Secure Realm Encryption Key for Android Applications

Nowadays, data security for Android applications is one of the main challenges for Android developers. A big part of data security involves the device's database. Android recommended an SQLite database but it will not provide any default encryption features for data security. Some database libraries provide default encryption features. Realm is one of those databases.

For encrypting a Realm database, you have to set an encryption key to the Realm configuration. This key will be used to encrypt/decrypt whole Realm databases. If anyone gets the encryption key, your data security will be vulnerable. So the encryption key should be secured first in order to secure the whole Realm database.

Realm encryption key can be secured in the following way:

1. Use an Android provided key from the key store private certificate.

2. Get a key from a remote source and secure it.

Method 1

Android OS provides a secure/private certificate through the Android keystore. It is an easy way to get a key from Android's private certificate.

public byte[] getSecureKey() {
        try {
            KeyStore.PrivateKeyEntry privateKeyEntry = getSecretKey();

            if (privateKeyEntry == null) {
                Log.d("key","key not found");

                return null;
            }
            Certificate cert = privateKeyEntry.getCertificate();

            if (cert == null) {
                Log.d("key","certificate not found");

                return null;
            }

            return cert.getEncoded();
        } catch (CertificateException e) {
            throw new RuntimeException(e);
        }
    }

Method 2

There's a problem with Method 1. If the keystore provided a private certificate that gets invalidated or corrupted for any reason (OS update or any bug), then all the data in the Realm DB will be corrupted. No data can be decrypted without a key. If data should not be lost on any condition, then Method 1 should not be used. In that case, Method 2 would be more appropriate. The following steps can be used in Method 2:

• Generate a 64-byte random encryption key.

• Encrypt the encryption key using the Android key store certificate and store it in the device's shared preferences.

• Upload the encryption key to a remote source (it can be your own server or any cloud source).

    public byte[] getSecureRealmKey() {
        String key = getSharedPreference().getString(REALM_ENCRYPTION_KEY, null);

        if (TextUtils.isEmpty(key)) {
            return createRealmKey(context);
        }

        return encryptionProvider.decrypt(key);
    }

    private void setRealmKey(byte[] key) {
        SharedPreferences.Editor editor = getSharedPreference().edit();
        editor.putString(REALM_ENCRYPTION_KEY, encryptionProvider.encrypt(key));
        editor.apply();
    }

    private byte[] createRealmKey(Context context) {
        byte[] key = new byte[64];
        SecureRandom secureRandom = new SecureRandom();
        secureRandom.nextBytes(key);
        setRealmKey(key);

        return key;
    }

    private SharedPreferences getSharedPreference() {
        return context.getSharedPreferences(PREFERENCES_KEY, Context.MODE_PRIVATE);
    }

In case the Android keystore certificate gets invalidated, your data can be restored by using the remote key.
There is a third-party library that can help you to acheive this.