This content is part of the Essential Guide: AWS re:Invent 2015: A guide to Amazon's sold-out event

AWS Cognito makes a mark in mobile app development

Amazon Web Services is building a growing arsenal of mobile services. AWS Cognito is one of them, providing consistent app performance across all devices.

Developing applications can be a major challenge in the post-PC era -- where an average person uses at least three mobile devices. Users expect consistent access and views of data from each device, but synchronizing the same user identities, application settings and data across all devices is difficult. Add to that the fact that each device is likely running a different OS, and the work for developers multiplies.

The salvation is constant connectivity that allows apps to almost always rely on back-end services. This makes the cloud a natural spot to unify the user experience. Mobile devices, in particular, are prime candidates for cloud back ends given their limited local storage and -- until recently -- CPU resources.

Amazon Web Services (AWS) recognized the opportunity in mobile backend as a service and has gradually built a compelling portfolio of mobile services that includes remote compute from AWS Lambda, push notifications with Simple Notification Service, database and storage from products like DynamoDB and Simple Storage Service, API management through the API Gateway, data streaming with Kinesis, Mobile Analytics and user identity and data synchronization via AWS Cognito.

One of the mobile app development tools available, AWS Cognito, is arguably the lynchpin to all of these mobile services, as identity and state management are critical to provide a consistent app experience across platforms.

Identity and credentials management

Managing credentials on mobile devices is difficult because, unlike a PC or server, the OS doesn't support local user accounts. Even native OS features like backup and find-my-phone applications rely on a cloud login and back-end services. Some apps eschew cloud authentication and embed credentials within the executable, which risks exposure via disassemblers such as Hopper on Linux and iOS and APK Studio for Android. But the rise of federated identity protocols, such as OpenID and OAuth, as well as wide-scale adoption by major services like Facebook, Google and Twitter, mean that most users already have online credentials for application authentication and data access. These are credentials that AWS Cognito can use.

Cognito provides a key-based system for authenticating users and sharing credentials over a secure back end, eliminating the need for embedded API tokens. AWS Cognito issues public and private keys for each user and establishes a secure transmission channel to the back-end service. Credentials expire after a short time, meaning that even if a malicious attacker grabs the keys, they won't be usable for very long. Credentials have limited access rights as defined by the identity pool in the Cognito management console. Furthermore, permissions granted to unauthenticated guests can be different than those given to authenticated users.

The foundation of Cognito is user identity management, including user authentication and secure credential management -- getting end users onto a device, limiting their lifetimes and enforcing key rotation -- as well as security enablement -- linking credentials to policies that control user access to online resources.

AWS Cognito follows a hierarchical model for user identity. The apex is the AWS developer account that provides access to Cognito and other AWS products. Within the Cognito service, the next layer is an identity pool, essentially a list of applications, each with their own ID and credentials. Within the identity pool is a set of individual identities for user and device accounts. Each of those identities can then have zero or more logins associated with it. Users with no logins are granted guest privileges, but why would a user have more than one login?

In addition to using different devices, some people have multiple identities with popular online platforms. Why make them create another login just to access your app?

If an app supports multiple identity providers, such as Google, Facebook or Amazon, AWS Cognito can bind these into a single identity; this means a user can authenticate with any one of them and see the same account and data. Besides brokering identities, AWS Cognito allows apps to do their own authentication. Developers can register and authenticate users via an existing authentication process, while using Cognito to synchronize user data and access AWS resources. Cognito authentication is a multistep process that results in a secure token on the device.

AWS Cognito syncs data across mobile devices

Data synchronization is another major feature of Cognito, with a service and client APIs that synchronize user data across mobile devices and Web apps. Like most cloud file-and-sync services, AWS Cognito locally caches data if a device is temporarily offline and automatically synchronizes with the AWS back end when a connection is re-established.

Cognito saves end-user data as key-value pairs; apps always write to the local cache, and the service then replicates this to a master back-end database. Synchronized data sets are capped at 1 MB, but each user identity can be associated with up to 20 data sets. Synchronization can be initiated via an API call or automatic push, which notifies every instance whenever data changes.

In the case of conflicts, the last write wins. AWS Cognito first reads changes from the cloud database and then writes local changes to the cloud, but the default behavior can be overridden with custom code.
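The pull-then-push sequence, the last-write-wins default and the two size limits described above, modelled as an added example (this is not AWS SDK code; the record shape, millisecond timestamps and the `synchronize`, `lastWriteWins` and `addDataset` names are assumptions), with the resolver overridable by custom code:

```javascript
// Added example: a model of the Cognito Sync semantics the article describes.
// Not AWS SDK code; record shape, timestamps and function names are assumptions.
const MAX_DATASET_BYTES = 1024 * 1024;      // 1 MB cap per synchronized data set
const MAX_DATASETS_PER_IDENTITY = 20;       // data sets allowed per user identity

// A data set is an object mapping key -> { value, modifiedAt } (modifiedAt in ms).
function datasetBytes(dataset) {
  return Object.entries(dataset).reduce(
    (n, [key, rec]) => n + Buffer.byteLength(key) + Buffer.byteLength(rec.value), 0);
}

// Default conflict resolver: the most recent write wins.
function lastWriteWins(key, localRec, remoteRec) {
  return localRec.modifiedAt >= remoteRec.modifiedAt ? localRec : remoteRec;
}

// Synchronize one data set: pull remote changes first, then push local changes made
// since the last sync. Pass a custom `resolve` to override the last-write-wins default.
function synchronize(local, remote, lastSyncedAt, resolve = lastWriteWins) {
  const merged = { ...remote };                                // step 1: start from the cloud copy
  for (const [key, localRec] of Object.entries(local)) {
    const remoteRec = remote[key];
    if (!remoteRec) { merged[key] = localRec; continue; }     // key only present locally
    const localChanged = localRec.modifiedAt > lastSyncedAt;
    const remoteChanged = remoteRec.modifiedAt > lastSyncedAt;
    if (localChanged && remoteChanged) merged[key] = resolve(key, localRec, remoteRec);
    else if (localChanged) merged[key] = localRec;            // step 2: push the local write
    // otherwise the remote record already copied into `merged` stands
  }
  if (datasetBytes(merged) > MAX_DATASET_BYTES) {
    throw new Error('data set exceeds the 1 MB limit; sync rejected');
  }
  return merged;
}

// Attach a data set to an identity, enforcing the 20-per-identity limit.
function addDataset(identity, name) {
  if (Object.keys(identity.datasets).length >= MAX_DATASETS_PER_IDENTITY) {
    throw new Error('identity already has 20 data sets');
  }
  identity.datasets[name] = {};
  return identity;
}

// Constructed sample: a settings data set edited on two devices since the last sync at t=100.
const localSettings  = { theme: { value: 'dark',  modifiedAt: 150 }, lang: { value: 'en', modifiedAt: 50 } };
const remoteSettings = { theme: { value: 'light', modifiedAt: 120 }, lang: { value: 'fr', modifiedAt: 130 },
                         font:  { value: '12',    modifiedAt: 110 } };
console.log(synchronize(localSettings, remoteSettings, 100));
```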

Getting to work with Cognito

AWS Cognito is configured through the AWS Management Console. Administrators can create an identity pool, roles for authenticated and unauthenticated users and configure authentication providers. The management page also includes links to the AWS SDK and sample code for Android, iOS, JavaScript, .Net and others.


In sum, Cognito provides secure identity management and data synchronization that gives users a consistent profile and view of data across all devices and logins. It works with many existing authentication systems and includes sample code for major mobile platforms and Web applications.
