Aws IOT core for Android devices

Question

We are looking to use AWS IOT core for device management of our android devices . Our devices already have our custom app installed on them and our plan was to leverage the app to provision the device. So we decided to bundle a common certificate and start up script (code) in the app . The script will be invoked on device start up and this will provision our devices by connecting to iot core. 
Can you advice us if this will work because 
1) We will use a common certificate for all devices . If we are using fleet provisioning then my understanding is that aws iot core will install the unique certificates on the device during first connection . In our case , the certificates are installed on the app . So will it be possible for us to use fleet provisioning ? 
2) Do we have to use unique certificates for each device while provisioning ? 
3) Can we use BKS (bouncy castle keystore) instead of X509 certs?

Accepted Answer

Hi Smr. In general, it's more common for mobile apps to use [Cognito identities](https://docs.aws.amazon.com/iot/latest/developerguide/cognito-identities.html) than X.509 certificates. And to use our [mobile SDK](https://docs.amplify.aws/sdk/pubsub/getting-started/q/platform/android/) or [Amplify](https://docs.amplify.aws/lib/pubsub/getting-started/q/platform/js/) to publish and subscribe to AWS IoT Core.

Nonetheless, fleet provisioning is available in two forms: [Fleet provisioning by claim](https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html) and [fleet provisioning by trusted user](https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html#trusted-user).

Fleet provisioning relies on a common certificate. The "claim certificate". This is a close fit to what you described.

Fleet provisioning by trusted user dynamically generates a time-limited claim certificate after the user logs in. This is more secure than distributing a claim certificate with an app, and mobile apps would typically require a user to create an account and to login as part of setup anyway. Thus fleet provisioning by trusted user would typically be a better fit for a mobile app.

To use fleet provisioning, your app/device needs to implement the [Device provisioning API](https://docs.aws.amazon.com/iot/latest/developerguide/fleet-provision-api.html). Some of our SDKs [implement part of this](https://github.com/aws/aws-iot-device-sdk-java-v2/tree/main/samples#fleet-provisioning), but where you store the unique device certificate on your device is up to you.

Blog: https://aws.amazon.com/blogs/iot/how-to-automate-onboarding-of-iot-devices-to-aws-iot-core-at-scale-with-fleet-provisioning/

Whitepaper (see pages 15-19): https://d1.awsstatic.com/whitepapers/device-manufacturing-provisioning.pdf

Aws IOT core for Android devices

Relevant content