top of page

The Best Way To Secure Realm Encryption Key For Android Apps

We take a look the highly secure Realm database and it aids in encrypting the data from an Android application.



Nowadays, data security for Android applications is one of the main challenges for Android developers. A big part of data security involves the device's database. Android recommended an SQLite database but it will not provide any default encryption features for data security. Some database libraries provide default encryption features. Realm is one of those databases.


For encrypting a Realm database, you have to set an encryption key to the Realm configuration. This key will be used to encrypt/decrypt whole Realm databases. If anyone gets the encryption key, your data security will be vulnerable. So the encryption key should be secured first in order to secure the whole Realm database.

Realm encryption key can be secured in the following way:

  1. Use an Android provided key from the key store private certificate.

  2. Get a key from a remote source and secure it.


Method 1

Android OS provides a secure/private certificate through the Android keystore. It is an easy way to get a key from Android's private certificate.


fun getSecureKey(): ByteArray? {
    return try {
        val privateKeyEntry: KeyStore.PrivateKeyEntry = getSecretKey()
        if (privateKeyEntry == null) {
            Log.d("key", "key not found")
            return null
        }
        val cert: Certificate = privateKeyEntry.getCertificate()
        if (cert == null) {
            Log.d("key", "certificate not found")
            return null
        }
        cert.getEncoded()
    } catch (e: CertificateException) {
        throw RuntimeException(e)
    }
}

Method 2

There's a problem with Method 1. If the keystore provided a private certificate that gets invalidated or corrupted for any reason (OS update or any bug), then all the data in the Realm DB will be corrupted. No data can be decrypted without a key. If data should not be lost on any condition, then Method 1 should not be used. In that case, Method 2 would be more appropriate. The following steps can be used in Method 2:

  • Generate a 64-byte random encryption key.

  • Encrypt the encryption key using the Android key store certificate and store it in the device's shared preferences.

  • Upload the encryption key to a remote source (it can be your own server or any cloud source).



fun getSecureRealmKey(): ByteArray? {
    val key = getSharedPreference().getString(REALM_ENCRYPTION_KEY, null)
    return if (TextUtils.isEmpty(key)) {
        createRealmKey(context)
    } else encryptionProvider.decrypt(key)
}

private fun createRealmKey(context: Context): ByteArray? {
    val key = ByteArray(64)
    val secureRandom = SecureRandom()
    secureRandom.nextBytes(key)
    setRealmKey(key)
    
    return key
}

private fun setRealmKey(key: ByteArray) {
    val editor = getSharedPreference().edit()
    editor.putString(REALM_ENCRYPTION_KEY, encryptionProvider.encrypt(key))
    editor.apply()
}

private fun getSharedPreference(): SharedPreferences {
    return context.getSharedPreferences(PREFERENCES_KEY, Context.MODE_PRIVATE)
}

In case the Android keystore certificate gets invalidated, your data can be restored by using the remote key. There is a third-party library that can help you to acheive this.

Comments


bottom of page