AWS for Industries

Connecting and Authenticating Automotive iOS App to AWS IoT Core

Introduction

Connecting car applications to the cloud for exchanging Internet of Things (IoT) data enables several benefits for automotive vehicles. Authenticating the connecting securely is crucial for enabling real-time diagnostics and predictive maintenance through continuous telemetry data sent to the cloud by original equipment manufacturer (OEM) for monitoring. An OEM’s ability to provide over-the-air updates for software, infotainment, and navigation services like maps helps ensure their vehicles stay updated without requiring visits to dealerships. Additionally, accessing real-time navigation data like traffic and parking from the cloud helps vehicle owners optimize routing and can provide a better driver experience. Therefore, having a secure mechanism to connect to the cloud for data exchange between the car application and the cloud is important for both vehicle owners and Automotive OEMs.

Overview

In this blog, we will showcase how to securely connect an iOS App to AWS IoT Core in order to send or receive data from IoT devices. Various methods are available to authenticate with AWS IoT such as using AWS Cognito user pools integrated with AWSMobileClient or X.509 certificates. However, as the application scales to accommodate numerous global users, these authentication mechanisms may become impractical. Cognito user pools involve per-user provisioning, potentially leading to scalability issues, while X.509 certificates present key distribution and rotation challenges at large scale. Therefore, alternative scalable authentication mechanisms need to be evaluated for global app deployments.

Traditionally, vehicle modules utilize Bluetooth Low Energy (BLE) to send telemetry data to the mobile app. From here there is a need to securely connect to cloud hyperscaler for telemetry data analysis. This can be achieved using AWS IoT SDK for iOS, which offers a set of libraries that help make it easy to interact with AWS IoT Core from iOS applications. This blog explains how to connect an iOS app to AWS IoT using the MQTT protocol over a WebSocket, without requiring users to generate unique X.509 certificates for each distribution of the app.

AWS IoT Core is a versatile and powerful service that is used by many of our automotive customers in the development and management of their IoT applications. AWS IoT Core offers several features to help automotive customers with: 1/ over-the-air firmware/software updates for vehicles using AWS IoT Jobs, 2/ data collection and analysis for and vehicle diagnostics and, 3/ authentication and authorization functionality, enabling customers to safeguard connected vehicles, applications, and their customers’ data. Amazon Cognito Identity Pools are designed to provide the capability for mobile and web applications to offer guest user access without requiring login to certain AWS resources, enabling limited access for non-authenticated users. Specifically, Cognito Identity Pools helps support guest access by allowing applications to obtain temporary AWS credentials with predefined permissions to access permitted resources, without requiring user authentication. This guest access, coupled with customer implemented controls like bot detection allows certain aspects of the application to be available to non-logged-in guests, while still restricting access to more sensitive data and functionality. Overall, the guest user access is an important feature of Identity Pools that helps balance application access and security.

Prerequisites

The following are the prerequisites for the authentication solution described in the following blog:

  • Working iOS Application
  • Basic knowledge of Amazon Cognito and AWS IoT Core.
  • User pool created from Amazon Cognito

Solution overview

Figure 1 – High level architecture for authenticating and connecting iOS app to AWS IoT ServicesFigure 1 – High level architecture for authenticating and connecting iOS app to AWS IoT Services

Walk-through

For the initial setup of Amazon Cognito user pools refer to the Create a new user pool document till step 7. Once you have the user pool created, you can follow the below steps to integrate the iOS application.

Step 1: Integrate your app to Amazon Cognito

1.1 User pool name (refer to Figure 2)

Reference the user pool that was created through setup guide. We will be using example-user-pool for this blog post.

Figure 2 Integrate the app to previously created user poolFigure 2: Integrate the app to previously created user pool

1.2 Hosted authentication pages (refer to Figure 3)

You can choose to use Cognito’s hosted UI and OAuth 2.0 server for user sign-up / sign-in flows. When this feature is enabled, a Domain pane will appear which allows you to configure a domain from your hosted UI and OAuth 2.0 endpoints.

In this scenario we will be using our own custom frontend UI therefore we will leave the checkbox deselected. This section is found under the user pool name text box refer to the below figure.

Figure 3 Hosted Authentication pagesFigure 3: Hosted Authentication pages

1.3 Initial app client (refer to Figure 4)

The OAuth 2.0 standard defines two client types: public and confidential clients. The best settings for your app client depend on the type of app you build. You can choose the default settings for a public or confidential client. You can also select Other and chose settings that meet your requirements. In our example, we will be utilizing a ‘Public’ client.

For App client name, we will be using example-app-client.

For Client secret, our application in this example will not be required to use Authorization, so we will keep the default Don’t generate a client secret option selected.

Figure 4 Initial app clientFigure 4: Initial app client

Once ready to proceed to the next deployment step, select Next.

Step 2: Review and create

Review your selections and when you confirm everything is correct (refer to Figure 5) select Create user pool at the bottom of the page.

Figure 5 Review; Create User pool

Figure 5: Review & Create User pool

Once created, you will be able to visualize your user pool within Amazon Cognito’s User pool page (refer to Figure 6).

Figure 6 User poolFigure 6: User pool

Note: Once the user pool is created save the ‘user pool ID’ and ‘app Client ID’ to be utilized in step 2 of the next section. Refer to this document to find the ID’s.

iOS Integration with AWS IoT

Our next step would be to integrate the iOS app with AWS IoT in order to send telemetry data, in our example we will be using AWS SDK for iOS using the Swift programming (v5.9.2) language in Xcode v15.1 to integrate with AWS IoT

Step 1: Install the AWS IoT module in your development IDE

Use CocoaPods or manually install the AWS IoT module to add the AWS IoT frameworks to your iOS project. This provides the client libraries for connecting to AWS IoT. Add the import statement to your function header:

Import AWSIoT

Step 2: Initialize AWS Credentials using Amazon Cognito Identity Pool and AWSIoTDataManager

1. Create an Identity Pool in AWS Cognito and obtain the pool ID.

a. In the Amazon Cognito console, choose Identity pools in the left panel, select Create identity pool.

b. Check the Authenticated access box.

c. Expand Authentication providers, choose the Cognito tab and click next.

d. Select Create a new IAM role. Note: You are creating an IAM role with initial minimum permissions and a trust relationship with your identity pool. After creating your identity pool, add permissions in the IAM console.

e. Enter the user pool ID and app client ID created in the previous steps.

f. In the Identity pool name insert the name testpool and click Next.

g. Select Create Identity Pool.

h. Select Edit identity pool. Make a note of the identity pool ID – e.g., us-east-1:xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx.

2. Use the CognitoCredentialsProvider class in AWS Mobile SDK to get AWS credentials from the identity pool.

let session = try await Amplify.Auth.fetchAuthSession()
if let identityProvider = session as? AuthCognitoIdentityProvider {
    let identityId = try identityProvider.getIdentityId().get()
    print("Identity ID: \(identityId)")
}

Step 3. Fetch a client ID to authenticate with AWS IoT

1. Generate a unique client ID string that will identify your client to AWS IoT.

2. This can be acquired via an AWSCredentialsProvider object using the object using the getIdentityId()method.

Step 4. Create an instance of AWSIoTDataManager using the credentials from the previous step. This manager handles the MQTT connection.

let iotEndPoint = AWSEndpoint(
urlString: "wss://xxxxxxxxxxxxx-ats.iot.<YOUR-AWS-REGION>.amazonaws.com/mqtt"
)

let iotDataConfiguration = AWSServiceConfiguration(
region: AWSRegionType.<YOUR-AWS-REGION>,
endpoint: iotEndPoint,
credentialsProvider: CredentialsProxy()
)

AWSIoTDataManager.register(with: iotDataConfiguration!, forKey: "MyAWSIoTDataManager")
let iotDataManager = AWSIoTDataManager(forKey: "MyAWSIoTDataManager")

Step 5. Establish an MQTT connection via a WebSocket to AWS IoT

1. Use the AWSIoTDataManager to create a WebSocket connection to the AWS IoT platform endpoint.

2. The endpoint depends on the AWS region you are using. For eg. xxxxxxxxxx-ats.iot.us-east-1.amazonaws.com

a. You can get the endpoint information from the IoT Core Console Settings page (refer to Figure 7).

Figure 7 Device Data Endpoint Location in IoT ConsoleFigure 7: Device Data Endpoint Location in IoT Console

To use publish and subscribe functionality with AWS IoT, you will need to create the necessary IAM policies in the AWS IoT Console, and attach them to your Amazon Cognito Identity. Refer to the below steps for the same:

a. To create the IoT policy go to IoT Core console and choose Secure from the left navigation pane, and then Policies from the dropdown menu. Next, click Create. The following myIOTPolicy policy will allow full access to all the topics.

Figure 8 IoT Policy for publish and subscribeFigure 8: IoT Policy for publish and subscribe

b. To attach the policy to your Cognito Identity, begin by retrieving the Cognito Identity Id from AWSMobileClient.

AWSMobileClient.default().getIdentityId();

c. Then, you need to attach the myIOTPolicy policy to the user’s Cognito Identity Id with the following AWS CLI command:

aws iot attach-principal-policy --policy-name 'myIOTPolicy' --principal '<YOUR_COGNITO_IDENT

Step 6. Publish/Subscribe to test topics (optional)

1. Go to the AWS IoT Console page under MQTT test client, and go to the publish to a topic section to publish messages to the mobile app.

2. Subscribe to MQTT topics in order to receive messages

a. Open the AWS IoT console.

b. In the navigation pane, select Test.

c. In Subscribe to a topic, enter ‘#‘ to capture all topics.

d. Choose Subscribe.

At this point, we have set up an IoT integration with the iOS app for our telemetry connectivity.

Cleanup

If you followed the proposed solution described in this blog, complete the following steps to avoid incurring unwanted charges to your AWS account.

Amazon Cognito

  • Delete the User pool example-user-pool and client app example-app-client
    • Navigate to Amazon Cognito > Userpools > Select the userpool and > Delete user pool. this will delete the client app and the userpool
  • Delete the Identity pool testpool
    • Navigate to Amazon Cognito > Identity pools > Select the Identity pools and > Delete

AWS IAM

  • Delete the role: testrole
    • Navigate to IAM > roles and delete the created role

Benefits

The benefits for the solution to customers may include the following:

1. The solution helps enable scalable and simplified authentication when connecting iOS applications, particularly those in the automotive industry, to AWS IoT Core. It circumvents the need for per-user provisioning or managing X.509 certificates, which can become cumbersome at large scales. Instead, it utilizes Amazon Cognito Identity Pools to provide temporary, limited guest access without requiring a login.

2. The solution uses several AWS services to help provide a comprehensive and secure IoT integration for iOS apps. AWS IoT SDK for iOS offers libraries to seamlessly interact with AWS IoT Core.

3. This solution can be used by automotive companies to help support their IoT use cases such as vehicle software updates, usage-based insurance models, vehicle diagnostics, and ensuring the security of connected vehicles, applications, and user data.

Conclusion

Securely connecting car applications to the cloud is crucial for helping automakers enable their modern automotive capabilities such as remote diagnostics, OTA updates, and more optimized navigation. This blog post demonstrated how automakers may achieve a more scalable and secure authentication mechanism for an iOS app connecting to AWS IoT Core using AWS Cognito Identity Pools. The post walked through integrating an iOS app with Cognito Identity Pools, establishing an MQTT connection over WebSocket to AWS IoT Core, and setting appropriate IAM policies for publishing/subscribing to IoT topics. Overall, this architecture enables secure, scalable connectivity between automotive iOS apps and the AWS cloud for exchanging IoT data bidirectionally. To get hands on experience with Amazon Cognito refer to this workshop and to build an end to end mobile iOS app to connect AWS IoT Core refer to this guide.

Chirayu Parikh

Chirayu Parikh

Chirayu Parikh is a Senior Technical Account Manager based in Collegeville, Philadelphia. He works within AWS Enterprise Support's Automotive Strategic Industries organization, supporting large automotive companies with their cloud journey. Prior to joining AWS, he spent over a decade helping customers with enterprise networking solutions.

Vanshaj Kochar

Vanshaj Kochar

Vanshaj Kochar is a Solutions Architect working in Automotive and Manufacturing IBU who helps customer build secure, scalable and robust cloud solutions on AWS cloud. With a background in Electronics and Embedded Engineering he is an active contributor to the Automotive and IoT technical field community. He also is engaged with AWS Educate initiative to upskill Canadian University Students on cloud skills.