Starting/Stopping an AWS workload from an Android App
Goal: to control (be able to Start and Stop) an AWS workload from an Android App. The workload is an EC2 instance in AWS (web server, Minecraft server, etc.).
Process flow: App > API gateway > Lambda Function
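The Lambda end of that flow, as an added example in Python (not the author's code). It assumes an API Gateway Lambda proxy integration whose JSON body carries "action" and "instance_id", and an ALLOWED_INSTANCE_IDS environment variable naming the instances the function may control; both are assumptions, not details from the write-up. The handler accepts only the two actions it exists for, validates the instance ID format, checks the instance against the allowlist before calling EC2, and takes the EC2 client as a parameter so it can be exercised offline with the fake client at the bottom.

```python
"""Added example: Python Lambda handler for the API Gateway -> Lambda step.
Not the original write-up's code. Assumed (not from the write-up): a Lambda
proxy integration with a JSON body {"action": "start"|"stop",
"instance_id": "i-..."} and an ALLOWED_INSTANCE_IDS environment variable."""
import json
import os
import re

# Strict allowlist of actions, mapped to the boto3 EC2 client method that performs them.
ACTIONS = {"start": "start_instances", "stop": "stop_instances"}
# EC2 instance IDs are "i-" followed by 8 (legacy) or 17 lowercase hex characters.
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def allowed_instance_ids():
    """Instances this function may control, from the assumed comma-separated env var."""
    raw = os.environ.get("ALLOWED_INSTANCE_IDS", "")
    return {i.strip() for i in raw.split(",") if i.strip()}


def parse_request(event):
    """Validate a proxy-integration event.
    Returns (action, instance_id, None) on success or (None, None, error) on failure."""
    try:
        body = json.loads(event.get("body") or "{}")
    except (TypeError, ValueError):
        return None, None, "body is not valid JSON"
    if not isinstance(body, dict):
        return None, None, "body must be a JSON object"
    action = body.get("action")
    instance_id = body.get("instance_id")
    if not isinstance(action, str) or action not in ACTIONS:
        return None, None, "action must be one of: start, stop"
    if not isinstance(instance_id, str) or not INSTANCE_ID_RE.match(instance_id):
        return None, None, "instance_id is not a well-formed EC2 instance ID"
    return action, instance_id, None


def control_instance(action, instance_id, ec2, allowed):
    """Apply the action through the given EC2 client, only for allowlisted instances."""
    if instance_id not in allowed:
        return 403, {"error": "instance not permitted"}
    resp = getattr(ec2, ACTIONS[action])(InstanceIds=[instance_id])
    key = "StartingInstances" if action == "start" else "StoppingInstances"
    state = resp[key][0]["CurrentState"]["Name"]
    return 200, {"instance_id": instance_id, "state": state}


def _response(status, payload):
    """Shape API Gateway expects back from a proxy-integrated Lambda."""
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}


def lambda_handler(event, context, ec2=None, allowed=None):
    """Entry point. ec2 and allowed are injectable for offline testing; in Lambda
    they default to a real boto3 client (present in the Lambda runtime) and the env var."""
    action, instance_id, err = parse_request(event)
    if err:
        return _response(400, {"error": err})
    if allowed is None:
        allowed = allowed_instance_ids()
    if ec2 is None:
        import boto3  # imported lazily so this module loads without boto3 installed
        ec2 = boto3.client("ec2")
    status, payload = control_instance(action, instance_id, ec2, allowed)
    return _response(status, payload)


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client, mimicking its response shape."""
    def __init__(self):
        self.calls = []

    def start_instances(self, InstanceIds):
        self.calls.append(("start", tuple(InstanceIds)))
        return {"StartingInstances": [{"InstanceId": i, "CurrentState": {"Name": "pending"}}
                                      for i in InstanceIds]}

    def stop_instances(self, InstanceIds):
        self.calls.append(("stop", tuple(InstanceIds)))
        return {"StoppingInstances": [{"InstanceId": i, "CurrentState": {"Name": "stopping"}}
                                      for i in InstanceIds]}


if __name__ == "__main__":
    fake = FakeEC2()
    allowed = {"i-0123456789abcdef0"}
    for body in ({"action": "start", "instance_id": "i-0123456789abcdef0"},
                 {"action": "stop", "instance_id": "i-0fedcba9876543210"},
                 {"action": "terminate", "instance_id": "i-0123456789abcdef0"}):
        print(lambda_handler({"body": json.dumps(body)}, None, ec2=fake, allowed=allowed))
```

The allowlist in the function is a second layer, not the only one: the Lambda's IAM execution role should grant only ec2:StartInstances and ec2:StopInstances on the ARNs of those same instances, so a bug in the handler cannot reach anything else in the account.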
Lessons learned:
Setting up Android apps, EC2 instances, API Gateway, and Lambda functions
Highlights: (Android App)
Kotlin is now the default language in Android Studio and is recommended for new apps.
Jetpack Compose is the built-in toolkit for building the app's graphical user interface.
The minSdk and targetSdk values are important: minSdk is the oldest Android version the app will install on, and targetSdk is the Android version the app declares it was built and tested against. Together they decide which platform features the compiled application can rely on (roughly like a DirectX version). This project used minSdk and targetSdk 26; Jetpack Compose, for example, is not supported on older Android versions.
Hardcoding API keys in the application is insecure because:
- APK Files Can Be Decompiled:
Android apps are distributed as .apk files. An APK can be reverse-engineered with tools like apktool, JADX, or dex2jar, which turn the compiled code back into readable Java-like source whether the app was written in Java or Kotlin.
- No Real Obfuscation of Secrets:
Even if the code is obfuscated (e.g., with ProGuard or R8), strings such as API keys are usually still recoverable: those tools rename classes and methods but do not encrypt string literals, and the key has to exist in plaintext in memory at the moment the app attaches it to a request.
- Static Analysis Tools:
Attackers can run tools that scan an APK for patterns (identifiers like API_KEY or token, or known key formats) and extract candidate keys automatically, without reading the decompiled code by hand.
- Runtime Memory Inspection:
Keys can also be read from the running app's memory, or intercepted at the point where the app attaches them to a request, using hooking tools like Frida or Xposed if the attacker can run the app in an environment they control (a rooted device or an emulator).
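To make the decompilation and static-analysis points above concrete, here is an added Python example (not code from the original write-up) of the kind of automated scan an attacker would run. An APK is a ZIP file, so the scanner walks every entry, pulls printable ASCII runs out of the raw bytes the way the strings utility does (which also catches entries in the DEX string table), and flags three things: a known key format (AWS access key IDs), suspicious identifiers such as API_KEY, and long high-entropy tokens. The APK it scans is constructed in memory; the AWS key in it is the placeholder value used in the AWS documentation, and the other key is made up for this example.

```python
"""Added example, not the write-up's code: scan an APK (a ZIP) for key-like strings.
The sample APK and all credential-looking values below are constructed placeholders."""
import io
import math
import re
import zipfile

# Printable ASCII runs of at least 6 bytes, as `strings -n 6` would extract them.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# AWS access key IDs have a fixed, well-known shape.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Identifier names that usually sit next to a secret in code or config.
SUSPICIOUS_NAME = re.compile(r"(?i)\b(api[_-]?key|x-api-key|secret|token|password)\b")
# A string that is nothing but one long alphanumeric token is a candidate credential.
LONG_TOKEN = re.compile(r"^[A-Za-z0-9_-]{32,}$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score high, words score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(s):
    """Return the finding type for one extracted string, or None if it looks benign."""
    if AWS_ACCESS_KEY_ID.search(s):
        return "aws_access_key_id"
    if SUSPICIOUS_NAME.search(s):
        return "suspicious_identifier"
    if LONG_TOKEN.match(s) and shannon_entropy(s) > 3.5:
        return "high_entropy_token"
    return None


def scan_apk(apk_bytes):
    """Scan every entry of an APK and return (entry, finding_type, string) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            for run in PRINTABLE_RUN.findall(data):
                s = run.decode("ascii")
                kind = classify(s)
                if kind:
                    findings.append((name, kind, s))
    return findings


def build_sample_apk():
    """Constructed stand-in for a real APK: a ZIP with a DEX-like blob and a resource file.
    Real DEX string tables carry a length prefix before each string; this blob simplifies
    that to NUL separators mixed with binary noise, which is all the scanner relies on."""
    noise = b"\x00\x01\x02\xff\xfe" * 8
    dex_like = (b"dex\n035\x00" + noise
                + b"\x00API_KEY\x00"                                     # constant name
                + b"\x00constructedExampleKey0123456789abcdefGHIJ\x00"  # made-up key value
                + b"\x00AKIAIOSFODNN7EXAMPLE\x00"                        # AWS docs placeholder
                + b"\x00Landroidx/compose/ui/Modifier;\x00"              # ordinary class name
                + b"\x00MainActivity\x00" + noise)
    config = (b'{"endpoint": "https://example.com/prod/ec2", '
              b'"x-api-key": "constructedExampleKey0123456789abcdefGHIJ"}')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex_like)
        z.writestr("res/raw/config.json", config)
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00binary manifest placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, value in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind}: {value}")
```

Note that the ordinary class name and the manifest text pass through untouched while both copies of the key are flagged, which is exactly why an API key compiled into the app should be treated as public the moment the APK ships.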