Secure Access to Amazon S3
Hi and thanks to everyone who's contributed to this excellent framework.
I'm in the process of helping a small startup magazine publish to the Newsstand. I'm using a solution based on the Baker Framework and MagRocket. Since the magazine will include auto-renewable subscriptions, online security of magazines was a concern. Amazon S3 seems to be a perfect solution and is often discussed or recommended for this purpose. What is not discussed though is the question of how to access Amazon S3 Newsstand assets securely? i.e. the Amazon S3 bucket and objects are not shared to everyone.
Two options come to mind:
(a) Amazon S3 Pre-signed URLs (either short or long expiry)
With or without using the AWS iOS SDK these can be quite easily implemented in the Baker App, and work well for downloading shelf.json (not required with MagRocket) and cover art. They will not work for downloading magazines however, because an Amazon S3 Pre-signed URL would be valid for just a single REST verb (in this case a GET request) while the NKAssetDownload class requires both GET and HEAD requests (HEAD requests would thus fail on such Amazon S3 Pre-signed URLs authorised for GET, and the download fails). This issue has been discussed in related posts https://github.com/Simbul/baker/issues/752 and http://stackoverflow.com/questions/12582849/nsurlconnectiondownloaddelegate-expectedtotalbytes-zero-in-ios-6
(b) Implement the AmazonServiceRequestDelegate to replace NSURLConnectionDownloadDelegate
I've uploaded an updated BakerIssue class that implements this approach here https://gist.github.com/appsxt/6619881. It appears to work. The downside is that background downloads are no longer available, since I think these are only supported by NKAssetDownload that has here been replaced.
Would Apple accept such a solution?
Is there a better technique to support secure Amazon S3 downloads?
Any help, improvements or suggestions would be most appreciated.
Thanks,
Mike
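Why a URL pre-signed for GET fails the HEAD request described in option (a), shown as an added example that is not part of the original post or of Baker: in S3's query-string authentication of that era (Signature Version 2), the HTTP verb is the first field of the signed string. The bucket, key and credentials are constructed, and `s3_would_answer` is a hypothetical local model of the service-side check, not an AWS API.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Constructed credentials and names, for illustration only.
ACCESS_KEY = "AKIAEXAMPLEKEYID0000"
SECRET_KEY = b"constructed-secret-for-demo-only"
BUCKET = "example-magazine-assets"
KEY = "issues/2013-09.hpub"

def _signature(method, bucket, key, expires):
    # SigV2 StringToSign: VERB, Content-MD5, Content-Type, Expires, resource.
    # Content-MD5 and Content-Type are empty for a plain download.
    string_to_sign = f"{method}\n\n\n{expires}\n/{bucket}/{key}"
    digest = hmac.new(SECRET_KEY, string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def presign(method, bucket, key, expires):
    """Build a query-string-authenticated URL valid for one verb until `expires`."""
    sig = quote(_signature(method, bucket, key, expires), safe="")
    return (f"https://{bucket}.s3.amazonaws.com/{key}"
            f"?AWSAccessKeyId={ACCESS_KEY}&Expires={expires}&Signature={sig}")

def s3_would_answer(method, url, now):
    """Hypothetical model of the service-side check; returns an HTTP status."""
    parts = urlsplit(url)
    bucket = parts.hostname.split(".")[0]
    key = parts.path.lstrip("/")
    query = parse_qs(parts.query)
    expires = int(query["Expires"][0])
    if now > expires:
        return 403  # link has expired
    # The service recomputes the signature using the verb of the incoming
    # request, so a signature made for GET cannot match a HEAD request.
    expected = _signature(method, bucket, key, expires)
    presented = query["Signature"][0]
    return 200 if hmac.compare_digest(expected, presented) else 403

if __name__ == "__main__":
    url = presign("GET", BUCKET, KEY, expires=1379600000)
    for verb in ("GET", "HEAD"):
        print(verb, s3_would_answer(verb, url, now=1379599000))
```

Signature Version 4 pre-signed URLs bind the verb in the same way, through the first line of the canonical request.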
Personally I would just use MagRocket and turn on "Issue Security" which will basically obfuscate the endpoint to the HPUB content and act as an intermediary on downloading the asset. Then you could do whatever you needed to do in the MagRocket API to retrieve whatever content you ultimately want. You also don't have to change actual Baker code with that approach.
Andrew
From: appsxt [email protected] To: Simbul/baker [email protected] Sent: Thursday, September 19, 2013 2:12 AM Subject: [baker] Secure Access to Amazon S3 (#1141)
Thanks Andrew. Probably that's what I'll end up doing, since the project's deadline is drawing near and I think it's unlikely that Apple will approve a Newsstand App without background downloading functionality.
Ultimately though, I think it's still worth exploring if a secure connection to Amazon S3 hosted Newsstand assets could be established, without the assets being shared to everyone. It'd be more comforting for content developers to know that their assets are properly secured rather than just hidden.
Rather than hacking the Baker code, would it be worthwhile to explore whether the NSURLRequest could be replaced by an S3GetObjectRequest higher up the chain? E.g. as a subclass of NKAssetDownload (not sure if that's the right place or technique).
Cheers,
Mike
I would also suggest adding a password to the .zip (.hpub) file that only the Baker app knows how to unzip internally.
I have seen another developer customize his Baker based instance to do this. That way even if someone could grab the HPUB, they wouldn't be able to unzip the contents.
Andrew
From: appsxt [email protected] To: Simbul/baker [email protected] Cc: Andrew [email protected] Sent: Saturday, September 21, 2013 11:35 PM Subject: Re: [baker] Secure Access to Amazon S3 (#1141)
Wow that seems complex! Is it easy for anyone to implement or do you really need to know your stuff to do this Andrew?
In summary, this is how we ended up implementing a level of asset protection for this project:
- ZIP password encryption of the HPUB file
- Setting the Baker Cloud Console (CE) "Issue Security" to True
- Randomising the Amazon S3 bucket name
Adding a password to the HPUB file is quickly implemented and only requires changing one line in BakerIssue.m:

```objc
unzipSuccessful = [SSZipArchive unzipFileAtPath:[destinationURL path] toDestination:destinationPath overwrite:YES password:ISSUES_ARCHIVE_PASSWORD error:nil];
```

with ISSUES_ARCHIVE_PASSWORD defined in Constants.h or elsewhere.
Cheers,
Mike
Hello @appsxt,
This issue board isn't in use anymore, and it's left available for historic reasons.
Please refer to the new issue board for future comments and suggestions: https://github.com/BakerFramework/baker/issues
(btw, that's a clever solution :D).