Mobile Application Development

v

Building Mobile and Web
Apps using the AWS Mobile
and Javascript SDKs
Parijat Mishra | Solutions Architect | Amazon Web Services
parijat@amazon.com

v

In this session, we’ll be creating Android apps
to demonstrate various features of AWS

v

How do we build mobile apps today?

v

Authenticate users
Authorize access
Analyze User Behavior
Store and share media
Synchronize data
Deliver media
Store shared data
Stream real-time dataTrack Retention
Send push notifications
Manage users and
identity providers
Securely access
cloud resources
Sync user prefs
across devices
Track active users,
engagement
Manage funnels,
Campaign performances
Store user-generated photos
Media and share them
Automatically detect mobile devices
Deliver content quickly globally
Bring users back to your app by sending
messages reliably
Store and query fast NoSQL data
across users and devices
Collect real-time clickstream
logs and take actions
quickly
Your
Mobile
App
Your mobile
application

v

Introducing AWS Mobile Services
Amazon Cognito Amazon Mobile Analytics Amazon SNS Mobile Push
Kinesis Connector DynamoDB Connector S3 Connector SQS Connector SES Connector
AWS Global Infrastructure (11 Regions, 28 Availability Zones, 52 Edge Locations)
Core Building Block
Services
Mobile Optimized
Connectors
Mobile Optimized
Services
Your Mobile App, Game or Device App
AWS Mobile SDK, API Endpoints, Management Console
Compute Storage Networking Analytics Databases
Integrated SDK

v

Fully integrated AWS
mobile SDK
Cross-platform,
optimized for mobile
Automatically handles
intermittent and latent
network
AWS Mobile SDK
Reduced memory footprint
Common authentication
method across all services

v

Authenticate users
Authorize access
Analyze User Behavior
Store and share media
Synchronize data
Deliver media
Store shared data
Stream real-time dataTrack Retention
Send push notifications
Amazon Cognito
(Identity broker)
AWS Identity and
Access Management
Amazon Cognito
(Sync)
Amazon Mobile
Analytics
Amazon Mobile
Analytics
Amazon S3
Transfer Manager
Amazon CloudFront
(Device Detection)
Amazon SNS
Mobile Push
Amazon DynamoDB
(Object Mapper)
Amazon Kinesis
(Recorder)
Your mobile
application
with the AWS
Mobile SDK

v

Let’s build a Media App!
What should it do?

v

Our Media App’s wish-list of features
q  Upload & Download media files to/from S3 buckets
q  Grant anonymous but secure access to AWS resources in our account
q  Grant authenticated access for users that log in via Public Identity Providers
q  Send push notifications to mobile devices
q  Store the media library inventory in the cloud so it can be queried by many users
q  Provide partitioned access to the media library based on Public and Private views
q  Synchronise user data across devices
q  Make all this available across devices (iOS, Android, Kindle) and web

v

•  Goals:
•  User is anonymous – we don’t care who they are, treat them as ‘Public’ or ‘Guest’
•  Directly access AWS Simple Storage Service (S3) from the mobile application
•  We do not want to upload to a server and then have the server push the file to S3…
•  Requirements:
•  We need to authenticate the application on the mobile device
•  We do not want to bake the AWS credentials in our mobile app!
•  Even though users are anonymous, we still want to control access to AWS
First App: Basic Download/Upload App

v

Mobile App
S3 Bucket with
test media
Cognito Identity
First App: Basic Download/Upload App

v

Amazon Cognito
Granting ‘guest’ access to our
‘Public’ users for controlled access to AWS resources

v

Cognito Identity Example
Cognito Identity for Guests
Cognito assigns a unique identifier for each
device when a user is not logged on
Cognito Identity for Authenticated Users
Cognito assigns a unique identifier for each user
when they are authenticated. This will be the
same identifier for this user regardless of which
device they use

v

Create a new Cognito Identity Pool

v

Supplying public identity
providers is optional
For this demo, we will not be
supporting public identity
providers, so we leave them empty

v

Enable guest access
For this demo, we will allow ‘anonymous access’
so that unauthenticated users can upload and
download from our S3 bucket

v

Create IAM Roles
Create IAM roles for
this Cognito Identity
Pool. We will assign
tight security controls
to these roles later

v

And assign a role for
unauthenticated access

v

Starter code samples
Cognito conveniently
provides starter code for you
for Android, iOS and .Net!
This is an example of how
you can easily connect your
app to Cognito

v

Setup the required permissions in IAM

v

Note the default policy

v

Default policy created by
Cognito
By default, access to Cognito
Sync and Mobile Analytics is
permitted. This policy has been
generated by the Cognito Create
Identity Pool wizard

v

Media in our S3 bucket
S3 Bucket contents
Test file that we will be
downloading via the
TransferManager S3 connector

v

S3 Bucket ACLs
Note that the ACLs on the bucket
do not permit ‘Public’ so the asset
is not world-accessible
Media in our S3 bucket

v

Let’s give the anonymous ‘guest’ access to our
S3 bucket for read and write

v

Use the Policy Generator
We’ll create our specific S3-
related policy using the Policy
Generator

v

Specify our bucket
Our policy will specify access for
our specific bucket. We’ll allow
GetObject and PutObject

v

Resulting Policy Document
Here’s what the resulting policy
looks like for allowing READ
access to any object in the
specific bucket, and the ability to
WRITE any object

v

We’re now set up – let’s start coding!

v

Instantiate Cognito Credentials Provider
Give Cognito your details
•  Account Id
•  Identity Pool ARN
•  UnAuthenticated access Role ARN
•  Authenticated access Role ARN
•  The Region you are running Cognito in

v

Implementation Note!
This ‘Cognito’ class is just
my convenience wrapper!
I have chosen to implement
this as a Singleton at
App-scope
Your implementation may
be different
The only important thing is
that you instantiate a
CognitoCachingCredentialsProvider

v

S3 Connector
•  Multipart upload media (photos, videos, audio)
•  Fault tolerant download (e.g. assets)
•  No backend required
•  Automatic retries
•  Pause, resume, cancel functions
•  Optimized for native OS
Amazon S3 Connector: Transfer Manager

v

Pass Cognito Credentials to the
AWS S3 Transfer Manager constructor
Pass the Cognito Provider to the TransferManager S3
connector to construct based on the Cognito-acquired
AWS credentials

v

Set up the download request and go!
Initiate the download

v

Demo App
First, the Application instantiates a
CognitoCachingCredentialsProvider()
Then initiates a download, followed by an upload

v

Our Media App’s wish-list of features
q  Upload & Download media files to/from S3 buckets
q  Grant anonymous but secure access to AWS resources in our account
q  Grant authenticated access for users that log in via Public Identity Providers
q  Send push notifications to mobile devices
q  Store the media library inventory in the cloud so it can be queried by many users
q  Provide partitioned access to the media library based on Public and Private views
q  Synchronise user data across devices
q  Make all this available across devices (iOS, Android, Kindle) and web
q  Convert uploaded video files to various mobile/web formats

v

Amazon Cognito
Now let’s authenticate our users
via public identity providers

v

•  Goals:
•  User can be anonymous or they can choose to sign-in via Facebook
•  If they are anonymous, we let them see a ‘Public’ view of the media library
•  If they choose to sign-in, we let them see their own ‘Private’ view of the library
•  Requirements:
•  We will use Cognito to help with the Public and Private authentication
•  Again, no AWS credentials in our mobile app!
•  We want to enforce Fine-Grained Access Control on the database views
Implement Public & Private views

v

User ID
(Temp
Credentials)
DynamoDB
End Users
Developer
App w/SDK
Access
to AWS Services
Cognito Identity
Broker
Login OAUTH/OpenID
Access Token
Cognito ID,
Temp
Credentials
S3
Mobile Analytics
Cognito Sync
Store
AWS
Management
Console
Access Token
Pool ID
Role ARNs
Amazon Cognito Security Architecture

v

Raw DynamoDB records example
Range Key
Each OwnerId
has multiple
Filenames
Hash Key
Each OwnerId
identifies a user by
their Cognito identity,
or ‘public’ if they didn’t
log on to Facebook

v

Inventory is partitioned
based on the OwnerId
‘public’ is accessible
to the ‘guest’
Cognito Identity
Anything else must
match the identity of
the user accessing
the application
Assigned by
Cognito
automatically

v

Use the DynamoDB Mapper
Use the DynamoDB Mapper
annotations to decorate
your value object
Specify the HashKey,
RangeKey and the individual
Attributes in your value object
that should map to columns in
the DynamoDB table

v

For this demo, we’ll use Facebook as our
Public Identity Provider

v

Mobile App
DynamoDB
Implement Public & Private views
OAUTH/OpenID
Access Token
Cognito Identity
Broker
Cognito ID,
Temp
Credentials
Query for results
filtered by
OwnerId

v

•  Great how-to
https://developers.facebook.com/docs/
android/getting-started
Using Facebook in your App

v

Create an App on Facebook

v

Create an App on Facebook
Cognito needs the App ID
The App ID from Facebook is what
binds the Identity Pool to the
Facebook application

v

Configure Cognito to use Facebook

v

Add an Android application to FB

v

Add an Android application to FB
Generate your signing hash from your development
environment – check the documentation…

v

Secure access to DynamoDB
Simply instantiate the
AmazonDynamoDBClient and
specify your Cognito provider as
the credential provider in the
constructor

v

Querying the DynamoDB table from code
Querying the DynamoDB table is
simple!
The DynamoDB Mapper will map the
columns in the table to the fields in
your value object and return a typed
list of records ready to iterate

v

Demo App
Guest access
•  Connects to Cognito as anonymous user
•  Gets AWS token and uses that to instantiate
a DynamoDB client
•  Queries DynamoDB using the key ‘public’
Authenticated access
•  Gets token from Facebook
•  Passes token to Cognito
•  Impersonates authenticated user
•  Queries DynamoDB using the key that matches
the Cognito Identity of this user

v

Inventory is partitioned
based on the OwnerId
‘public’ is accessible
to the ‘guest’
Cognito Identity
Anything else must
match the identity of
the user accessing
the application

v

FGAC on DynamoDB using IAM
Fine-Grained Access Control (FGAC)
•  Restrict which Actions can be called by the user
•  Restrict which DynamoDB Tables can be accessed by the user
•  Restrict which rows in the table are accessible by the user
•  Control which fields are accessible in the query results

v

Control the actions the user
can invoke
The “Unauthenticated”
Role Policy

v

Control the DynamoDB Table
the user can access
Role Policy

v

Restrict the Rows in the DynamoDB
table the user can access
Role Policy

v

Use the Cognito Id for this user to restrict
the rows that will be accessible to the user
The “Authenticated”
Role Policy

v

Amazon SNS
Push Notifications

v

Each platform works differently, and push gets even more complex as you
scale to support millions of devices.
Cloud App
Platform Services Mobile Apps
SNS application targets

v

Amazon SNS
Cross-platform 
Mobile Push
Apple APNS
Google GCM
Amazon ADM
Windows WNS and MPNS
Baidu CP
With Amazon SNS, developers can send push notifications on multiple
platforms and reach mobile users around the world
Android Phones and Tablets
Apple iPhones and iPads
Kindle Fire Devices
Android Phones and Tablets in China
Windows Desktop and Phones
SNS application targets
Your application 
back-end

v

•  Goals:
•  Application automatically registers with Google Cloud Messaging (GCM)
•  The device registration Id is then sent to SNS to register as a device endpoint
•  The application then subscribes that device endpoint to a well-known SNS topic
This topic is shared by all other devices using the application
•  The application then confirms SNS Push Notifications are working by sending
a message to itself via SNS. The user sees a pop-up message.
•  Later, whenever a message is sent to the shared SNS Topic,
all devices subscribed receive a pop-up notification
Next App: SNS Push Notification App

v

Mobile App
Next App: SNS Push Notification App
SNS Topic
SNS Application
ENDPOINT APP
TOPIC
Cognito
Create Platform
Endpoint
Subscribe to topic
Publish test
message to our
Endpoint
Push notification
from GCM
SNS

v

On the SNS Dashboard, create a new Topic

v

Note the Topic’s ARN
We will need this in our code to
subscribe the device to the topic
so we can receive notifications
On the SNS Dashboard, create a new Topic

v

Create a Google API Project
and obtain the Google Project ID

v

Create the Server API Key

v

Obtain the Server API Key from Google

v

On the SNS Dashboard, create a new App

v

Specify the API Key you got from Google

v

Note the ARN for this SNS Application

v

Again, this ‘Cognito’ class is just my convenience wrapper
implemented as a Singleton
Instantiate SNS using Credentials from Cognito

v

Get the device registration ID from GCM
We’re requesting the device
identifier/token for this unique
device, against the Google
Project Id we created earlier

v

And register this device with the SNS App
The ‘deviceIdentifier’
is the device
token returned
from GCM for
this unique
device

v

Finally, subscribe the endpoint to the Topic
The endpoint is the ARN you got
back from the previous call to
getEndpointArn()

v

Demo App
At startup, we register this device
with the SNS Application
Then we subscribe this device
Endpoint to the global SNS Topic
We then send a test message from
the device to ourselves to confirm
the round trip is working
If we subsequently publish to the
global SNS Topic, all devices
subscribed will be notified

v

How did we initiate the
sending of the Push Notification to the
global SNS Topic?
But wait!

v

Demo web page to send Push Notifications
Plain old Javascript and HTML!
The website is a standard HTML site with Javascript. It is
being served from S3, so no back-end servers
The magic comes from the AWS Javascript SDK

v

Topic ARN
This is the topic we subscribed
our application to when
it started up
Cognito Role
This is the IAM role we want to use –
we’re using the unauthenticated ‘guest’
role in this demo
Cognito Identity Pool ID
This is the specific Cognito pool
we want to use for authentication

v


v

Amazon Cognito
Sharing data between devices

v
•  Goals:
•  User is authenticated with Facebook
•  Each time they modify gadgets in the app, the state of the
gadgets is synchronized with all other devices
using the application (for that user account)
•  Verify these shared data changes in a companion web page, where the
user is also authenticated with Facebook, and is the same user principal
Next App: Shared application data

v

Add a Web application to FB

v

Add a Web application to FB
S3 bucket name
We’re using S3 to serve the web site in this example, but
you can use CloudFront, or EC2, or use a CNAME

v

Javascript code to read Cognito Sync Data
Instantiate the CognitoSync object
It will inherit the Cognito credentials from those we obtained
earlier from our call to CognitoIdentityCredentials()

v

Specify our parameters
We need to specify the DatasetName that we want to connect to,
and the Cognito Identity information as shown

v

Call CognitoSync::listRecords()
…and provide our params and a
callback

v

OnSuccess()
…iterate the results and do something
interesting with the data records

v

Demo App Web Page
The web page has access
to the shared data when
authenticated as the
Facebook User
Mobile application
…and the mobile
application has access to
the same shared data if
the user is logged on to
Facebook as the same
user

v

We covered a lot of ground
in this deep-dive session!

v

Amazon Cognito
Amazon SNS Mobile Push
DynamoDB Connector
S3 Connector
SQS Connector
User identity &
data synchronization
service
Store any NoSQL data and
also map mobile OS specific
objects to DynamoDB tables
Powerful Cross-platform
Push notification service
Easily upload, download to S3 and
also pause, resume, and cancel
these operations
Access distributed buffering
and queuing service
AWS Mobile Services

v

Amazon S3
Amazon Elastic Transcode Service
Amazon CloudFront
Amazon Elastic Beanstalk
Amazon Identity and Access Management
Online file storage
web service
Content Delivery Network
(CDN)
Highly scalable,
media transcoding
in the cloud
Platform as a Service (PaaS)
Securely control access to
AWS services and resources
for your users
AWS Services & Features

Online
Labs
|
Training

Gain
confidence
and
hands-‐on

experience
with
AWS.
Watch
free

Instruc;onal
Videos
and
explore
Self-‐
Paced
Labs

Instructor
Led
Classes

Learn
how
to
design,
deploy
and
operate

highly
available,
cost-‐effec;ve
and

secure
applica;ons
on
AWS
in
courses

led
by
qualified
AWS
instructors

Validate
your
technical
exper;se

with
AWS
and
use
prac;ce
exams

to
help
you
prepare
for
AWS

Cer;fica;on

AWS
Cer9fica9on

h<p://aws.amazon.com/training

Mobile Application Development

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (20)

Similar to Mobile Application Development

Similar to Mobile Application Development (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Mobile Application Development