Skip to content

Latest commit

 

History

History
59 lines (48 loc) · 6.85 KB

threat-modeling.md

File metadata and controls

59 lines (48 loc) · 6.85 KB

Threat Model Analysis for realm/realm-swift

Threat: Direct File Access (Unencrypted Realm)

  • Description: An attacker gains physical access to the device (or a compromised device with root/jailbreak access) and uses file browsing tools or debugging techniques to locate and copy the .realm file. The attacker then uses Realm Studio or other tools to open and inspect the unencrypted database.
  • Impact: Complete exposure of all data stored in the Realm database, including sensitive user information, application state, and potentially credentials if improperly stored.
  • Affected Component: Realm Core Database Engine (file storage layer). Specifically, the unencrypted .realm file itself.
  • Risk Severity: Critical (if sensitive data is stored without encryption). High (if non-sensitive data is stored, but still a significant breach).
  • Mitigation Strategies:
    • a. Mandatory Encryption: Always use Realm's built-in encryption (Realm.Configuration.encryptionKey).
    • b. Secure Key Storage: Store the encryption key securely using the platform's keychain (iOS) or keystore (Android). Never hardcode the key.
    • c. Key Derivation: Derive the encryption key from a user password (using a strong key derivation function like PBKDF2) or a biometric authentication prompt.

Threat: Memory Scraping (Unencrypted Data in Memory)

  • Description: An attacker uses debugging tools or memory analysis techniques on a running application (potentially on a compromised device) to extract data directly from the application's memory while Realm objects are being accessed. This bypasses file-level encryption if the data is decrypted in memory for use.
  • Impact: Exposure of sensitive data that is currently being processed by the application, even if the Realm file itself is encrypted.
  • Affected Component: Realm Core Database Engine (in-memory object representation). Specifically, the Object, List, Results, and other Realm data structures while in use.
  • Risk Severity: High.
  • Mitigation Strategies:
    • a. Minimize Data in Memory: Only load data from Realm into memory when absolutely necessary. Avoid holding large datasets in memory for extended periods.
    • b. Zeroing Memory (Advanced): Consider manually zeroing out memory containing sensitive data after it's no longer needed. This is a complex technique and requires careful implementation.
    • c. Avoid Debugging in Production: Disable debugging features in production builds to make memory analysis more difficult.
    • d. Use ThreadSafeReference Carefully: When passing Realm objects between threads, use ThreadSafeReference to avoid keeping multiple copies of decrypted data in memory.

Threat: Realm Sync - Unauthorized Access (Weak Authentication)

  • Description: An attacker uses brute-force attacks, credential stuffing, or social engineering to obtain valid user credentials for Realm Sync. The attacker then uses these credentials to access and potentially modify the user's synchronized data. This directly involves the Realm Sync client library within the app.
  • Impact: Exposure and potential modification of all data synchronized by the compromised user account.
  • Affected Component: Realm Sync client-side Authentication mechanisms (e.g., SyncUser.logIn, authentication providers as used within the Realm Swift SDK).
  • Risk Severity: Critical.
  • Mitigation Strategies:
    • a. Strong Password Policies: Enforce strong password policies for user accounts.
    • b. Multi-Factor Authentication (MFA): Implement MFA for Realm Sync to add an extra layer of security.
    • c. Account Lockout: Implement account lockout policies to prevent brute-force attacks.
    • d. OAuth 2.0 / OpenID Connect: Use industry-standard authentication protocols like OAuth 2.0 or OpenID Connect for secure authentication, integrating with the Realm Swift SDK's support for these.

Threat: Realm Sync - Data Injection (Missing Server-Side Validation, Client-Side Impact)

  • Description: Although the primary vulnerability is server-side, the client-side Realm Swift code is directly involved in sending the potentially malicious data. An attacker exploits a vulnerability in the client application or compromises a user account to send maliciously crafted data to the Realm Object Server. The server, lacking proper validation, accepts this data.
  • Impact: Data corruption, potential for server-side vulnerabilities, and propagation of malicious data to other users.
  • Affected Component: Realm Sync protocol implementation within the Realm Swift SDK (specifically, the code that handles sending data to the server).
  • Risk Severity: High.
  • Mitigation Strategies:
    • a. Client-Side Data Validation (Defense in Depth): While not a replacement for server-side validation, implement client-side data validation as a defense-in-depth measure. This can help catch some errors early and reduce the attack surface. Use Realm's schema to define constraints.
    • b. Input Sanitization (Client-Side): Sanitize any user-provided input before it's used to create or modify Realm objects. This is also a defense-in-depth measure.
    • c. Strongly Typed Models: Use strongly typed Realm models to enforce data types and constraints at the client level.

Threat: Vulnerability in Realm Swift Library

  • Description: A security researcher or attacker discovers a vulnerability in the Realm Swift library itself (e.g., a buffer overflow, a logic error, or a cryptographic weakness). This vulnerability could be exploited to gain unauthorized access to data, execute arbitrary code, or crash the application.
  • Impact: Varies depending on the specific vulnerability, but could range from data leaks to complete application compromise.
  • Affected Component: Potentially any part of the Realm Swift library (Core, Sync, Object Server client).
  • Risk Severity: Variable (depends on the vulnerability - could be High to Critical).
  • Mitigation Strategies:
    • a. Update Regularly: Keep the Realm Swift library updated to the latest version to receive security patches.
    • b. Monitor Security Advisories: Subscribe to Realm's security advisories and announcements to be notified of any vulnerabilities.
    • c. Dependency Scanning: Use a software composition analysis (SCA) tool to automatically detect outdated or vulnerable versions of Realm Swift and its dependencies.