Security and vulnerability


(Jiri) #1

Hello,

we are now considering using REALM for a serious project. We work for a huge corporation which is full of processes, so we cannot just use some open-source project.

When going through the process of requesting permission to use REALM, our security department replied that they need to see the security study:

  • results of the security code review (both automated and manual)
  • results of the penetration testing (when the database is encrypted, which is one of our main goals)
  • list of known vulnerabilities brought by the use of the REALM library (I only found this https://github.com/realm/realm-java/issues/4553 and unfortunately, the replies there are quite discouraging)

I was digging around and failed to find anything like that.

I do realise that this is an open source project and that the simplest answer from the community around will be - “it is open source, you can do yourself anything with it”.

On the other hand, it seems that this project is quite serious so there could be something which I missed (OpenSSL is also open source and there is a lot of security around).

Could you please point me to it?

Otherwise, it can easily be a show-stopper for a serious project :frowning:, regardless of how good the library is from a functional perspective (and no, no one is going to do the study for us in the company; the budget for it exceeds writing our own special-purpose storage (in the case we decide NOT to use REALM)).


(Brian Munkholm) #2

Hi Jiri!
Happy to hear you are considering using Realm for a serious project! It’s a great match as Realm is surely a very serious project backed by a very serious company :slight_smile:
But to be serious… The realm-java issue you refer to is absolutely to be ignored - it’s a false positive that often happens when those tools are applied to mobile applications. We have just updated the issue with a comment as to why.
Unfortunately doing security audits is - as you mention - very expensive. We have had that done once without any findings. But obviously any code change done since basically voids any previous assessments. So all I can say is that other very serious companies (Banks, medical companies and other financial companies) have evaluated our product and found it secure for their applications.
We are actually using OpenSSL, so perhaps you can get by with that for your assessment? All the code that interfaces with OpenSSL is public in realm-core.
As a small note, you have to consider if you trust Android or iOS as well and based on what :wink:

I hope this helps at least to clarify the current state.

EDIT: All of the above assume you are talking about the Mobile Client SDK, not the Realm Cloud (which has recently had penetration testing done by an external company).