
I'm looking at using AWS Pinpoint to send push notifications to my React Native app. However, it seems that unauthenticated users are able to update user attributes for any user they wish, i.e. there is no access control. I'm new to mobile development, but isn't putting stuff like that into the frontend a security issue? If it were a web application, people would be able to inspect network calls to obtain credentials and make any call they wish to updateEndpoint. Is this not applicable to mobile apps, or am I misunderstanding something?

Details:

There's a step in the setup that says: "Edit the IAM policy document for unauthenticated identities to allow permissions for the mobiletargeting:PutEvents and mobiletargeting:UpdateEndpoint actions".

And the React Native code snippet provided goes as follows:

import Analytics from '@aws-amplify/analytics';
import Auth from '@aws-amplify/auth';

// Cognito identity pool: with mandatorySignIn false (below), Amplify obtains
// credentials for the identity pool's *unauthenticated* role on first use.
const amplifyConfig = {
  Auth: {
    identityPoolId: 'COGNITO_IDENTITY_POOL_ID',
    region: 'ap-south-1'
  }
}
//Initialize Amplify
Auth.configure(amplifyConfig);

const analyticsConfig = {
  AWSPinpoint: {
        // Amazon Pinpoint App Client ID
        appId: 'cd73a57d200e49e2bc4b97d6ebf63cd4',
        // Amazon service region
        region: 'ap-south-1',
        // false: Pinpoint calls are made with unauthenticated-role credentials
        mandatorySignIn: false,
  }
}

Analytics.configure(analyticsConfig)

// Calls mobiletargeting:UpdateEndpoint with whatever userId/attributes the
// client supplies; the IAM policy on the unauthenticated role is the only gate.
Analytics.updateEndpoint({
    attributes: {
        interests: ['science', 'politics', 'travel'],
        //..
    },
    userId: 'UserIdValue',
    userAttributes: {
        username: 'ilovethecloud'
    }
});

1 Answer


I'm not sure if this will help, but you have two IAM policies (in the Cognito identity pool): one for authenticated users and one for unauthenticated users.

You should restrict the IAM policy for unauthenticated users so they can't edit other users' info.

Also, the credentials that you are given by Cognito are temporary; they expire (and get renewed by your React Native app), so in that way you are safe.

Ivan Carcamo
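The answer says to restrict the unauthenticated role's policy; the example below (added here, not code from the question, the answer, or AWS) shows what that restriction looks like and checks it offline with a small IAM-style evaluator. It assumes a placeholder account ID, reuses the region and Pinpoint app ID from the question, and assumes the client registers its endpoint with an endpoint ID equal to its Cognito identity ID, so that the `${cognito-identity.amazonaws.com:sub}` policy variable can tie an endpoint to its owner. The evaluator is a simplified model (Allow/Deny, `*` wildcards, policy variables), not a full IAM implementation.

```javascript
// Added example: unauthenticated-role policies for Cognito + Pinpoint, and a
// minimal evaluator to compare them. Account ID and endpoint-ID convention are assumptions.

const REGION = 'ap-south-1';
const ACCOUNT = '123456789012';                      // placeholder account id (assumption)
const APP_ID = 'cd73a57d200e49e2bc4b97d6ebf63cd4';   // Pinpoint app id from the question

// Policy as the setup step describes it: the two actions with no resource scoping.
// Any holder of unauthenticated credentials may update any endpoint of any Pinpoint app.
const broadUnauthPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow',
      Action: ['mobiletargeting:PutEvents', 'mobiletargeting:UpdateEndpoint'],
      Resource: '*' },
  ],
};

// Restricted policy: PutEvents only for this app, and UpdateEndpoint only for the
// endpoint whose ID equals the caller's Cognito identity ID. This enforces ownership
// only if the client uses its identity ID as its endpoint ID (assumption, see lead-in).
const scopedUnauthPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow',
      Action: 'mobiletargeting:PutEvents',
      Resource: `arn:aws:mobiletargeting:${REGION}:${ACCOUNT}:apps/${APP_ID}/events` },
    { Effect: 'Allow',
      Action: 'mobiletargeting:UpdateEndpoint',
      Resource: `arn:aws:mobiletargeting:${REGION}:${ACCOUNT}:apps/${APP_ID}/endpoints/\${cognito-identity.amazonaws.com:sub}` },
  ],
};

// Resource ARN for an endpoint of a given app (format: apps/<app-id>/endpoints/<endpoint-id>).
function endpointArn(appId, endpointId) {
  return `arn:aws:mobiletargeting:${REGION}:${ACCOUNT}:apps/${appId}/endpoints/${endpointId}`;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// IAM-style glob: '*' matches any run of characters, everything else is literal.
function globMatch(pattern, value) {
  const re = new RegExp('^' + pattern.split('*').map(escapeRegExp).join('.*') + '$');
  return re.test(value);
}

// Replace ${name} policy variables with values from the request context;
// unknown variables are left as-is (and so never match a real ARN).
function substituteVars(pattern, vars) {
  return pattern.replace(/\$\{([^}]+)\}/g, (_, name) =>
    name in vars ? vars[name] : `\${${name}}`);
}

// Simplified IAM evaluation: an explicit Deny wins, any matching Allow grants,
// otherwise the implicit default is deny.
function isAllowed(policy, action, resource, vars = {}) {
  let allowed = false;
  for (const st of policy.Statement) {
    const actions = [].concat(st.Action);
    const resources = [].concat(st.Resource).map((r) => substituteVars(r, vars));
    const matches = actions.some((a) => globMatch(a, action)) &&
                    resources.some((r) => globMatch(r, resource));
    if (!matches) continue;
    if (st.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

// Constructed request context for one unauthenticated identity.
const SUB = 'cognito-identity.amazonaws.com:sub';
const me = { [SUB]: 'ap-south-1:11111111-2222-3333-4444-555555555555' };
const mine = endpointArn(APP_ID, me[SUB]);
const someoneElse = endpointArn(APP_ID, 'ap-south-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee');

console.log('broad policy lets me overwrite another endpoint:',
  isAllowed(broadUnauthPolicy, 'mobiletargeting:UpdateEndpoint', someoneElse, me));
console.log('scoped policy lets me update my own endpoint:',
  isAllowed(scopedUnauthPolicy, 'mobiletargeting:UpdateEndpoint', mine, me));
console.log('scoped policy lets me overwrite another endpoint:',
  isAllowed(scopedUnauthPolicy, 'mobiletargeting:UpdateEndpoint', someoneElse, me));
```

The point the evaluator makes explicit: scoping the resource to the app ARN alone stops writes to other Pinpoint apps, but it still lets any unauthenticated caller write any endpoint ID within that app, because the endpoint ID is chosen by the client. Binding the endpoint ID to `${cognito-identity.amazonaws.com:sub}` is what turns the policy into an ownership check, and that only works if the client actually registers under its identity ID. Temporary credentials do not change this; they expire, but while valid they carry the full unauthenticated role.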