Hacker News

Some APIs should be accessed from your backend, not the app (e.g. the user can authorize you on Facebook without you sharing your API app secret).

The paper also says they found Amazon tokens, with which you can spawn instances. I think you can use other kinds of authentication that don't give access to the whole account.



What if your app doesn't have a backend? That's an honest question. I've been trying to come up with some way of using authentication/authorization keys in a fully client-side app (be it a mobile or desktop one) that is still secure, and I can't think of a way to: in order to communicate, the keys have to be in memory and are thus vulnerable.

I dunno. I've wondered about all this myself quite a lot; perhaps it's a non-issue?


Yes, I don't know of any good solution for client-side-only applications. And it's a real issue, I think. For instance, if I have your key, it may be possible for me to access data, post on behalf, etc. of people who signed in with the service on your application.


I think your only choice for doing this securely is to hide the keys behind your own server.


AWS keys should belong to IAM users who have constrained permissions to only perform the things you want them to perform.

If you're shipping root account AWS keys in any app, you're doing it wrong.
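As an added illustration of the point above (example code written for this page, not from any commenter or from AWS), here is a broad policy of the kind a root/admin key carries beside a constrained policy for a key that must ship inside a client app, plus a simplified evaluator that approximates IAM's "explicit Deny wins, otherwise any Allow, otherwise implicit deny" rule. The bucket name, prefix and account ID are constructed placeholders, and the evaluator is a teaching approximation, not AWS's real policy engine.

```python
"""Simplified IAM policy evaluator (added example; not AWS's engine)."""
import fnmatch
import json

# Constructed: a broad policy of the kind a root or admin key carries.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Constructed: a scoped policy for a key embedded in a client app.
# It may only upload into one prefix of one bucket, and EC2 is
# explicitly denied so the key cannot spawn instances.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["s3:PutObject"],
    "Resource": "arn:aws:s3:::example-app-uploads/incoming/*"},
   {"Effect": "Deny",
    "Action": "ec2:*",
    "Resource": "*"}
 ]}
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM action/resource patterns are case-insensitive globs using * and ?.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower())
               for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit_embedded_key(policy):
    """Return the risky operations a holder of a key under this policy could perform."""
    checks = {  # constructed ARNs; 123456789012 is a placeholder account ID
        "spawn instances": ("ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/*"),
        "read any bucket": ("s3:GetObject", "arn:aws:s3:::some-other-bucket/secret.txt"),
        "create IAM users": ("iam:CreateUser", "arn:aws:iam::123456789012:user/*"),
    }
    return sorted(name for name, (a, r) in checks.items() if is_allowed(policy, a, r))
```

Running `audit_embedded_key` over the two policies shows the broad key can do all three risky things while the scoped key can do none, yet the scoped key still passes the one upload the app needs.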





