
How to protect key values for AWS


My Android app works with AWS S3. I am using a serverless architecture, which means my app includes all the information necessary to access the AWS S3 resources, including the ACCESS KEY and SECRET KEY.

Obviously this would cause security issues, and ProGuard is not very helpful for protecting data in String format.

It would be great if you could share your wisdom on this. I believe there is some general way to handle this problem, because I can't be the only one who goes with a serverless architecture.


Solution

  • As michael-sqlbot has mentioned, Cognito is the recommended way to authenticate mobile apps. However, if you can't be bothered setting up Cognito and investigating how it works, you can use AssumeRoleWithWebIdentity, which does not require AWS credentials to be invoked. AssumeRoleWithWebIdentity assumes the requested role and generates temporary credentials valid for 1h (by default). So the only gotcha is that you need to authenticate against any OpenID Connect-compatible identity provider.
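The exchange described in the answer, written out as an added example (not code from the original answer) in Java against the AWS SDK for Android: the app holds no AWS access key or secret key at all; it sends the ID token it received from the user's OIDC sign-in to STS, receives temporary credentials, and builds the S3 client from those. The role ARN, region, class and method names are illustrative assumptions, and the ID token is assumed to come from your identity provider's sign-in flow.

```java
import java.util.Date;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithWebIdentityRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithWebIdentityResult;
import com.amazonaws.services.securitytoken.model.Credentials;

/**
 * Example (not from the original answer): trade an OIDC ID token for
 * temporary AWS credentials with STS AssumeRoleWithWebIdentity, then use
 * them for S3. Nothing long-lived is compiled into the APK, so ProGuard
 * has nothing secret to hide.
 *
 * All network calls below must run off the Android main thread
 * (AsyncTask, executor, coroutine), or the SDK throws
 * NetworkOnMainThreadException.
 */
public class WebIdentityS3Access {

    // Hypothetical role ARN; the role's trust policy must allow
    // sts:AssumeRoleWithWebIdentity for your OIDC provider.
    private static final String ROLE_ARN = "arn:aws:iam::123456789012:role/MobileAppS3Role";
    private static final Regions REGION = Regions.US_EAST_1;
    // Re-assume the role when fewer than 5 minutes remain on the session.
    private static final long REFRESH_MARGIN_MS = 5 * 60 * 1000L;

    private Credentials session;

    /**
     * Calls STS with anonymous credentials (the call itself needs no AWS
     * credentials) and stores the temporary key, secret and session token.
     *
     * @param idToken     OIDC ID token (JWT) from the provider sign-in
     * @param sessionName 2-64 chars of [A-Za-z0-9+=,.@-], shows up in CloudTrail
     */
    public Credentials assumeRole(String idToken, String sessionName) {
        AWSSecurityTokenServiceClient sts =
                new AWSSecurityTokenServiceClient(new AnonymousAWSCredentials());
        sts.setRegion(Region.getRegion(REGION));

        AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest()
                .withRoleArn(ROLE_ARN)
                .withRoleSessionName(sessionName)
                .withWebIdentityToken(idToken)
                .withDurationSeconds(3600); // 1h, the default

        AssumeRoleWithWebIdentityResult result = sts.assumeRoleWithWebIdentity(request);
        session = result.getCredentials();
        return session;
    }

    /** True when there is no session yet or it is about to expire. */
    public boolean needsRefresh() {
        if (session == null) {
            return true;
        }
        Date expiration = session.getExpiration();
        return expiration.getTime() - System.currentTimeMillis() < REFRESH_MARGIN_MS;
    }

    /**
     * Returns an S3 client backed by the temporary session credentials,
     * refreshing them first if needed. The caller supplies a fresh ID token
     * from the identity provider when a refresh is required.
     */
    public AmazonS3Client s3Client(String idToken, String sessionName) {
        if (needsRefresh()) {
            assumeRole(idToken, sessionName);
        }
        AWSCredentials temporary = new BasicSessionCredentials(
                session.getAccessKeyId(),
                session.getSecretAccessKey(),
                session.getSessionToken());
        AmazonS3Client s3 = new AmazonS3Client(temporary);
        s3.setRegion(Region.getRegion(REGION));
        return s3;
    }
}
```

The security of this setup lives in the role's trust policy rather than in the app: it should name the OIDC provider as the federated principal and add a Condition on the token's `aud` claim (your app's client ID), otherwise any token issued by that provider to any application could assume the role. The role's permission policy should also be scoped to the specific bucket and prefixes the app needs, since anyone who signs in to your identity provider receives these credentials.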