Find our Devices - A locator app built using Realm
Rachelle Palmer
Published May 20, 2022 • Updated Jun 15, 2022
This summer, MongoDB hosted 112 interns, spread across departments such as MongoDB Cloud, Atlas, and Realm. These interns have worked on a vast array of projects using the MongoDB platform and technologies. One such project was created by two Software Engineering interns, José Pedro Martins and Linnea Jansson, on the MongoDB Realm team.
Using MongoDB Realm and React Native, they built an app to log and display the location and movement of a user’s devices in real-time on a map. Users can watch as their device’s position on the map updates in response to how its physical location changes in real life. Additionally, users can join groups and view the live location of devices owned by other group members.
In this article, I look forward to demonstrating the app’s features, discussing how it uses MongoDB Realm, and reviewing some noteworthy scenarios which arose during its development.
The project, called Find Our Devices, is an app for iOS and Android which allows users to view the live location of their devices on a map. The demo video above demonstrates some key features and shows off the intuitive UI. Users can track multiple devices by installing the app, logging in with their email, and adding the current device to their account.
For each device, a new pin is added to the map to indicate the device’s location. This feature is perfect if one of your devices has been lost or stolen, as you can easily track the location of your iOS and Android devices from one app. Instead of using multiple apps to track devices on Android and iOS, the user can focus on retrieving their device. Indeed, if you’re only interested in the location of one device, you can instantly find its location by selecting it from a dropdown menu.
Additionally, users can create groups with other users. In these groups, users can see both the location of their devices and the location of other group members' devices. Group members can also invite other users by inputting their email. If a user accepts an invitation, their devices' locations begin to sync to the map. They can also view the live location of other members’ devices on the group map.
This feature is fantastic for families or groups of friends travelling abroad. If somebody gets lost, their location is still visible to everyone in the group, provided they have network connectivity. Alternatively, logistics companies could use the app to track their fleets. If each driver installs the app, HQ could quickly find the location of any vehicle in the fleet and predict delays or suggest alternative routes to drivers. If users want privacy, they can disable location sharing at any time, or leave the group.
Uses of Realm
This app was built using the MongoDB RealmJS SDK and React Native and utilises many of Realm’s features. For example, the authentication process of registration, logging in, and logging out is handled using Realm Email/Password authentication. Additionally, Realm enables a seamless data flow while updating device locations in groups, as demonstrated by the diagram below:
As a device moves, Realm writes the location to Atlas, provided the device has network connectivity. If the device doesn’t have network connectivity, Realm will sync the data into Atlas when the device is back online. Once the data is in Atlas, Realm will propagate the changes to the other users in the group. Upon receiving the new data, a change listener in the app is notified of this update in the device's location. As a result, the pin’s position on the map will update and users in the group can see the device’s new location.
Another feature of Realm used in this project is shared realms. In the Realm task tracker tutorial, available here, all users in a group have read/write permission to the group partition. The developers allowed this, as group members were trusted to change any data in the group’s shared resources. Indeed, this was encouraged, as it allowed team members to edit tasks created by other team members and mark them as completed. In this app, users could not be given write permission to the shared realm, because any group member with write permission could modify other users' locations. The solution to this problem is shown in the diagram below. Group members only have read permissions for the shared realm, allowing them to read others' locations, but not edit them. You can learn more about Realm partitioning strategies here.
Fixing a security vulnerability
Several difficult scenarios and edge cases came up during the development process. For example, in the initial version, users could write to the GroupMembership class (https://github.com/realm/FindOurDevices/blob/0b118053a3956d4415d40d9c059f6802960fc484/app/models/GroupMembership.js). The intention was that this permission would allow members to join new groups and write their new membership to Atlas from Realm. Unfortunately, this permission also created a security vulnerability, as the client could edit the GroupMembership.groupId value to anything they wanted. If they edited this value to another group’s ID value, this change would be synced to Atlas, as the user had write permission to this class. Malicious users could use this vulnerability to join a group without an invitation and snoop on the group members' locations.
Due to the serious ethical issues posed by this vulnerability, a fix needed to be found. Ultimately, the solution was to split the Device partition from the User partition and retract write permissions from the User class, as shown in the diagram below. Thanks to this amendment, users could no longer edit their GroupMembership.groupId value. As such, malicious actors could no longer join groups for which they had no invitation. Additionally, each device is now responsible for updating its own location, because the Device partition is separate from the User partition and retains write permissions.
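The effect of the fix can be checked with a small model of the permission rules. The following is an added example, not code from the FindOurDevices repositories and not Realm's API: the partition key formats (user=, device=, group=), the rule objects, and all ids are assumptions constructed for illustration.

```javascript
// Toy model of partition-level sync rules (added example, not Realm's API).
// Partition key formats ("user=", "device=", "group=") and all ids are constructed.
const RULES_BEFORE = { writableKinds: ['user'], locationKind: 'user' };
const RULES_AFTER = { writableKinds: ['device'], locationKind: 'device' };

function makeServer(rules) {
  const users = new Map(); // server-side copy of each User document

  // Returns the partition kind if the partition belongs to userId, else null.
  const ownPartition = (userId, partition) => {
    const [kind, owner] = partition.split('=');
    return owner === userId ? kind : null;
  };

  return {
    addUser(id, memberships) {
      users.set(id, { memberships: memberships.map((m) => ({ ...m })) });
    },
    // A client change reaches the server copy only if the partition is writable.
    syncWrite(userId, partition, mutate) {
      const kind = ownPartition(userId, partition);
      if (!kind || !rules.writableKinds.includes(kind)) return false;
      if (kind === 'user') mutate(users.get(userId));
      return true;
    },
    // Group partitions are never writable here; only members may read them.
    canRead(userId, partition) {
      const [kind, id] = partition.split('=');
      if (kind !== 'group') return id === userId;
      return users.get(userId).memberships.some((m) => m.groupId === id);
    },
  };
}

// One user, invited to group-A only, edits groupId locally and syncs the change.
function forgedMembershipScenario(rules) {
  const server = makeServer(rules);
  server.addUser('user-1', [{ groupId: 'group-A' }]);
  const forgedWriteAccepted = server.syncWrite('user-1', 'user=user-1', (doc) => {
    doc.memberships[0].groupId = 'group-B';
  });
  const locationWriteAccepted = server.syncWrite(
    'user-1', `${rules.locationKind}=user-1`, (doc) => { doc.location = [0, 0]; });
  return {
    forgedWriteAccepted,
    canReadGroupB: server.canRead('user-1', 'group=group-B'),
    locationWriteAccepted,
  };
}

console.log('before:', forgedMembershipScenario(RULES_BEFORE));
console.log('after: ', forgedMembershipScenario(RULES_AFTER));
```

With the original rules the edited groupId is accepted and grants read access to the other group; with the split partitions the same write is rejected while the device's own location update still succeeds.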
In this blog post, we discussed a fascinating project built by two Realm interns this year. More specifically, we explored the functionality and use cases of the project, looked at how the project used MongoDB Realm, and examined a noteworthy security vulnerability that arose during development.
If you want to learn more about the project or dive into the code, you can check out the backend repository here and the frontend repository here. You can also build the project yourself by following the instructions in the ReadMe files in the two repositories. Alternatively, if you'd like to learn more about MongoDB, you can visit our community forums, sign up for MongoDB University, or sign up for the MongoDB newsletter!