ Grant anonymous but secure access to AWS resources in our account
    ☐ Grant authenticated access for users that log in via Public Identity Providers
    ☐ Send push notifications to mobile devices
    ☐ Store the media library inventory in the cloud so it can be queried by many users
    ☐ Provide partitioned access to the media library based on Public and Private views
    ☐ Synchronise user data across devices
    ☐ Make all this available across devices (iOS, Android, Kindle) and web

  • First App: Basic Download/Upload App

    Goals:
    User is anonymous; we don't care who they are, and treat them as Public or Guest
    Directly access AWS Simple Storage Service (S3) from the mobile application
    We do not want to upload to a server and then have the server push the file to S3

    Requirements:
    We need to authenticate the application on the mobile device
    We do not want to bake the AWS credentials in our mobile app!
    Even though users are anonymous, we still want to control access to AWS

  • First App: Basic Download/Upload App (components)

    Mobile App
    Cognito Identity
    S3 Bucket with test media

  • Amazon Cognito: granting guest access to our Public users for controlled access to AWS resources

  • Cognito Identity Example

    Cognito Identity for Guests: Cognito assigns a unique identifier for each device when a user is not logged on
    Cognito Identity for Authenticated Users: Cognito assigns a unique identifier for each user when they are authenticated. This will be the same identifier for this user regardless of which device they use

  • Cognito setup

  • Create a new Cognito Identity Pool

  • Create a new Cognito Identity Pool: supplying public identity providers is optional. For this demo, we will not be supporting public identity providers, so we leave them empty

  • Create a new Cognito Identity Pool: enable guest access. For this demo, we will allow anonymous access so that unauthenticated users can upload and download from our S3 bucket

  • Create a new Cognito Identity Pool: create IAM roles for this Cognito Identity Pool. We will assign tight security controls to these roles later

  • Create a new Cognito Identity Pool: and assign a role for unauthenticated access

  • Create a new Cognito Identity Pool: starter code samples. Cognito conveniently provides starter code for you for Android, iOS and .Net! This is an example of how you can easily connect your app to Cognito

  • Setup the required permissions in IAM

  • Setup the required permissions in IAM: note the default policy

  • Setup the required permissions in IAM: default policy created by Cognito. By default, access to Cognito Sync and Mobile Analytics is permitted. This policy has been generated by the Cognito Create Identity Pool wizard

  • Media in our S3 bucket: S3 bucket contents. Test file that we will be downloading via the TransferManager S3 connector

  • Media in our S3 bucket: S3 bucket ACLs. Note that the ACLs on the bucket do not permit Public, so the asset is not world-accessible

  • Let's give the anonymous guest access to our S3 bucket for read and write

  • Setup the required permissions in IAM: use the Policy Generator. We'll create our specific S3-related policy using the Policy Generator

  • Setup the required permissions in IAM: specify our bucket. Our policy will specify access for our specific bucket. We'll allow GetObject and PutObject

  • Setup the required permissions in IAM: resulting policy document. Here's what the resulting policy looks like for allowing READ access to any object in the specific bucket, and the ability to WRITE any object

  • We're now set up, let's start coding!

  • Instantiate Cognito Credentials Provider

    Give Cognito your details:
    Account Id
    Identity Pool ARN
    UnAuthenticated access Role ARN
    Authenticated access Role ARN
    The Region you are running Cognito in

  • Implementation note! This Cognito class is just my convenience wrapper! I have chosen to implement this as a Singleton at App-scope. Your implementation may be different; the only important thing is that you instantiate a CognitoCachingCredentialsProvider

  • Amazon S3 Connector: Transfer Manager

    Multipart upload media (photos, videos, audio)
    Fault tolerant download (e.g. assets)
    No backend required
    Automatic retries
    Pause, resume, cancel functions
    Optimized for native OS

  • Pass Cognito Credentials to the AWS S3 Transfer Manager constructor: pass the Cognito Provider to the TransferManager S3 connector to construct based on the Cognito-acquired AWS credentials

  • Set up the download request and go! Initiate the download

  • Demo App: first, the Application instantiates a CognitoCachingCredentialsProvider(); then initiates a download, followed by an upload

  • Our Media App's wish-list of features

    ☐ Upload & download media files to/from S3 buckets
    ☐ Grant anonymous but secure access to AWS resources in our account
    ☐ Grant authenticated access for users that log in via Public Identity Providers
    ☐ Send push notifications to mobile devices
    ☐ Store the media library inventory in the cloud so it can be queried by many users
    ☐ Provide partitioned access to the media library based on Public and Private views
    ☐ Synchronise user data across devices
    ☐ Make all this available across devices (iOS, Android, Kindle) and web
    ☐ Convert uploaded video files to various mobile/web formats

  • Amazon Cognito: now let's authenticate our users via public identity providers

  • Implement Public & Private views

    Goals:
    User can be anonymous or they can choose to sign in via Facebook
    If they are anonymous, we let them see a Public view of the media library
    If they choose to sign in, we let them see their own Private view of the library

    Requirements:
    We will use Cognito to help with the Public and Private authentication
    Again, no AWS credentials in our mobile app!
    We want to enforce Fine-Grained Access Control on the database views

  • Amazon Cognito Security Architecture (diagram)

    Developer: configures the identity pool through the AWS Management Console (Pool ID, Role ARNs)
    End Users: App w/SDK access to AWS services
    Login: the app obtains an OAUTH/OpenID Access Token from the identity provider and passes it to the Cognito Identity Broker
    Cognito Identity Broker: returns a Cognito ID and temp credentials (User ID + temp credentials)
    Temp credentials are then used directly against DynamoDB, S3, Mobile Analytics and the Cognito Sync Store

  • Raw DynamoDB records example

    Hash Key: each OwnerId identifies a user by their Cognito identity, or "public" if they didn't log on to Facebook
    Range Key: each OwnerId has multiple Filenames

  • Raw DynamoDB records example

    Inventory is partitioned based on the OwnerId: "public" is accessible to the guest Cognito Identity; anything else must match the identity of the user accessing the application (assigned by Cognito automatically)

  • Use the DynamoDB Mapper

    Use the DynamoDB Mapper annotations to decorate your value object. Specify the HashKey, RangeKey and the individual Attributes in your value object that should map to columns in the DynamoDB table

  • For this demo, we'll use Facebook as our Public Identity Provider

  • Implement Public & Private views (flow)

    The Mobile App obtains an OAUTH/OpenID Access Token from Facebook
    The Cognito Identity Broker exchanges it for a Cognito ID and temp credentials
    The app queries DynamoDB for results filtered by OwnerId

  • Using Facebook in your App: great how-to at https://developers.facebook.com/docs/android/getting-started

  • Create an App on Facebook

  • Create an App on Facebook: Cognito needs the App ID. The App ID from Facebook is what binds the Identity Pool to the Facebook application

  • Configure Cognito to use Facebook

  • Add an Android application to FB

  • Add an Android application to FB: generate your signing hash from your development environment; check the documentation

  • We're now set up, let's start coding!

  • Secure access to DynamoDB: simply instantiate the AmazonDynamoDBClient and specify your Cognito provider as the credential provider in the constructor

  • Querying the DynamoDB table from code: querying the DynamoDB table is simple! The DynamoDB Mapper will map the columns in the table to the fields in your value object and return a typed list of records ready to iterate

  • Demo App

    Guest access:
    Connects to Cognito as anonymous user
    Gets AWS token and uses that to instantiate a DynamoDB client
    Queries DynamoDB using the key "public"

    Authenticated access:
    Gets token from Facebook
    Passes token to Cognito
    Impersonates authenticated user
    Queries DynamoDB using the key that matches the Cognito Identity of this user

  • Raw DynamoDB records example: inventory is partitioned based on the OwnerId. "public" is accessible to the guest Cognito Identity; anything else must match the identity of the user accessing the application

  • FGAC on DynamoDB using IAM: Fine-Grained Access Control (FGAC)

    Restrict which Actions can be called by the user
    Restrict which DynamoDB Tables can be accessed by the user
    Restrict which rows in the table are accessible by the user
    Control which fields are accessible in the query results

  • FGAC on DynamoDB using IAM: control the actions the user can invoke (the Unauthenticated Role Policy)

  • FGAC on DynamoDB using IAM: control the DynamoDB Table the user can access (the Unauthenticated Role Policy)

  • FGAC on DynamoDB using IAM: restrict the rows in the DynamoDB table the user can access (the Unauthenticated Role Policy)

  • FGAC on DynamoDB using IAM: use the Cognito Id for this user to restrict the rows that will be accessible to the user (the Authenticated Role Policy)
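The two role policies the FGAC slides describe, written out as an added example (this is not the deck's own policy text): the guest role is pinned to the literal "public" partition, the authenticated role to the caller's own Cognito identity via the `${cognito-identity.amazonaws.com:sub}` policy variable and the `dynamodb:LeadingKeys` condition key. A small local evaluator models default-deny plus the action, table and leading-key checks so the row partitioning can be exercised offline; the table ARN and identity ids are assumed placeholders, and the field-level (attribute) restriction is not modelled.

```javascript
// Added example, not from the deck: DynamoDB FGAC role policies plus a local evaluator.
const TABLE_ARN = 'arn:aws:dynamodb:us-east-1:123456789012:table/MediaInventory'; // assumed
const COGNITO_SUB = '${cognito-identity.amazonaws.com:sub}'; // IAM policy variable

// Unauthenticated (guest) role: read-only, one table, and only items whose
// hash key (OwnerId) is the shared "public" partition.
const unauthenticatedRolePolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['dynamodb:GetItem', 'dynamodb:Query'],
    Resource: [TABLE_ARN],
    Condition: { 'ForAllValues:StringEquals': { 'dynamodb:LeadingKeys': ['public'] } },
  }],
};

// Authenticated role: same table, may also write, but every row touched must
// carry the caller's Cognito identity id, which IAM substitutes at request time.
const authenticatedRolePolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['dynamodb:GetItem', 'dynamodb:Query', 'dynamodb:PutItem'],
    Resource: [TABLE_ARN],
    Condition: { 'ForAllValues:StringEquals': { 'dynamodb:LeadingKeys': [COGNITO_SUB] } },
  }],
};

// Minimal model of IAM evaluation for these policy shapes: nothing is allowed
// unless an Allow statement matches action, resource and the LeadingKeys condition.
// request = { identityId, action, resource, leadingKeys: [hash key values in the call] }
function isAllowed(policy, request) {
  const { identityId, action, resource, leadingKeys } = request;
  return policy.Statement.some((stmt) => {
    if (stmt.Effect !== 'Allow') return false;
    if (!stmt.Action.includes(action)) return false;
    if (!stmt.Resource.includes(resource)) return false;
    const cond = stmt.Condition && stmt.Condition['ForAllValues:StringEquals'];
    if (!cond) return true;
    // Substitute the policy variable with the caller's Cognito identity id
    const permitted = cond['dynamodb:LeadingKeys'].map((k) => k.replace(COGNITO_SUB, identityId));
    // ForAllValues: every hash key in the request must be in the permitted set
    return leadingKeys.every((k) => permitted.includes(k));
  });
}
```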

  • Our Media App's wish-list of features

    ☐ Upload & download media files to/from S3 buckets
    ☐ Grant anonymous but secure access to AWS resources in our account
    ☐ Grant authenticated access for users that log in via Public Identity Providers
    ☐ Send push notifications to mobile devices
    ☐ Store the media library inventory in the cloud so it can be queried by many users
    ☐ Provide partitioned access to the media library based on Public and Private views
    ☐ Synchronise user data across devices
    ☐ Make all this available across devices (iOS, Android, Kindle) and web
    ☐ Convert uploaded video files to various mobile/web formats

  • Amazon SNS: Push Notifications

  • SNS application targets: each platform works differently, and push gets even more complex as you scale to support millions of devices. (Cloud App, Platform Services, Mobile Apps)

  • Amazon SNS Cross-platform Mobile Push

    With Amazon SNS, developers can send push notifications on multiple platforms and reach mobile users around the world.

    Your application back-end publishes to Amazon SNS, which delivers to the SNS application targets:
    Apple APNS: Apple iPhones and iPads
    Google GCM: Android Phones and Tablets
    Amazon ADM: Kindle Fire Devices
    Baidu CP: Android Phones and Tablets in China
    Windows WNS and MPNS: Windows Desktop and Phones

  • Next App: SNS Push Notification App

    Goals:
    Application automatically registers with Google Cloud Messaging (GCM)
    The device registration Id is then sent to SNS to register as a device endpoint
    The application then subscribes that device endpoint to a well-known SNS topic
    This topic is shared by all other devices using the application
    The application then confirms SNS Push Notifications are working by sending a message to itself via SNS. The user sees a pop-up message.
    Later, whenever a message is sent to the shared SNS Topic, all devices subscribed receive a pop-up notification

  • Next App: SNS Push Notification App (components and flow)

    Mobile App, Cognito, SNS Application (ENDPOINT APP), SNS Topic (TOPIC), GCM
    Create Platform Endpoint; subscribe to topic; publish test message to our Endpoint; push notification from GCM

  • Setup Amazon SNS

  • On the SNS Dashboard, create a new Topic

  • On the SNS Dashboard, create a new Topic: note the Topic's ARN. We will need this in our code to subscribe the device to the topic so we can receive notifications

  • Create a Google API Project and obtain the Google Project ID

  • Enable GCM for Android

  • Create the Server API Key

  • Obtain the Server API Key from Google

  • On the SNS Dashboard, create a new App

  • Specify the API Key you got from Google

  • Note the ARN for this SNS Application

  • We're now set up, let's start coding!

  • Instantiate Cognito Credentials Provider

    Give Cognito your details:
    Account Id
    Identity Pool ARN
    UnAuthenticated access Role ARN
    Authenticated access Role ARN
    The Region you are running Cognito in

  • Instantiate SNS using Credentials from Cognito: again, this Cognito class is just my convenience wrapper implemented as a Singleton

  • Get the device registration ID from GCM: we're requesting the device identifier/token for this unique device, against the Google Project Id we created earlier

  • And register this device with the SNS App: the deviceIdentifier is the device token returned from GCM for this unique device

  • Finally, subscribe the endpoint to the Topic: the endpoint is the ARN you got back from the previous call to getEndpointArn()

  • Demo App

    At startup, we register this device with the SNS Application
    Then we subscribe this device Endpoint to the global SNS Topic
    We then send a test message from the device to ourselves to confirm the round trip is working
    If we subsequently publish to the global SNS Topic, all devices subscribed will be notified
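The register, subscribe and self-test sequence described on the slides above, as an added example rather than the deck's Android code: it uses the AWS SDK for JavaScript v2 callback shapes for createPlatformEndpoint, subscribe (protocol "application" is SNS's mobile-push protocol) and publish. The SNS client is passed in, so the constructed fake at the bottom lets the whole sequence run offline and shows that the endpoint ARN returned by the first call is what the next two calls must be given; the ARNs and GCM token are assumed placeholders.

```javascript
// Added example, not from the deck: GCM token -> SNS endpoint -> topic subscription -> self-test.
function registerDeviceForPush(sns, opts, done) {
  const { platformApplicationArn, topicArn, deviceToken } = opts;
  // Without a registration id from GCM there is nothing to register yet
  if (!deviceToken) return done(new Error('no GCM registration id yet'));

  // 1. Turn the GCM registration id into an endpoint of the SNS platform application
  sns.createPlatformEndpoint(
    { PlatformApplicationArn: platformApplicationArn, Token: deviceToken },
    (err, ep) => {
      if (err) return done(err);
      // 2. Subscribe that endpoint to the shared topic ("application" = mobile push)
      sns.subscribe(
        { TopicArn: topicArn, Protocol: 'application', Endpoint: ep.EndpointArn },
        (err2, sub) => {
          if (err2) return done(err2);
          // 3. Round-trip check: publish a test message to our own endpoint only,
          //    not to the shared topic, so other devices are not disturbed
          sns.publish(
            { TargetArn: ep.EndpointArn, Message: 'push registration test' },
            (err3, msg) => {
              if (err3) return done(err3);
              done(null, {
                endpointArn: ep.EndpointArn,
                subscriptionArn: sub.SubscriptionArn,
                testMessageId: msg.MessageId,
              });
            });
        });
    });
}

// Constructed stand-in for the SNS client: records each call and answers synchronously.
function makeFakeSns() {
  const calls = [];
  const op = (name, reply) => (params, cb) => {
    calls.push({ name, params });
    cb(null, reply(params));
  };
  return {
    calls,
    createPlatformEndpoint: op('createPlatformEndpoint',
      (p) => ({ EndpointArn: `${p.PlatformApplicationArn}/endpoint/${p.Token}` })),
    subscribe: op('subscribe', (p) => ({ SubscriptionArn: `${p.TopicArn}:sub-0001` })),
    publish: op('publish', () => ({ MessageId: 'msg-0001' })),
  };
}
```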

  • Our Media App's wish-list of features

    ☐ Upload & download media files to/from S3 buckets
    ☐ Grant anonymous but secure access to AWS resources in our account
    ☐ Grant authenticated access for users that log in via Public Identity Providers
    ☐ Send push notifications to mobile devices
    ☐ Store the media library inventory in the cloud so it can be queried by many users
    ☐ Provide partitioned access to the media library based on Public and Private views
    ☐ Synchronise user data across devices
    ☐ Make all this available across devices (iOS, Android, Kindle) and web

  • But wait! How did we initiate the sending of the Push Notification to the global SNS Topic?

  • Demo web page to send Push Notifications: plain old Javascript and HTML! The website is a standard HTML site with Javascript. It is being served from S3, so no back-end servers. The magic comes from the AWS Javascript SDK

  • Demo web page to send Push Notifications

    Topic ARN: this is the topic we subscribed our application to when it started up
    Cognito Role: this is the IAM role we want to use; we're using the unauthenticated guest role in this demo
    Cognito Identity Pool ID: this is the specific Cognito pool we want to use for authentication

  • Demo web page to send Push Notifications

  • Our Media App's wish-list of features

    ☐ Upload & download media files to/from S3 buckets
    ☐ Grant anonymous but secure access to AWS resources in our account
    ☐ Grant authenticated access for users that log in via Public Identity Providers
    ☐ Send push notifications to mobile devices
    ☐ Store the media library inventory in the cloud so it can be queried by many users
    ☐ Provide partitioned access to the media library based on Public and Private views
    ☐ Synchronise user data across devices
    ☐ Make all this available across devices (iOS, Android, Kindle) and web

  • Amazon Cognito: sharing data between devices

  • Next App: Shared application data

    Goals:
    User is authenticated with Facebook
    Each time they modify gadgets in the app, the state of the gadgets is synchronized with all other devices using the application (for that user account)
    Verify these shared data changes in a companion web page, where the user is also authenticated with Facebook, and is the same user principal

  • Add a Web application to FB

  • Add a Web application to FB: S3 bucket name. We're using S3 to serve the web site in this example, but you can use CloudFront, or EC2, or use a CNAME

  • Javascript code to read Cognito Sync Data: instantiate the CognitoSync object. It will inherit the Cognito credentials from those we obtained earlier from our call to CognitoIdentityCredentials()

  • Javascript code to read Cognito Sync Data: specify our parameters. We need to specify the DatasetName that we want to connect to, and the Cognito Identity information as shown

  • Javascript code to read Cognito Sync Data: call CognitoSync::listRecords() and provide our params and a callback

  • Javascript code to read Cognito Sync Data: onSuccess(), iterate the results and do something interesting with the data records

  • Demo App: the web page has access to the shared data when authenticated as the Facebook user, and the mobile application has access to the same shared data if the user is logged on to Facebook as the same user
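The four Javascript steps above (instantiate CognitoSync, build the params, call listRecords with a callback, iterate the records) as an added example that is not the deck's own web-page code. It follows the AWS SDK for JavaScript v2 listRecords call shape and goes one step further than the slides by paging through NextToken until the dataset is complete. The client is injected: in the browser it would be `new AWS.CognitoSync()` after the `CognitoIdentityCredentials` object has resolved, and `identityId` would be that credentials object's `identityId`; the constructed fake below stands in for the service, the pool and identity ids are assumed, and treating a record returned without a Value as a deleted key is an assumption made here.

```javascript
// Added example, not from the deck: read one Cognito Sync dataset into a key/value map.
function readSyncDataset(cognitosync, ids, done) {
  const records = {};
  const page = (nextToken) => {
    const params = {
      DatasetName: ids.datasetName,
      IdentityId: ids.identityId, // the caller's own Cognito identity, never someone else's
      IdentityPoolId: ids.identityPoolId,
    };
    if (nextToken) params.NextToken = nextToken;
    cognitosync.listRecords(params, (err, data) => {
      if (err) return done(err);
      for (const rec of data.Records || []) {
        // Assumption: a record with no Value is a deleted key, so it is not surfaced
        if (rec.Value !== undefined && rec.Value !== null) records[rec.Key] = rec.Value;
      }
      if (data.NextToken) return page(data.NextToken); // more records to fetch
      done(null, { records, syncCount: data.DatasetSyncCount });
    });
  };
  page(null);
}

// Constructed stand-in for the CognitoSync client: two pages of "gadget" records,
// and a refusal to serve any identity other than the one that owns the dataset
// (standing in for the service-side scoping of datasets to the calling identity).
const OWNER_IDENTITY = 'us-east-1:11111111-aaaa-bbbb-cccc-222222222222'; // assumed
function makeFakeCognitoSync() {
  const pages = {
    first: {
      Records: [{ Key: 'gadget1', Value: 'on' }, { Key: 'gadget2', Value: 'off' }],
      NextToken: 'p2',
      DatasetSyncCount: 7,
    },
    p2: {
      Records: [{ Key: 'gadget3', Value: '42' }, { Key: 'gadget4' }], // gadget4: deleted
      DatasetSyncCount: 7,
    },
  };
  const calls = [];
  return {
    calls,
    listRecords(params, cb) {
      calls.push(params);
      if (params.IdentityId !== OWNER_IDENTITY) {
        return cb(new Error('NotAuthorizedException: identity does not own this dataset'));
      }
      cb(null, pages[params.NextToken || 'first']);
    },
  };
}
```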

  • Our Media App's wish-list of features

    ☐ Upload & download media files to/from S3 buckets
    ☐ Grant anonymous but secure access to AWS resources in our account
    ☐ Grant authenticated access for users that log in via Public Identity Providers
    ☐ Send push notifications to mobile devices
    ☐ Store the media library inventory in the cloud so it can be queried by many users
    ☐ Provide partitioned access to the media library based on Public and Private views
    ☐ Synchronise user data across devices
    ☐ Make all this available across devices (iOS, Android, Kindle) and web
    ☐ Convert uploaded video files to various mobile/web formats

  • We covered a lot of ground in this deep-dive session!

  • AWS Mobile Services

    Amazon Cognito: user identity & data synchronization service
    Amazon SNS Mobile Push: powerful cross-platform push notification service
    DynamoDB Connector: store any NoSQL data and also map mobile OS specific objects to DynamoDB tables
    S3 Connector: easily upload, download to S3 and also pause, resume, and cancel these operations
    SQS Connector: access distributed buffering and queuing service

  • AWS Services & Features

    Amazon S3: online file storage web service
    Amazon Elastic Transcode Service: highly scalable media transcoding in the cloud
    Amazon CloudFront: Content Delivery Network (CDN)
    Amazon Elastic Beanstalk: Platform as a Service (PaaS)
    Amazon Identity and Access Management: securely control access to AWS services and resources for your users

  • Online Labs | Training

    Gain confidence and hands-on experience with AWS. Watch free Instructional Videos and explore Self-Paced Labs

    Instructor Led Classes: learn how to design, deploy and operate highly available, cost-effective and secure applications on AWS in courses led by qualified AWS instructors

    AWS Certification: validate your technical expertise with AWS and use practice exams to help you prepare for AWS Certification

    h

  • Thank You