Security concerns for Realm

I’m considering using Realm for a SAAS web application which also has a desktop application/client as well. But, is Realm really an appropriate choice for commercial software? The ability to use the Realm app object and then invoke queries, setup watches on backend data, etc is great and convenient. But, from a security perspective how is this a best practice to expose directly in my web applications where any casual View Source will reveal my backend app name, my backend document names and the exact field names as well?

Am I misinterpreting the use case for Realm? Is it more designed for mobile apps where viewing source isn’t possible or for internal corporate apps that live behind a firewall, inside a private network?

I’m building a commercial app that will be run in a web browser (I’m using the JS Realm SDK) and on desktop (I’m using Electron and soon will replace that with a C++ based host, but currently I’m using the Node JS SDK), and I’ve always, like everyone else, used an API for my apps to keep backend details out of the client code/hard-coded string values for document queries, etc. I don’t feel comfortable exposing this much detail about my backend.

Obviously, I could put my own API in front of every query to Mongo or I could use Realm App Functions potentially as well and put all document names / fields in those Node functions. But, I’m just doing a quick sanity check on security architecture and expected use cases for Realm.

Anyone else have any concerns or public facing apps with Realm?
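As an added example (not code from the original post or from MongoDB), here is the Realm App Functions arrangement the question mentions: a server-side function that owns the collection and field names and authorizes on the caller's identity, with the runtime `context` global replaced by a constructed, synchronous stand-in so it runs offline without the SDK. The `saas`/`profiles` names, the document shape and the `callFunction` dispatcher are assumptions standing in for Atlas and for `app.currentUser.callFunction`.

```javascript
// Constructed sample data standing in for a "profiles" collection in Atlas.
const SAMPLE_PROFILES = [
  { _id: "p1", owner_id: "user-a", display_name: "Alice", plan: "pro", billing_token: "tok_a" },
  { _id: "p2", owner_id: "user-b", display_name: "Bob", plan: "free", billing_token: "tok_b" },
];

// Stand-in for the `context` global a Realm Function receives at runtime.
// The real mongodb-atlas service is Promise-based; this mock is synchronous
// so the example runs with no SDK installed.
function makeContext(userId, docs = SAMPLE_PROFILES) {
  const collection = {
    findOne: (query) =>
      docs.find((d) => Object.keys(query).every((k) => d[k] === query[k])) || null,
  };
  return {
    user: userId ? { id: userId } : null,
    services: { get: () => ({ db: () => ({ collection: () => collection }) }) },
  };
}

// Server side (Realm Function body): the only place the collection and field
// names appear. Which document is returned is decided from context.user,
// never from anything the client sends.
function getOwnProfile(context) {
  if (!context.user) throw new Error("unauthenticated");
  const profiles = context.services.get("mongodb-atlas").db("saas").collection("profiles");
  const doc = profiles.findOne({ owner_id: context.user.id });
  if (!doc) return null;
  // Return a DTO: storage names and sensitive fields (billing_token) never leave the server.
  return { name: doc.display_name, plan: doc.plan };
}

// Registry and dispatcher playing the role of app.currentUser.callFunction(name, ...args).
// In a real app the context is supplied by the runtime; here it is passed explicitly.
const FUNCTIONS = { getOwnProfile };
function callFunction(context, name, ...args) {
  if (!FUNCTIONS[name]) throw new Error(`no such function: ${name}`);
  return FUNCTIONS[name](context, ...args);
}

// Client side: a View Source on this code reveals a function name, not a schema.
function clientLoadProfile(context) {
  return callFunction(context, "getOwnProfile");
}
```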

Some good thoughts in your question. There are a bunch of technical answers, but let me provide our take on it (we are not MongoDB Realm employees).

Why would you think it’s not?

That’s pretty much how browsers / web apps work. The code has to go somewhere, but the bigger picture is: who cares if an end user sees a field name is ‘user_name’…

It’s designed for all kinds of apps, from desktop to mobile apps to web apps and more. If it was only designed for mobile there wouldn’t be all the flavors of SDKs: Swift, .NET, web, Flutter, Node, etc.

Sounds exciting! You can expose as much or as little as you want. You could craft an app made entirely of calls to Atlas using Application Services only if the use case fits (I am not recommending that)

We don’t have any concerns, but it’s an absolutely valid question. Do you have a specific example of a security issue? Or perhaps some example code of where you feel a bad actor could/would hijack your app or access sensitive data?

I think looking at a specific use case may reveal more about potential security issues.