Mobile Application Development

1. v Building Mobile and Web Apps using the AWS Mobile and Javascript SDKs Parijat Mishra | Solutions Architect | Amazon Web Services parijat@amazon.com

2. v In this session, we’ll be creating Android apps to demonstrate various features of AWS

3. v How do we build mobile apps today?

4. v Authenticate users Authorize access Analyze User Behavior Store and share media Synchronize data Deliver media Store shared data Stream real-time dataTrack Retention Send push notifications Manage users and identity providers Securely access cloud resources Sync user prefs across devices Track active users, engagement Manage funnels, Campaign performances Store user-generated photos Media and share them Automatically detect mobile devices Deliver content quickly globally Bring users back to your app by sending messages reliably Store and query fast NoSQL data across users and devices Collect real-time clickstream logs and take actions quickly Your Mobile App Your mobile application

5. v Introducing AWS Mobile Services Amazon Cognito Amazon Mobile Analytics Amazon SNS Mobile Push Kinesis Connector DynamoDB Connector S3 Connector SQS Connector SES Connector AWS Global Infrastructure (11 Regions, 28 Availability Zones, 52 Edge Locations) Core Building Block Services Mobile Optimized Connectors Mobile Optimized Services Your Mobile App, Game or Device App AWS Mobile SDK, API Endpoints, Management Console Compute Storage Networking Analytics Databases Integrated SDK

6. v Fully integrated AWS mobile SDK Cross-platform, optimized for mobile Automatically handles intermittent and latent network AWS Mobile SDK Reduced memory footprint Common authentication method across all services

7. v Authenticate users Authorize access Analyze User Behavior Store and share media Synchronize data Deliver media Store shared data Stream real-time dataTrack Retention Send push notifications Manage users and identity providers Securely access cloud resources Sync user prefs across devices Track active users, engagement Manage funnels, Campaign performances Store user-generated photos Media and share them Automatically detect mobile devices Deliver content quickly globally Bring users back to your app by sending messages reliably Store and query fast NoSQL data across users and devices Collect real-time clickstream logs and take actions quickly Your Mobile App Your mobile application

8. v Authenticate users Authorize access Analyze User Behavior Store and share media Synchronize data Deliver media Store shared data Stream real-time dataTrack Retention Send push notifications Amazon Cognito (Identity broker) AWS Identity and Access Management Amazon Cognito (Sync) Amazon Mobile Analytics Amazon Mobile Analytics Amazon S3 Transfer Manager Amazon CloudFront (Device Detection) Amazon SNS Mobile Push Amazon DynamoDB (Object Mapper) Amazon Kinesis (Recorder) Your mobile application with the AWS Mobile SDK

9. v Let’s build a Media App! What should it do?

10. v Our Media App’s wish-list of features q  Upload & Download media files to/from S3 buckets q  Grant anonymous but secure access to AWS resources in our account q  Grant authenticated access for users that log in via Public Identity Providers q  Send push notifications to mobile devices q  Store the media library inventory in the cloud so it can be queried by many users q  Provide partitioned access to the media library based on Public and Private views q  Synchronise user data across devices q  Make all this available across devices (iOS, Android, Kindle) and web

11. v •  Goals: •  User is anonymous – we don’t care who they are, treat them as ‘Public’ or ‘Guest’ •  Directly access AWS Simple Storage Service (S3) from the mobile application •  We do not want to upload to a server and then have the server push the file to S3… •  Requirements: •  We need to authenticate the application on the mobile device •  We do not want to bake the AWS credentials in our mobile app! •  Even though users are anonymous, we still want to control access to AWS First App: Basic Download/Upload App

12. v Mobile App S3 Bucket with test media Cognito Identity First App: Basic Download/Upload App

13. v Amazon Cognito Granting ‘guest’ access to our ‘Public’ users for controlled access to AWS resources

14. v Cognito Identity Example Cognito Identity for Guests Cognito assigns a unique identifier for each device when a user is not logged on Cognito Identity for Authenticated Users Cognito assigns a unique identifier for each user when they are authenticated. This will be the same identifier for this user regardless of which device they use

15. v Cognito setup

16. v Create a new Cognito Identity Pool

17. v Create a new Cognito Identity Pool Supplying public identity providers is optional For this demo, we will not be supporting public identity providers, so we leave them empty

18. v Create a new Cognito Identity Pool Enable guest access For this demo, we will allow ‘anonymous access’ so that unauthenticated users can upload and download from our S3 bucket

19. v Create a new Cognito Identity Pool Create IAM Roles Create IAM roles for this Cognito Identity Pool. We will assign tight security controls to these roles later

20. v Create a new Cognito Identity Pool And assign a role for unauthenticated access

21. v Create a new Cognito Identity Pool Starter code samples Cognito conveniently provides starter code for you for Android, iOS and .Net! This is an example of how you can easily connect your app to Cognito

22. v Setup the required permissions in IAM

23. v Setup the required permissions in IAM Note the default policy

24. v Setup the required permissions in IAM Default policy created by Cognito By default, access to Cognito Sync and Mobile Analytics is permitted. This policy has been generated by the Cognito Create Identity Pool wizard

25. v Media in our S3 bucket S3 Bucket contents Test file that we will be downloading via the TransferManager S3 connector

26. v S3 Bucket ACLs Note that the ACLs on the bucket do not permit ‘Public’ so the asset is not world-accessible Media in our S3 bucket

27. v Let’s give the anonymous ‘guest’ access to our S3 bucket for read and write

28. v Setup the required permissions in IAM Use the Policy Generator We’ll create our specific S3- related policy using the Policy Generator

29. v Setup the required permissions in IAM Specify our bucket Our policy will specify access for our specific bucket. We’ll allow GetObject and PutObject

30. v Setup the required permissions in IAM Resulting Policy Document Here’s what the resulting policy looks like for allowing READ access to any object in the specific bucket, and the ability to WRITE any object

31. v We’re now set up – let’s start coding!

32. v Instantiate Cognito Credentials Provider Give Cognito your details •  Account Id •  Identity Pool ARN •  UnAuthenticated access Role ARN •  Authenticated access Role ARN •  The Region you are running Cognito in

33. v Implementation Note! This ‘Cognito’ class is just my convenience wrapper! I have chosen to implement this as a Singleton at App-scope Your implementation may be different The only important thing is that you instantiate a CognitoCachingCredentialsProvider

34. v S3 Connector •  Multipart upload media (photos, videos, audio) •  Fault tolerant download (e.g. assets) •  No backend required •  Automatic retries •  Pause, resume, cancel functions •  Optimized for native OS Amazon S3 Connector: Transfer Manager

35. v Pass Cognito Credentials to the AWS S3 Transfer Manager constructor Pass the Cognito Provider to the TransferManager S3 connector to construct based on the Cognito-acquired AWS credentials

36. v Set up the download request and go! Initiate the download

37. v Demo App First, the Application instantiates a CognitoCachingCredentialsProvider() Then initiates a download, followed by an upload

38. v Our Media App’s wish-list of features q  Upload & Download media files to/from S3 buckets q  Grant anonymous but secure access to AWS resources in our account q  Grant authenticated access for users that log in via Public Identity Providers q  Send push notifications to mobile devices q  Store the media library inventory in the cloud so it can be queried by many users q  Provide partitioned access to the media library based on Public and Private views q  Synchronise user data across devices q  Make all this available across devices (iOS, Android, Kindle) and web q  Convert uploaded video files to various mobile/web formats

39. v Amazon Cognito Now let’s authenticate our users via public identity providers

40. v •  Goals: •  User can be anonymous or they can choose to sign-in via Facebook •  If they are anonymous, we let them see a ‘Public’ view of the media library •  If they choose to sign-in, we let them see their own ‘Private’ view of the library •  Requirements: •  We will use Cognito to help with the Public and Private authentication •  Again, no AWS credentials in our mobile app! •  We want to enforce Fine-Grained Access Control on the database views Implement Public & Private views

41. v User ID (Temp Credentials) DynamoDB End Users Developer App w/SDK Access to AWS Services Cognito Identity Broker Login OAUTH/OpenID Access Token Cognito ID, Temp Credentials S3 Mobile Analytics Cognito Sync Store AWS Management Console Access Token Pool ID Role ARNs Amazon Cognito Security Architecture

42. v Raw DynamoDB records example Range Key Each OwnerId has multiple Filenames Hash Key Each OwnerId identifies a user by their Cognito identity, or ‘public’ if they didn’t log on to Facebook

43. v Raw DynamoDB records example Inventory is partitioned based on the OwnerId ‘public’ is accessible to the ‘guest’ Cognito Identity Anything else must match the identity of the user accessing the application Assigned by Cognito automatically

44. v Use the DynamoDB Mapper Use the DynamoDB Mapper annotations to decorate your value object Specify the HashKey, RangeKey and the individual Attributes in your value object that should map to columns in the DynamoDB table

45. v For this demo, we’ll use Facebook as our Public Identity Provider

46. v Mobile App DynamoDB Implement Public & Private views OAUTH/OpenID Access Token Cognito Identity Broker Cognito ID, Temp Credentials Query for results filtered by OwnerId

47. v •  Great how-to https://developers.facebook.com/docs/ android/getting-started Using Facebook in your App

48. v Create an App on Facebook

49. v Create an App on Facebook

50. v Create an App on Facebook Cognito needs the App ID The App ID from Facebook is what binds the Identity Pool to the Facebook application

51. v Configure Cognito to use Facebook

52. v Add an Android application to FB

53. v Add an Android application to FB

54. v Add an Android application to FB Generate your signing hash from your development environment – check the documentation…

56. v Secure access to DynamoDB Simply instantiate the AmazonDynamoDBClient and specify your Cognito provider as the credential provider in the constructor

57. v Querying the DynamoDB table from code Querying the DynamoDB table is simple! The DynamoDB Mapper will map the columns in the table to the fields in your value object and return a typed list of records ready to iterate

58. v Demo App Guest access •  Connects to Cognito as anonymous user •  Gets AWS token and uses that to instantiate a DynamoDB client •  Queries DynamoDB using the key ‘public’ Authenticated access •  Gets token from Facebook •  Passes token to Cognito •  Impersonates authenticated user •  Queries DynamoDB using the key that matches the Cognito Identity of this user

59. v Raw DynamoDB records example Inventory is partitioned based on the OwnerId ‘public’ is accessible to the ‘guest’ Cognito Identity Anything else must match the identity of the user accessing the application

60. v FGAC on DynamoDB using IAM Fine-Grained Access Control (FGAC) •  Restrict which Actions can be called by the user •  Restrict which DynamoDB Tables can be accessed by the user •  Restrict which rows in the table are accessible by the user •  Control which fields are accessible in the query results

61. v FGAC on DynamoDB using IAM Control the actions the user can invoke The “Unauthenticated” Role Policy

62. v FGAC on DynamoDB using IAM Control the DynamoDB Table the user can access The “Unauthenticated” Role Policy

63. v FGAC on DynamoDB using IAM Restrict the Rows in the DynamoDB table the user can access The “Unauthenticated” Role Policy

64. v FGAC on DynamoDB using IAM Use the Cognito Id for this user to restrict the rows that will be accessible to the user The “Authenticated” Role Policy

66. v Amazon SNS Push Notifications

67. v Each platform works differently, and push gets even more complex as you scale to support millions of devices. Cloud App Platform Services Mobile Apps SNS application targets

68. v Amazon SNS Cross-platform  Mobile Push Apple APNS Google GCM Amazon ADM Windows WNS and MPNS Baidu CP With Amazon SNS, developers can send push notifications on multiple platforms and reach mobile users around the world Android Phones and Tablets Apple iPhones and iPads Kindle Fire Devices Android Phones and Tablets in China Windows Desktop and Phones SNS application targets Your application  back-end

69. v •  Goals: •  Application automatically registers with Google Cloud Messaging (GCM) •  The device registration Id is then sent to SNS to register as a device endpoint •  The application then subscribes that device endpoint to a well-known SNS topic This topic is shared by all other devices using the application •  The application then confirms SNS Push Notifications are working by sending a message to itself via SNS. The user sees a pop-up message. •  Later, whenever a message is sent to the shared SNS Topic, all devices subscribed receive a pop-up notification Next App: SNS Push Notification App

70. v Mobile App Next App: SNS Push Notification App SNS Topic SNS Application ENDPOINT APP TOPIC Cognito Create Platform Endpoint Subscribe to topic Publish test message to our Endpoint Push notification from GCM SNS

71. v Setup Amazon SNS

72. v On the SNS Dashboard, create a new Topic

73. v On the SNS Dashboard, create a new Topic

74. v Note the Topic’s ARN We will need this in our code to subscribe the device to the topic so we can receive notifications On the SNS Dashboard, create a new Topic

75. v Create a Google API Project and obtain the Google Project ID

76. v Enable GCM for Android

77. v Create the Server API Key

78. v Obtain the Server API Key from Google

79. v On the SNS Dashboard, create a new App

80. v Specify the API Key you got from Google

81. v Note the ARN for this SNS Application

83. v Instantiate Cognito Credentials Provider Give Cognito your details •  Account Id •  Identity Pool ARN •  UnAuthenticated access Role ARN •  Authenticated access Role ARN •  The Region you are running Cognito in

84. v Again, this ‘Cognito’ class is just my convenience wrapper implemented as a Singleton Instantiate SNS using Credentials from Cognito

85. v Get the device registration ID from GCM We’re requesting the device identifier/token for this unique device, against the Google Project Id we created earlier

86. v And register this device with the SNS App The ‘deviceIdentifier’ is the device token returned from GCM for this unique device

87. v Finally, subscribe the endpoint to the Topic The endpoint is the ARN you got back from the previous call to getEndpointArn()

88. v Demo App At startup, we register this device with the SNS Application Then we subscribe this device Endpoint to the global SNS Topic We then send a test message from the device to ourselves to confirm the round trip is working If we subsequently publish to the global SNS Topic, all devices subscribed will be notified

90. v How did we initiate the sending of the Push Notification to the global SNS Topic? But wait!

91. v Demo web page to send Push Notifications Plain old Javascript and HTML! The website is a standard HTML site with Javascript. It is being served from S3, so no back-end servers The magic comes from the AWS Javascript SDK

92. v Demo web page to send Push Notifications Topic ARN This is the topic we subscribed our application to when it started up Cognito Role This is the IAM role we want to use – we’re using the unauthenticated ‘guest’ role in this demo Cognito Identity Pool ID This is the specific Cognito pool we want to use for authentication

93. v Demo web page to send Push Notifications

94. v Demo web page to send Push Notifications

96. v Amazon Cognito Sharing data between devices

97. v •  Goals: •  User is authenticated with Facebook •  Each time they modify gadgets in the app, the state of the gadgets is synchronized with all other devices using the application (for that user account) •  Verify these shared data changes in a companion web page, where the user is also authenticated with Facebook, and is the same user principal Next App: Shared application data

98. v Add a Web application to FB

99. v Add a Web application to FB S3 bucket name We’re using S3 to serve the web site in this example, but you can use CloudFront, or EC2, or use a CNAME

100. v Javascript code to read Cognito Sync Data Instantiate the CognitoSync object It will inherit the Cognito credentials from those we obtained earlier from our call to CognitoIdentityCredentials()

101. v Javascript code to read Cognito Sync Data Specify our parameters We need to specify the DatasetName that we want to connect to, and the Cognito Identity information as shown

102. v Javascript code to read Cognito Sync Data Call CognitoSync::listRecords() …and provide our params and a callback

103. v Javascript code to read Cognito Sync Data OnSuccess() …iterate the results and do something interesting with the data records

104. v Demo App Web Page The web page has access to the shared data when authenticated as the Facebook User Mobile application …and the mobile application has access to the same shared data if the user is logged on to Facebook as the same user

106. v We covered a lot of ground in this deep-dive session!

107. v Amazon Cognito Amazon SNS Mobile Push DynamoDB Connector S3 Connector SQS Connector User identity & data synchronization service Store any NoSQL data and also map mobile OS specific objects to DynamoDB tables Powerful Cross-platform Push notification service Easily upload, download to S3 and also pause, resume, and cancel these operations Access distributed buffering and queuing service AWS Mobile Services

108. v Amazon S3 Amazon Elastic Transcode Service Amazon CloudFront Amazon Elastic Beanstalk Amazon Identity and Access Management Online file storage web service Content Delivery Network (CDN) Highly scalable, media transcoding in the cloud Platform as a Service (PaaS) Securely control access to AWS services and resources for your users AWS Services & Features

109. v Fully integrated AWS mobile SDK Cross-platform, optimized for mobile Automatically handles intermittent and latent network AWS Mobile SDK Reduced memory footprint Common authentication method across all services

110. Online Labs | Training Gain confidence and hands-‐on experience with AWS. Watch free Instruc;onal Videos and explore Self-‐ Paced Labs Instructor Led Classes Learn how to design, deploy and operate highly available, cost-‐effec;ve and secure applica;ons on AWS in courses led by qualified AWS instructors Validate your technical exper;se with AWS and use prac;ce exams to help you prepare for AWS Cer;fica;on AWS Cer9fica9on h<p://aws.amazon.com/training

111. v Thank You