Amazon DevPay
Developer Guide (API Version 2007-12-01)

Appendix: Risks to DevPay Products


Amazon DevPay is not accepting new seller accounts at this time. Please see AWS Marketplace for information on selling your applications on Amazon Web Services.

All Internet-based products are subject to risk. This appendix outlines several possible threats to Amazon S3 DevPay products (these threats do not apply to paid or supported AMIs). Keep them in mind when designing your product.

Malicious User Impersonates a Desktop Product

Who experiences the risk: You

A malicious user who understands how DevPay works signs up to use your DevPay desktop product. The user then extracts the product token from the product and uses the token with another product. You become liable for the charges incurred by the other product.

You should design your desktop product to guard your product token.

Malicious User Steals a Customer's Credentials

Who experiences the risk: Your customer

A malicious user steals customer credentials from an insecure desktop or database and impersonates the customer. The customer is then billed for the malicious user’s use of the product.

You should harden or obfuscate all stored credentials. Encourage your customers to closely monitor their bills and usage.

Malicious User Re-Signs Requests

Who experiences the risk: You

This is a classic "man-in-the-middle" attack. A malicious user who understands how DevPay works doesn't want to pay the prices required by a DevPay product. He signs up for his own AWS developer account and signs up to use the AWS service your DevPay product uses. He then mounts a man-in-the-middle attack in which he removes the DevPay product token from the request, inserts his own AWS developer credentials, and re-signs the request. He receives your product's functionality at the normal AWS service price (instead of the higher price charged by you), and you receive no revenue for his use of your product.