Where to store SNS Platform Endpoint ARN when registering devices?



I have been implementing what should be a fairly straight-forward integration with SNS to send mobile push notifications.

However, I have found 2 different sources from the docs ^1 and the blog ^2 that clearly state I have ignored some corner cases.

It may be tempting to just call CreatePlatformEndpoint every time at app startup and call it good. In practice this method doesn’t give a working endpoint in some corner cases, such as when an app was uninstalled and reinstalled on the same device and the endpoint for it already exists but is disabled.

Looking at the provided examples, AWS recommend storing the platform endpoint ARN bound to the current device, but as I understand it, this cannot be stored in the device itself, since a malicious user may alter it and thus be granted access to another user's platform endpoint.

Nor could I store it in Dynamo (or another database), indexed by the device token, which could be changed by FCM.

What would be the recommended way to store the platform endpoint? Should I encrypt it with KMS and still store it on the end user device? Or maybe storing it in plain text is not as bad as I believe? Or did I misunderstand something about the way the device token is updated?

asked a year ago · 491 views
1 Answer

Storing the platform endpoint ARN on the end user device is not recommended due to the potential security risks you mentioned. Encrypting the ARN with KMS and storing it on the device would add an extra layer of security, but it may still be vulnerable to attacks if the encryption key is compromised.

A better solution would be to store the platform endpoint ARN in a secure backend system like DynamoDB, indexed by a unique identifier for the user, such as a user ID. This way, the platform endpoint ARN can be retrieved and used to send push notifications without the need to store it on the end user device.

To handle the corner case where the app is uninstalled and reinstalled on the same device, you can use the SNS feature called "event feedback". When an app is uninstalled, SNS will receive an event feedback message from the platform (such as FCM or APNS) indicating that the endpoint is no longer valid. You can use this message to disable the endpoint and delete it from your backend system, and create a new endpoint when the app is reinstalled.

answered a year ago
  • I believe this answer was generated through GPT. Pasting my question into GPT produces this reply with very little difference. In addition, this user produced 13 replies in less than 1 hour yesterday, an average of 4 minutes per answer. All of them in a very remarkable form that reminds me of ChatGPT.

    While I do see the value of such a tool - and in fact - I used it myself to do my research before coming to re:Post - I created this question hoping to get feedback from either experienced AWS users, who have first-hand experience with SNS, or maybe AWS engineers who worked on the service.
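The following is an added example, not code from the question, the answer or AWS, showing the backend-side registration flow the answer describes: the client sends only its current device token over an authenticated request, the backend looks up the endpoint ARN by the authenticated user ID (a dict stands in for the DynamoDB table), and the ARN never leaves the backend. It also handles the corner cases the question cites, following the shape of the registration flow in the SNS documentation: a stored ARN whose endpoint was disabled after an uninstall/reinstall, a rotated FCM token, and a stored ARN whose endpoint no longer exists. `FakeSns`, `NotFoundException`, the `register_device` function, the user IDs, tokens and the application ARN are all constructed for this example; the three client methods mirror the boto3 SNS calls of the same name so the function works unchanged against a real `boto3.client("sns")`.

```python
import uuid


class NotFoundException(Exception):
    """Constructed stand-in for sns.exceptions.NotFoundException."""


class FakeSns:
    """Constructed in-memory stand-in for the boto3 SNS client (not the real client).

    It mirrors the three calls the registration flow uses and the one behaviour
    that matters for the corner case in the question: CreatePlatformEndpoint on
    a token that is already registered returns the existing endpoint, even when
    that endpoint has been disabled by a delivery failure."""

    def __init__(self):
        # EndpointArn -> {"Token": str, "Enabled": "true" | "false"}
        self.endpoints = {}

    def create_platform_endpoint(self, PlatformApplicationArn, Token):
        for arn, attrs in self.endpoints.items():
            if attrs["Token"] == Token:
                return {"EndpointArn": arn}  # existing endpoint, possibly disabled
        arn = f"{PlatformApplicationArn}/endpoint/{uuid.uuid4()}"
        self.endpoints[arn] = {"Token": Token, "Enabled": "true"}
        return {"EndpointArn": arn}

    def get_endpoint_attributes(self, EndpointArn):
        if EndpointArn not in self.endpoints:
            raise NotFoundException(EndpointArn)
        return {"Attributes": dict(self.endpoints[EndpointArn])}

    def set_endpoint_attributes(self, EndpointArn, Attributes):
        if EndpointArn not in self.endpoints:
            raise NotFoundException(EndpointArn)
        self.endpoints[EndpointArn].update(Attributes)


def register_device(sns, store, user_id, token, app_arn):
    """Register or refresh the push endpoint for an authenticated user.

    `user_id` comes from the backend's own session/auth layer, never from a
    client-supplied field; `store` is a user_id -> EndpointArn mapping that
    plays the role of the DynamoDB table. The client only ever supplies `token`.
    Returns the endpoint ARN the backend will use for sends."""
    # With real boto3 the not-found error is sns.exceptions.NotFoundException;
    # fall back to the constructed class so the fake client works too.
    not_found = getattr(getattr(sns, "exceptions", None), "NotFoundException", NotFoundException)

    arn = store.get(user_id)
    if arn is None:
        # First registration for this user (or backend lost its record). SNS may
        # hand back an existing, disabled endpoint here; the check below fixes that.
        arn = sns.create_platform_endpoint(PlatformApplicationArn=app_arn, Token=token)["EndpointArn"]
        store[user_id] = arn

    try:
        attrs = sns.get_endpoint_attributes(EndpointArn=arn)["Attributes"]
    except not_found:
        # Stored ARN points at an endpoint deleted out of band: recreate and re-store.
        arn = sns.create_platform_endpoint(PlatformApplicationArn=app_arn, Token=token)["EndpointArn"]
        store[user_id] = arn
        attrs = sns.get_endpoint_attributes(EndpointArn=arn)["Attributes"]

    # Rotated token (FCM refresh) or disabled endpoint (uninstall/reinstall):
    # update in place rather than creating a second endpoint for the same device.
    if attrs["Token"] != token or attrs["Enabled"].lower() != "true":
        sns.set_endpoint_attributes(EndpointArn=arn, Attributes={"Token": token, "Enabled": "true"})
    return arn


if __name__ == "__main__":
    sns, table = FakeSns(), {}
    app = "arn:aws:sns:us-east-1:123456789012:app/GCM/example"  # constructed
    arn = register_device(sns, table, "user-1", "fcm-token-A", app)
    sns.endpoints[arn]["Enabled"] = "false"  # simulate delivery failure after reinstall
    assert register_device(sns, table, "user-1", "fcm-token-A", app) == arn
    print("re-enabled:", sns.endpoints[arn])
```

Because the lookup key is the server-side user ID and the ARN is never sent to the device, a tampered client cannot point sends at another user's endpoint; it can only present a token, and SNS binds that token to the endpoint the backend already owns for that user.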
