threat-modeling.md

Threat Model Analysis for realm/realm-java

Threat: Unencrypted Realm Database on Disk

• Description: Realm Java, by default, stores databases unencrypted on the device's file system. An attacker gaining unauthorized access to the device (physical access or via malware) can directly read the entire Realm database file. This allows them to bypass application security and access all stored data using tools like Realm Studio.
• Impact: Critical Confidentiality Breach. Complete and immediate disclosure of all sensitive data stored within the Realm database. This is a critical risk if sensitive user data, application secrets, or any confidential information is stored in Realm without encryption.
• Realm-Java Component Affected: Core Realm Database File Storage (default behavior).
• Risk Severity: Critical (When sensitive data is stored and encryption is not enabled).
• Mitigation Strategies:
  • Mandatory Realm Encryption: Always enable Realm database encryption by providing a strong encryption key during Realm configuration using RealmConfiguration.Builder.encryptionKey(). This is the most crucial mitigation.
  • Secure Encryption Key Generation and Storage: Generate a cryptographically strong, random encryption key (256-bit AES recommended). Securely store this key using Android Keystore or a similar secure hardware-backed storage mechanism. Avoid hardcoding the key directly in the application code.

Threat: Weak Encryption Key or Algorithm

• Description: If a weak or easily guessable encryption key is used with Realm's encryption feature, or if Realm were to utilize a vulnerable encryption algorithm (unlikely in current versions, but a potential future risk if not kept updated), an attacker could potentially brute-force the key or exploit algorithmic weaknesses to decrypt the Realm database.
• Impact: High to Critical Confidentiality Breach. Successful decryption of the Realm database, leading to unauthorized access to sensitive data. The severity depends on the weakness of the key or algorithm exploited.
• Realm-Java Component Affected: Realm Encryption Module.
• Risk Severity: High (If a weak encryption key is used). Potentially Critical (If a fundamental vulnerability in the encryption algorithm were to be discovered in Realm itself).
• Mitigation Strategies:
  • Use Strong, Random Keys: Ensure the encryption key provided to RealmConfiguration.Builder.encryptionKey() is generated using a cryptographically secure random number generator and is of sufficient length (256-bit AES key is recommended).
  • Stay Updated with Realm Library: Regularly update the Realm Java library to the latest stable version. This ensures you benefit from any security patches and algorithm updates implemented by the Realm team.
  • Monitor Security Advisories: Keep informed about any security advisories or recommended practices related to Realm's encryption features from official Realm channels.

Threat: Data Leakage through Verbose Realm Logging in Production

• Description: Realm Java provides logging capabilities for debugging and development. If verbose logging is unintentionally left enabled in production builds, sensitive data from Realm queries, object properties, or internal operations might be written to application logs or system logs. An attacker gaining access to these logs could extract sensitive information.
• Impact: High Confidentiality Breach. Exposure of sensitive data through logs can lead to unauthorized disclosure. The severity is high as logs can contain detailed information about data and application behavior.
• Realm-Java Component Affected: Realm Logging Module.
• Risk Severity: High (If verbose Realm logging is enabled in production builds).
• Mitigation Strategies:
  • Disable Verbose Realm Logging in Production: Ensure that verbose Realm logging is completely disabled in release builds of your application. Use build configurations or conditional logic to control logging levels based on build type (debug vs. release).
  • Review Logging Configuration: Double-check your application's logging configuration to confirm that Realm's verbose logging is not inadvertently enabled in production.
  • Sanitize Logs (General Best Practice): Even with logging disabled, as a general security practice, avoid logging sensitive data directly in any part of your application, including interactions with Realm.

Threat: Realm Library Vulnerabilities

• Description: Like any software library, Realm Java might contain undiscovered security vulnerabilities. These vulnerabilities could potentially be exploited by attackers to bypass security measures, gain unauthorized access to data, cause application crashes, or even execute arbitrary code within the application's context.
• Impact: Potentially Critical Confidentiality, Integrity, and Availability Breach. The impact depends heavily on the nature and severity of the vulnerability. Critical vulnerabilities could lead to remote code execution or complete data compromise.
• Realm-Java Component Affected: Entire Realm Java Library.
• Risk Severity: Potentially Critical (If a critical vulnerability is discovered and exploited).
• Mitigation Strategies:
  • Proactive Realm Library Updates: Establish a process for regularly updating the Realm Java library to the latest stable version. This is crucial to benefit from security patches and bug fixes released by the Realm maintainers.
  • Vulnerability Monitoring: Actively monitor security advisories and vulnerability databases for any reported vulnerabilities related to Realm Java. Subscribe to Realm's official release notes and security announcements.
  • Security Testing and Code Reviews: Incorporate security testing (including static and dynamic analysis) and thorough code reviews into your development lifecycle to identify potential vulnerabilities in your application's usage of Realm and in the Realm library itself (if possible within your testing scope).