aws-amplify / aws-sdk-android

AWS SDK for Android. For more information, see our web site:
https://docs.amplify.aws

Should I expose Identity pool ID in my android app's source code? #3569

Closed RebelEternal closed 1 month ago

RebelEternal commented 1 month ago

State your question

I have read in the SDK fundamentals that "Never embed credentials in an Android application. It is trivially easy to decompile applications and steal embedded credentials. Always use temporarily vended credentials from services such as Amazon Cognito Identity." I am using AWS Rekognition's face liveness and compare faces APIs. I have hardcoded the identity pool ID in my app's source code, as shown in the code below. Now I am confused about whether Amazon Cognito Identity and the identity pool ID are the same thing or different. Kindly answer.

Which AWS Services are you utilizing?

AWS Rekognition

Provide code snippets (if applicable)

```java
CognitoCachingCredentialsProvider credentialsProvider;
AmazonRekognitionClient rekognitionClient;

credentialsProvider = new CognitoCachingCredentialsProvider(
        getApplicationContext(),
        "identity_pool_id", // Identity pool ID
        Regions.AP_SOUTH_1  // Region
);
```


tylerjroach commented 1 month ago

The AWSCredentials vended from the Cognito Identity service are sensitive. The Cognito Identity Pool ID is not. In fact, we embed it in our awsconfiguration.json file that is used by apps consuming the AWS Android SDK.

I am a bit confused as to why you are attempting to use the aws-android-sdk-rekognition library for FaceLiveness APIs. Are you attempting to use the FaceLivenessDetector (https://ui.docs.amplify.aws/android/connected-components/liveness) in your application?

It is best not to mix Amplify and the AWS Android SDK together. When possible, you should use Amplify and the AWS Kotlin SDK together.

RebelEternal commented 1 month ago

Thanks Tyler for commenting. Actually I am using the below code snippet to create a face liveness session.

```java
CreateFaceLivenessSessionRequest request = new CreateFaceLivenessSessionRequest()
        .withSettings(new CreateFaceLivenessSessionRequestSettings()
                .withAuditImagesLimit(audit_image_limit));
CreateFaceLivenessSessionResult result = rekognitionClient.createFaceLivenessSession(request);
```

And for creating that session I am using rekognitionClient which has been initialized as

```java
credentialsProvider = new CognitoCachingCredentialsProvider(
        getApplicationContext(),
        "identity_pool_id", // Identity pool ID
        Regions.AP_SOUTH_1  // Region
);

rekognitionClient = new AmazonRekognitionClient(credentialsProvider, clientConfiguration);
rekognitionClient.setRegion(Region.getRegion(Regions.AP_SOUTH_1));
```

Am I doing something wrong? The application and face liveness work just fine in my Android app.

And you have mentioned that the Cognito Identity Pool ID is not sensitive information. But what do you think of this comment someone made on Stack Overflow:

> But everyone is concerned about DDoS attacks & Fake registrations. Never thought about it but yes, these details can be used to enable authentication & signup in another app.

Anyways thank you so much...

tylerjroach commented 1 month ago

Glad to hear everything is working! Since you are creating your own credentials provider and not attempting to use AWSMobileClient, everything should work fine. Amplify v2 and AWS Android SDK only start conflicting with each other when MobileClient is used.
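An added example, not from this thread or the SDK, of the control that makes an embedded Identity Pool ID acceptable: the permissions policy attached to the pool's unauthenticated IAM role grants only the two Rekognition calls the app in this thread uses, so anyone who lifts the pool ID from the APK obtains temporary credentials limited to exactly those calls. The action names are real Rekognition IAM actions; the statement ID is an assumed name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UnauthRoleFaceLivenessAndCompareOnly",
      "Effect": "Allow",
      "Action": [
        "rekognition:CreateFaceLivenessSession",
        "rekognition:CompareFaces"
      ],
      "Resource": "*"
    }
  ]
}
```

The weak setting this replaces is an unauthenticated role whose policy allows `rekognition:*` or broader service access, which is what turns a public pool ID into the abuse the quoted Stack Overflow comment worries about.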