Realm security question

We are using Realm Server and have a question about security. I’m not too worried about iOS, but on Android, hacking an APK is pretty common.

Within the app, there are ways to keep from showing certain data even when they log in to the synced realm. However, if the APK was hacked (theoretically) and they had the credentials for the synced realm, could they then see and/or modify the data in the synced realm?

Thanks. --Kurt

@Kurt_Libby If a bad actor has the plaintext username & password for a syncUser of the realm object server, then they will be able to log in and download the synced realm unless you employ some other authentication and security mechanism like JWT, 2FA, or some other JWT implementation.

We do not store the plaintext password of the syncUser on the device, so even if a bad actor compromises the device, they should still not be able to login() as long as you require them to.
