Mobile Application Development

Post on 08-Aug-2015


Transcript of Mobile Application Development

Building Mobile and Web Apps using the AWS Mobile and Javascript SDKs

Parijat Mishra | Solutions Architect | Amazon Web Services
parijat@amazon.com

In this session, we’ll be creating Android apps to demonstrate various features of AWS

How do we build mobile apps today?

What your mobile application needs, and what each need means in practice:

•  Authenticate users: manage users and identity providers
•  Authorize access: securely access cloud resources
•  Synchronize data: sync user prefs across devices
•  Analyze user behavior: track active users, engagement
•  Track retention: manage funnels, campaign performance
•  Store and share media: store user-generated photos and media and share them
•  Deliver media: automatically detect mobile devices, deliver content quickly globally
•  Send push notifications: bring users back to your app by sending messages reliably
•  Store shared data: store and query fast NoSQL data across users and devices
•  Stream real-time data: collect real-time clickstream logs and take actions quickly

Introducing AWS Mobile Services

Your Mobile App, Game or Device App
AWS Mobile SDK, API Endpoints, Management Console
Mobile Optimized Services: Amazon Cognito, Amazon Mobile Analytics, Amazon SNS Mobile Push
Mobile Optimized Connectors: Kinesis Connector, DynamoDB Connector, S3 Connector, SQS Connector, SES Connector
Core Building Block Services: Compute, Storage, Networking, Analytics, Databases
AWS Global Infrastructure (11 Regions, 28 Availability Zones, 52 Edge Locations)

Integrated SDK

AWS Mobile SDK
•  Fully integrated AWS mobile SDK
•  Cross-platform, optimized for mobile
•  Automatically handles intermittent and latent network
•  Reduced memory footprint
•  Common authentication method across all services


Your mobile application with the AWS Mobile SDK: which service covers each need

•  Authenticate users: Amazon Cognito (Identity broker)
•  Authorize access: AWS Identity and Access Management
•  Synchronize data: Amazon Cognito (Sync)
•  Analyze user behavior: Amazon Mobile Analytics
•  Track retention: Amazon Mobile Analytics
•  Store and share media: Amazon S3 Transfer Manager
•  Deliver media: Amazon CloudFront (Device Detection)
•  Send push notifications: Amazon SNS Mobile Push
•  Store shared data: Amazon DynamoDB (Object Mapper)
•  Stream real-time data: Amazon Kinesis (Recorder)

Let’s build a Media App!

What should it do?

Our Media App’s wish-list of features
•  Upload & download media files to/from S3 buckets
•  Grant anonymous but secure access to AWS resources in our account
•  Grant authenticated access for users that log in via Public Identity Providers
•  Send push notifications to mobile devices
•  Store the media library inventory in the cloud so it can be queried by many users
•  Provide partitioned access to the media library based on Public and Private views
•  Synchronise user data across devices
•  Make all this available across devices (iOS, Android, Kindle) and web
•  Convert uploaded video files to various mobile/web formats

First App: Basic Download/Upload App

Goals:
•  User is anonymous – we don’t care who they are, treat them as ‘Public’ or ‘Guest’
•  Directly access AWS Simple Storage Service (S3) from the mobile application
•  We do not want to upload to a server and then have the server push the file to S3…

Requirements:
•  We need to authenticate the application on the mobile device
•  We do not want to bake the AWS credentials in our mobile app!
•  Even though users are anonymous, we still want to control access to AWS

Architecture: the Mobile App obtains a Cognito Identity and uses it to reach the S3 Bucket with test media

Amazon Cognito

Granting ‘guest’ access to our ‘Public’ users for controlled access to AWS resources

Cognito Identity Example

Cognito Identity for Guests: Cognito assigns a unique identifier for each device when a user is not logged on

Cognito Identity for Authenticated Users: Cognito assigns a unique identifier for each user when they are authenticated. This will be the same identifier for this user regardless of which device they use

Cognito setup

Create a new Cognito Identity Pool
•  Supplying public identity providers is optional. For this demo, we will not be supporting public identity providers, so we leave them empty
•  Enable guest access. For this demo, we will allow ‘anonymous access’ so that unauthenticated users can upload and download from our S3 bucket
•  Create IAM Roles. Create IAM roles for this Cognito Identity Pool. We will assign tight security controls to these roles later
•  And assign a role for unauthenticated access
•  Starter code samples. Cognito conveniently provides starter code for you for Android, iOS and .Net! This is an example of how you can easily connect your app to Cognito

Setup the required permissions in IAM

Note the default policy

Default policy created by Cognito: by default, access to Cognito Sync and Mobile Analytics is permitted. This policy has been generated by the Cognito Create Identity Pool wizard

Media in our S3 bucket

S3 Bucket contents: test file that we will be downloading via the TransferManager S3 connector

S3 Bucket ACLs: note that the ACLs on the bucket do not permit ‘Public’, so the asset is not world-accessible

Let’s give the anonymous ‘guest’ access to our S3 bucket for read and write

Setup the required permissions in IAM

Use the Policy Generator: we’ll create our specific S3-related policy using the Policy Generator

Specify our bucket: our policy will specify access for our specific bucket. We’ll allow GetObject and PutObject

Resulting Policy Document: here’s what the resulting policy looks like for allowing READ access to any object in the specific bucket, and the ability to WRITE any object
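The policy document on this slide survives only as a screenshot. As an added example that is not from the deck, here is the unauthenticated role's S3 statement written out in full, with a small matcher that shows which requests it does and does not cover; the bucket name is a placeholder and the matcher is a simplified stand-in for IAM's evaluation (Allow statements and wildcards only, no Deny or Condition handling).

```javascript
// Added example (not from the deck): the S3 statement for the Cognito
// "unauthenticated" role as a policy object that serialises to the JSON you
// would paste into IAM, plus a deliberately simplified matcher used only to
// show what the statement grants. The bucket name is a placeholder; the
// matcher handles Allow statements and "*"/"?" wildcards, and ignores the
// Deny statements and Condition blocks that real IAM also evaluates.
const BUCKET = 'media-demo-bucket'; // placeholder, not the deck's bucket

function guestS3Policy(bucket) {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        // Read and write objects in this one bucket only. Nothing here grants
        // s3:ListBucket, s3:DeleteObject, or access to any other bucket.
        Effect: 'Allow',
        Action: ['s3:GetObject', 's3:PutObject'],
        Resource: [`arn:aws:s3:::${bucket}/*`],
      },
    ],
  };
}

// Match an IAM wildcard pattern ("s3:Get*", "arn:aws:s3:::bucket/*") against a value.
function patternMatches(pattern, value) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
  return re.test(value);
}

// Simplified evaluation: allowed when some Allow statement matches both the
// action and the resource.
function isAllowedBy(policy, action, resourceArn) {
  return policy.Statement.some((s) =>
    s.Effect === 'Allow' &&
    s.Action.some((a) => patternMatches(a, action)) &&
    s.Resource.some((r) => patternMatches(r, resourceArn)));
}

// The calls a guest device makes (download, upload) beside calls the policy
// must not cover (delete, list the bucket, read from another bucket).
function checkGuestPolicy() {
  const policy = guestS3Policy(BUCKET);
  const testObject = `arn:aws:s3:::${BUCKET}/test.mp4`;
  return {
    download: isAllowedBy(policy, 's3:GetObject', testObject),
    upload: isAllowedBy(policy, 's3:PutObject', testObject),
    del: isAllowedBy(policy, 's3:DeleteObject', testObject),
    list: isAllowedBy(policy, 's3:ListBucket', `arn:aws:s3:::${BUCKET}`),
    otherBucket: isAllowedBy(policy, 's3:GetObject', 'arn:aws:s3:::other-bucket/test.mp4'),
  };
}

console.log(JSON.stringify(guestS3Policy(BUCKET), null, 2));
console.log(checkGuestPolicy()); // download and upload true, the rest false
```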

We’re now set up – let’s start coding!

Instantiate Cognito Credentials Provider

Give Cognito your details:
•  Account Id
•  Identity Pool ARN
•  Unauthenticated access Role ARN
•  Authenticated access Role ARN
•  The Region you are running Cognito in

Implementation Note! This ‘Cognito’ class is just my convenience wrapper. I have chosen to implement this as a Singleton at App-scope. Your implementation may be different; the only important thing is that you instantiate a CognitoCachingCredentialsProvider

Amazon S3 Connector: Transfer Manager
•  Multipart upload media (photos, videos, audio)
•  Fault tolerant download (e.g. assets)
•  No backend required
•  Automatic retries
•  Pause, resume, cancel functions
•  Optimized for native OS

Pass Cognito Credentials to the AWS S3 Transfer Manager constructor: pass the Cognito Provider to the TransferManager S3 connector so that it is constructed with the Cognito-acquired AWS credentials

Set up the download request and go! Initiate the download

Demo App

First, the Application instantiates a CognitoCachingCredentialsProvider(). Then it initiates a download, followed by an upload


Amazon Cognito

Now let’s authenticate our users via public identity providers

Implement Public & Private views

Goals:
•  User can be anonymous or they can choose to sign-in via Facebook
•  If they are anonymous, we let them see a ‘Public’ view of the media library
•  If they choose to sign-in, we let them see their own ‘Private’ view of the library

Requirements:
•  We will use Cognito to help with the Public and Private authentication
•  Again, no AWS credentials in our mobile app!
•  We want to enforce Fine-Grained Access Control on the database views

Amazon Cognito Security Architecture (diagram)

•  Developer: configures the Identity Pool from the AWS Management Console (Pool ID, Role ARNs)
•  End Users: log in with a public identity provider (OAuth/OpenID) and receive an access token
•  App w/SDK: presents the access token to the Cognito Identity Broker and receives a Cognito ID and temporary credentials (User ID with temp credentials)
•  App w/SDK Access to AWS Services: uses those temporary credentials to reach DynamoDB, S3, Mobile Analytics and the Cognito Sync Store

Raw DynamoDB records example

Hash Key: each OwnerId identifies a user by their Cognito identity, or ‘public’ if they didn’t log on to Facebook. Assigned by Cognito automatically
Range Key: each OwnerId has multiple Filenames

Inventory is partitioned based on the OwnerId: ‘public’ is accessible to the ‘guest’ Cognito Identity; anything else must match the identity of the user accessing the application

Use the DynamoDB Mapper

Use the DynamoDB Mapper annotations to decorate your value object: specify the HashKey, RangeKey and the individual Attributes in your value object that should map to columns in the DynamoDB table

For this demo, we’ll use Facebook as our Public Identity Provider

Implement Public & Private views (flow): the Mobile App obtains an OAuth/OpenID access token from Facebook, presents it to the Cognito Identity Broker, receives a Cognito ID and temporary credentials, and queries DynamoDB for results filtered by OwnerId

Using Facebook in your App
•  Great how-to: https://developers.facebook.com/docs/android/getting-started

Create an App on Facebook

Cognito needs the App ID: the App ID from Facebook is what binds the Identity Pool to the Facebook application

Configure Cognito to use Facebook

Add an Android application to FB

Generate your signing hash from your development environment – check the documentation…

We’re now set up – let’s start coding!

Secure access to DynamoDB

Simply instantiate the AmazonDynamoDBClient and specify your Cognito provider as the credential provider in the constructor

Querying the DynamoDB table from code

Querying the DynamoDB table is simple! The DynamoDB Mapper will map the columns in the table to the fields in your value object and return a typed list of records ready to iterate

Demo App

Guest access
•  Connects to Cognito as anonymous user
•  Gets AWS token and uses that to instantiate a DynamoDB client
•  Queries DynamoDB using the key ‘public’

Authenticated access
•  Gets token from Facebook
•  Passes token to Cognito
•  Impersonates authenticated user
•  Queries DynamoDB using the key that matches the Cognito Identity of this user


FGAC on DynamoDB using IAM

Fine-Grained Access Control (FGAC)
•  Restrict which Actions can be called by the user
•  Restrict which DynamoDB Tables can be accessed by the user
•  Restrict which rows in the table are accessible by the user
•  Control which fields are accessible in the query results

The “Unauthenticated” Role Policy
•  Control the actions the user can invoke
•  Control the DynamoDB Table the user can access
•  Restrict the Rows in the DynamoDB table the user can access

The “Authenticated” Role Policy
•  Use the Cognito Id for this user to restrict the rows that will be accessible to the user
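The unauthenticated and authenticated role policies on these slides are screenshots. As an added example that is not from the deck, here are the DynamoDB statements written out, one restricting rows to the ‘public’ OwnerId and one restricting rows to the caller's own Cognito identity via the `${cognito-identity.amazonaws.com:sub}` policy variable, plus an evaluator for just the `dynamodb:LeadingKeys` condition; the table ARN and the identity ids are placeholders.

```javascript
// Added example (not from the deck): the DynamoDB statements for the two
// Cognito roles, plus an evaluator for just the dynamodb:LeadingKeys
// condition. Table ARN and identity ids are placeholders; the rest of IAM's
// evaluation (actions, resources, Deny) is not modelled here.
const TABLE_ARN = 'arn:aws:dynamodb:us-east-1:123456789012:table/MediaInventory'; // placeholder
const READ_ACTIONS = ['dynamodb:Query', 'dynamodb:GetItem', 'dynamodb:BatchGetItem'];

// IAM policy variable that IAM replaces with the caller's Cognito identity id.
const COGNITO_SUB = '${cognito-identity.amazonaws.com:sub}';

// One FGAC statement: read actions on the one table, but only for items whose
// hash key (OwnerId) is in allowedLeadingKeys. Scan is deliberately absent:
// a Scan names no leading key, so a ForAllValues condition would pass vacuously.
function fgacStatement(allowedLeadingKeys) {
  return {
    Effect: 'Allow',
    Action: READ_ACTIONS,
    Resource: [TABLE_ARN],
    Condition: {
      'ForAllValues:StringEquals': { 'dynamodb:LeadingKeys': allowedLeadingKeys },
    },
  };
}

// Guests may read only the 'public' partition; signed-in users only their own.
const unauthenticatedRoleStatement = fgacStatement(['public']);
const authenticatedRoleStatement = fgacStatement([COGNITO_SUB]);

// Evaluate the LeadingKeys condition for one request. request.leadingKeys are
// the OwnerId values the Query/GetItem names; request.sub is the caller's
// Cognito identity id (guests have one too, it is just never equal to 'public').
function leadingKeysAllowed(statement, request) {
  const wanted = statement.Condition['ForAllValues:StringEquals']['dynamodb:LeadingKeys'];
  const allowed = wanted.map((k) => (k === COGNITO_SUB ? request.sub : k));
  // ForAllValues semantics: every key in the request must be in the allowed set
  // (and, as in IAM, an empty request set passes, hence no Scan above).
  return request.leadingKeys.every((k) => allowed.includes(k));
}

// Constructed requests: the two legitimate views plus two cross-partition reads.
function demoViews() {
  const guestId = 'us-east-1:guest-0000'; // placeholder identity ids
  const aliceId = 'us-east-1:alice-1111';
  const bobId = 'us-east-1:bob-2222';
  return {
    guestPublic: leadingKeysAllowed(unauthenticatedRoleStatement, { sub: guestId, leadingKeys: ['public'] }),
    aliceOwn: leadingKeysAllowed(authenticatedRoleStatement, { sub: aliceId, leadingKeys: [aliceId] }),
    aliceReadsBob: leadingKeysAllowed(authenticatedRoleStatement, { sub: aliceId, leadingKeys: [bobId] }),
    guestReadsAlice: leadingKeysAllowed(unauthenticatedRoleStatement, { sub: guestId, leadingKeys: [aliceId] }),
  };
}

console.log(JSON.stringify({ Version: '2012-10-17', Statement: [authenticatedRoleStatement] }, null, 2));
console.log(demoViews()); // guestPublic and aliceOwn true, the other two false
```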


Amazon SNS

Push Notifications

Each platform works differently, and push gets even more complex as you scale to support millions of devices. (Diagram: Cloud App, Platform Services, Mobile Apps; SNS application targets)

Amazon SNS Cross-platform Mobile Push

With Amazon SNS, developers can send push notifications on multiple platforms and reach mobile users around the world. Your application back-end publishes to SNS, and SNS delivers through the platform services to the SNS application targets:
•  Apple APNS: Apple iPhones and iPads
•  Google GCM: Android Phones and Tablets
•  Amazon ADM: Kindle Fire Devices
•  Windows WNS and MPNS: Windows Desktop and Phones
•  Baidu CP: Android Phones and Tablets in China

Next App: SNS Push Notification App

Goals:
•  Application automatically registers with Google Cloud Messaging (GCM)
•  The device registration Id is then sent to SNS to register as a device endpoint
•  The application then subscribes that device endpoint to a well-known SNS topic. This topic is shared by all other devices using the application
•  The application then confirms SNS Push Notifications are working by sending a message to itself via SNS. The user sees a pop-up message.
•  Later, whenever a message is sent to the shared SNS Topic, all devices subscribed receive a pop-up notification

Architecture: the Mobile App authenticates with Cognito, creates a Platform Endpoint in the SNS Application, subscribes that Endpoint to the SNS Topic, publishes a test message to its own Endpoint, and receives the push notification from GCM

Setup Amazon SNS

On the SNS Dashboard, create a new Topic. Note the Topic’s ARN: we will need this in our code to subscribe the device to the topic so we can receive notifications

Create a Google API Project and obtain the Google Project ID

Enable GCM for Android

Create the Server API Key and obtain the Server API Key from Google

On the SNS Dashboard, create a new App and specify the API Key you got from Google

Note the ARN for this SNS Application

We’re now set up – let’s start coding!

Instantiate Cognito Credentials Provider

Give Cognito your details:
•  Account Id
•  Identity Pool ARN
•  Unauthenticated access Role ARN
•  Authenticated access Role ARN
•  The Region you are running Cognito in

Again, this ‘Cognito’ class is just my convenience wrapper implemented as a Singleton

Instantiate SNS using Credentials from Cognito

Get the device registration ID from GCM: we’re requesting the device identifier/token for this unique device, against the Google Project Id we created earlier

And register this device with the SNS App: the ‘deviceIdentifier’ is the device token returned from GCM for this unique device

Finally, subscribe the endpoint to the Topic: the endpoint is the ARN you got back from the previous call to getEndpointArn()

Demo App

At startup, we register this device with the SNS Application. Then we subscribe this device Endpoint to the global SNS Topic. We then send a test message from the device to ourselves to confirm the round trip is working. If we subsequently publish to the global SNS Topic, all devices subscribed will be notified


But wait! How did we initiate the sending of the Push Notification to the global SNS Topic?

Demo web page to send Push Notifications

Plain old Javascript and HTML! The website is a standard HTML site with Javascript. It is being served from S3, so no back-end servers. The magic comes from the AWS Javascript SDK

Topic ARN: this is the topic we subscribed our application to when it started up

Cognito Role: this is the IAM role we want to use – we’re using the unauthenticated ‘guest’ role in this demo

Cognito Identity Pool ID: this is the specific Cognito pool we want to use for authentication
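As an added example that is not the deck's code, here are the SNS calls behind both the device-side startup sequence described under Demo App (register the endpoint, subscribe it, send a test message to itself) and this web page's publish to the shared topic, written against the AWS SDK for JavaScript v2 call shape. The SNS client is injected rather than constructed, and the application ARN, topic ARN and GCM registration id are placeholders.

```javascript
// Added example (not the deck's code): the SNS calls the demo makes, written
// against the AWS SDK for JavaScript v2 call shape (each call returns a request
// whose .promise() resolves to the response). The client is passed in so the
// flow can run against a stub; the ARNs and GCM registration id are placeholders.
const GCM_APP_ARN = 'arn:aws:sns:us-east-1:123456789012:app/GCM/MediaDemo'; // placeholder
const TOPIC_ARN = 'arn:aws:sns:us-east-1:123456789012:MediaDemoAllDevices';  // placeholder

// SNS cross-platform payload: with MessageStructure 'json' the Message is a
// JSON object with a 'default' string plus one JSON-encoded string per platform.
function buildPushMessage(text) {
  return JSON.stringify({
    default: text,
    GCM: JSON.stringify({ data: { message: text } }),
  });
}

// Device side, run at app startup with the Cognito guest credentials: register
// the GCM registration id as an SNS platform endpoint, subscribe it to the
// shared topic, then publish a test message to the endpoint itself (the deck's
// round-trip check). The guest role therefore needs sns:CreatePlatformEndpoint,
// sns:Subscribe and sns:Publish, scoped to these application/topic ARNs.
async function registerDevice(sns, gcmRegistrationId) {
  const { EndpointArn } = await sns
    .createPlatformEndpoint({ PlatformApplicationArn: GCM_APP_ARN, Token: gcmRegistrationId })
    .promise();
  const { SubscriptionArn } = await sns
    .subscribe({ TopicArn: TOPIC_ARN, Protocol: 'application', Endpoint: EndpointArn })
    .promise();
  const { MessageId } = await sns
    .publish({ TargetArn: EndpointArn, MessageStructure: 'json', Message: buildPushMessage('Push round trip OK') })
    .promise();
  return { endpointArn: EndpointArn, subscriptionArn: SubscriptionArn, testMessageId: MessageId };
}

// Web page side: one publish to the topic fans out to every subscribed endpoint.
// The deck's page signs this call with the unauthenticated Cognito role, so that
// role's policy needs sns:Publish on this TopicArn; grant it for that ARN only.
async function notifyAllDevices(sns, text) {
  const { MessageId } = await sns
    .publish({ TopicArn: TOPIC_ARN, MessageStructure: 'json', Message: buildPushMessage(text) })
    .promise();
  return MessageId;
}
```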


Amazon Cognito

Sharing data between devices

Next App: Shared application data

Goals:
•  User is authenticated with Facebook
•  Each time they modify gadgets in the app, the state of the gadgets is synchronized with all other devices using the application (for that user account)
•  Verify these shared data changes in a companion web page, where the user is also authenticated with Facebook, and is the same user principal

Add a Web application to FB

S3 bucket name: we’re using S3 to serve the web site in this example, but you can use CloudFront, or EC2, or use a CNAME

Javascript code to read Cognito Sync Data

•  Instantiate the CognitoSync object. It will inherit the Cognito credentials from those we obtained earlier from our call to CognitoIdentityCredentials()
•  Specify our parameters. We need to specify the DatasetName that we want to connect to, and the Cognito Identity information as shown
•  Call CognitoSync::listRecords() …and provide our params and a callback
•  OnSuccess() …iterate the results and do something interesting with the data records

Demo App

Web Page: the web page has access to the shared data when authenticated as the Facebook User

Mobile application: …and the mobile application has access to the same shared data if the user is logged on to Facebook as the same user
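As an added example that is not the deck's code, here is the listRecords call above carried through with NextToken pagination and handling of records that come back without a Value, written against the AWS SDK for JavaScript v2 call shape. The CognitoSync client is injected rather than constructed, and the identity pool id and dataset name are placeholders.

```javascript
// Added example (not the deck's code): read one Cognito Sync dataset from the
// web page with the AWS SDK for JavaScript v2 CognitoSync client, following
// NextToken until every record is fetched. The client is passed in so the
// flow can run against a stub; the pool id and dataset name are placeholders.
const IDENTITY_POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000'; // placeholder
const DATASET_NAME = 'gadgets';                                              // placeholder

// Datasets live under an identity id. Use the id the credentials were issued
// for (AWS.CognitoIdentityCredentials exposes it as .identityId once refreshed):
// the page sees the mobile app's dataset only because both logged in to
// Facebook as the same user and so received the same Cognito identity.
async function readDataset(cognitoSync, identityId) {
  const values = {};
  let nextToken;
  do {
    const params = { IdentityPoolId: IDENTITY_POOL_ID, IdentityId: identityId, DatasetName: DATASET_NAME };
    if (nextToken) params.NextToken = nextToken;
    const page = await cognitoSync.listRecords(params).promise();
    for (const record of page.Records || []) {
      // A record returned without a Value is treated here as a deletion marker
      // (assumption), so it is dropped rather than surfaced as an empty gadget.
      if (record.Value === undefined || record.Value === null) {
        delete values[record.Key];
      } else {
        values[record.Key] = record.Value;
      }
    }
    nextToken = page.NextToken;
  } while (nextToken);
  return values;
}
```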


We covered a lot of ground in this deep-dive session!

AWS Mobile Services
•  Amazon Cognito: user identity & data synchronization service
•  Amazon SNS Mobile Push: powerful cross-platform push notification service
•  DynamoDB Connector: store any NoSQL data and also map mobile OS specific objects to DynamoDB tables
•  S3 Connector: easily upload, download to S3 and also pause, resume, and cancel these operations
•  SQS Connector: access distributed buffering and queuing service

AWS Services & Features
•  Amazon S3: online file storage web service
•  Amazon Elastic Transcoder: highly scalable media transcoding in the cloud
•  Amazon CloudFront: Content Delivery Network (CDN)
•  Amazon Elastic Beanstalk: Platform as a Service (PaaS)
•  Amazon Identity and Access Management: securely control access to AWS services and resources for your users


Online Labs | Training
Gain confidence and hands-on experience with AWS. Watch free Instructional Videos and explore Self-Paced Labs

Instructor Led Classes
Learn how to design, deploy and operate highly available, cost-effective and secure applications on AWS in courses led by qualified AWS instructors

AWS Certification
Validate your technical expertise with AWS and use practice exams to help you prepare for AWS Certification

http://aws.amazon.com/training

Thank You