Channel: Bountied questions - Information Security Stack Exchange

What is the use case of request signing in this mobile app?

The API of a mobile app I was testing is sending the AWS AccessKeyId and SecretKey used for request signing from the AWS Cognito server unencrypted (apart from the regular TLS encryption), making it possible to re-sign all requests to their AWS Lambda API, e.g. using Burp's "AWS Signer" extension.

With this, a Man-In-The-Middle could sign all altered requests, so I wonder what the actual use case of request signing is, in this instance?

Shouldn't the AccessKeyID and SecretKey be kept secret?

The owner of the app is telling me that this is not an issue because they are following the AWS guidelines.

Is that correct? Or are they doing something wrong?

Why would they sign the requests in the first place in their mobile app? What is the use case of signing the requests, when the 'secrets' for creating a signature are distributed via the same connection in the clear (except for TLS)?

Does this conform to best practices when using AWS Lambda for serverless mobile app APIs? Is request signing even useful in this instance? Most apps I have tested didn't use request signing.
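To make concrete what the signature in the question actually binds, the following is an added, self-contained implementation of the AWS Signature Version 4 algorithm (canonical request, string to sign, HMAC key derivation) with a server-side verifier. It is example code written for this page, not code from the question, from AWS, or from any SDK; the access key, secret key, session token, host and Lambda path are constructed placeholders. It demonstrates the property the question is asking about: a verifier holding the same secret rejects a request whose body was changed after signing, but accepts any request signed with the same temporary credentials, whoever produced that signature.

```python
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the raw secret is never used directly on the wire."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, body):
    """Build the canonical request; headers is a dict of lowercase name -> value."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    creq = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, _sha256_hex(body)])
    return creq, signed_headers


def sign(method, path, query, headers, body, access_key_id, secret_key, amz_date, region, service):
    """Return the Authorization header value for the request (client side)."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, body)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret_key, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, SignedHeaders={signed_headers}, Signature={signature}"


def verify(method, path, query, headers, body, authorization, secret_lookup):
    """Server side: recompute the signature from the shared secret and compare in constant time."""
    try:
        _algorithm, rest = authorization.split(" ", 1)
        parts = dict(p.strip().split("=", 1) for p in rest.split(","))
        access_key_id, scope = parts["Credential"].split("/", 1)
        _date, region, service, _terminator = scope.split("/")
        signed = parts["SignedHeaders"].split(";")
    except (ValueError, KeyError):
        return False
    secret = secret_lookup.get(access_key_id)
    if secret is None or "x-amz-date" not in signed:
        return False
    subset = {n: headers[n] for n in signed if n in headers}
    if len(subset) != len(signed):
        return False  # a signed header is missing from the request
    expected = sign(method, path, query, subset, body, access_key_id, secret,
                    subset["x-amz-date"], region, service)
    return hmac.compare_digest(expected, authorization)


def demonstrate():
    """Constructed scenario: legitimate signing, tampering, and re-signing with the same credentials."""
    creds = {"ASIAEXAMPLEACCESSKEY": "EXAMPLESECRETKEYNOTREAL0000000000000000"}  # constructed placeholders
    akid = next(iter(creds))
    amz_date = "20240101T120000Z"
    headers = {
        "host": "lambda.example.invalid",            # placeholder host
        "x-amz-date": amz_date,
        "x-amz-security-token": "EXAMPLESESSIONTOKEN",  # Cognito temporary credentials carry a token
        "content-type": "application/json",
    }
    method, path, query = "POST", "/2015-03-31/functions/exampleFunction/invocations", {}
    body = b'{"amount": 10}'

    auth = sign(method, path, query, headers, body, akid, creds[akid], amz_date, "us-east-1", "lambda")
    tampered = b'{"amount": 10000}'
    resigned = sign(method, path, query, headers, tampered, akid, creds[akid], amz_date, "us-east-1", "lambda")
    return {
        "signature": auth.rsplit("Signature=", 1)[1],
        "original_verifies": verify(method, path, query, headers, body, auth, creds),
        "tampered_verifies": verify(method, path, query, headers, tampered, auth, creds),
        "resigned_verifies": verify(method, path, query, headers, tampered, resigned, creds),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The verifier's acceptance depends only on the credential pair and the request contents, which is why the signature is a proof of key possession rather than of which device built the request; a session token is simply another signed header.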

