I am building an Android application that will send reports to a server. These reports are plain JSON files stored on Amazon S3.
The Amazon user only has the PutObject permission on a specific S3 bucket.
The documentation states that we should use the Token Vending Machine mechanism instead of hardcoded keys within the application.
I cannot see the advantage of this method.
I get that a hacker could decompile my app to find the keys. But his only choice then is to send files to the bucket, nothing else (no file listing, no file retrieval).
If I use the anonymous TVM, the process is:
- Get a token valid for 24 hours
- Use this token to send files to the bucket
A hacker could also call the TVM server to request unlimited tokens and send files to my bucket. It does not seem to solve this problem.
What is the real advantage in using TVM?
You can attach different authorizations to each mobile UID, giving you finer control over what you allow people to access. You can also control how much AWS access the TVM has using policies. You can also stop it at any given time. If they get your keys, you will have to disable the whole account. If you are OK with that, you probably don’t need to use the TVM.
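To make the "per-UID authorization" point in the answer concrete, here is an added example (not code from the question or the answer) showing the difference between the single hardcoded-key policy the question describes and the scoped-down session policy a TVM can hand to `GetFederationToken` for each device. The bucket name, the device UIDs and the tiny policy evaluator are all constructed for this example; the `federation_token_request` function only builds the parameters a TVM would pass to STS (it does not call AWS), and the evaluator implements just the Allow/Deny/wildcard subset needed here, not full IAM semantics.

```python
import fnmatch
import json

BUCKET = "example-reports-bucket"  # hypothetical bucket name for this example


def hardcoded_key_policy(bucket):
    """The situation in the question: one static IAM user whose key is
    baked into the app, allowed to PutObject anywhere in the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def tvm_session_policy(bucket, device_uid):
    """Scoped-down policy a TVM attaches to the temporary credentials it
    vends: this device may only write under its own key prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{device_uid}/*"],
        }],
    }


def federation_token_request(bucket, device_uid, revoked_uids=(), duration_seconds=3600):
    """Parameters the TVM would pass to STS GetFederationToken (e.g. boto3's
    sts.get_federation_token(**params)).  The TVM is the choke point: a device
    the operator has revoked simply gets no token, and no new token can be
    issued at all once the TVM's own IAM credentials are disabled."""
    if device_uid in revoked_uids:
        raise PermissionError(f"device {device_uid} has been revoked")
    return {
        "Name": device_uid,  # federated user name, 2-32 chars
        "Policy": json.dumps(tvm_session_policy(bucket, device_uid)),
        "DurationSeconds": duration_seconds,  # STS enforces the expiry
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Minimal policy evaluator, constructed for this example only:
    an explicit Deny wins, otherwise any matching Allow grants access.
    IAM's '*' and '?' wildcards behave like fnmatch's ('*' also spans '/')."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    key = f"arn:aws:s3:::{BUCKET}/device-b/report.json"
    print("hardcoded key writes to device-b prefix:",
          is_allowed(hardcoded_key_policy(BUCKET), "s3:PutObject", key))
    print("device-a token writes to device-b prefix:",
          is_allowed(tvm_session_policy(BUCKET, "device-a"), "s3:PutObject", key))
    print(json.dumps(federation_token_request(BUCKET, "device-a"), indent=2))
```

Two caveats a practitioner should keep in mind: the policy passed to `GetFederationToken` is intersected with the permissions of the IAM user the TVM itself runs as, so the TVM's own policy is still the outer bound on what any vended credential can do, and revoking the TVM's keys stops new tokens immediately but does not recall tokens already issued, which live until their `DurationSeconds` expire.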