Easy End-to-End Encryption: Introducing ZeroKit for Realm
Realm is dedicated to helping you build great apps, and one of the ways we do that is by making it easier to work with the data that powers your apps. Instead of having to write (and maintain) fragile networking and serialization code, the Realm Mobile Platform handles that work automatically, making realtime data sync, sharing, and building server-side data features easy. And of course, we do it securely, offering HTTPS/TLS, AES-256 encryption at rest, and flexible access control features. You are freed to focus on the work that will matter to your users.
But for some apps and some use cases, you need a higher level of data security. That’s why we’re happy to announce end-to-end encryption, with Tresorit’s new ZeroKit SDK integration with the Realm Platform. Now you can easily build realtime, reactive apps that meet the standards required for handling healthcare, government, financial, and other highly sensitive data.
Understanding End-to-End Encryption
End-to-end encryption is the method of choice to protect data transmitted between devices. Because data is encrypted on the source device before transmission, man-in-the-middle attackers cannot decode it if they capture it, even if the transmission route itself isn’t encrypted. Only the clients who share the crypto keys can access the information; no other party potentially snooping on traffic, including internet service providers, can see what information is contained within that data. Today, this is standard practice for encrypted chat apps like Signal, Threema, iMessage, and FaceTime.
The challenge is that end-to-end encryption requires a very extensive set of processes to implement, and that can eat up a ton of development time. And if they are not implemented and tested properly, it’s possible to leave flaws that attackers could exploit. End-to-end encryption isn’t impossible or broken—it’s just hard, and it’s important to do it right.
Tresorit + Realm Make It Easy
With the ZeroKit SDK integration for the Realm Mobile Platform, Tresorit built an exceptionally simple, secure, and scalable integration with Realm. Drawing on Tresorit’s depth of knowledge in building cloud security services, the ZeroKit SDK makes end-to-end encryption accessible to all development teams.
At the core of ZeroKit is an SDK that provides a secure user auth service with end-to-end encryption functionality. This enables the sharing of encrypted data between devices using a single user account and also any number of other accounts which have been granted access.
ZeroKit works on the principle of using the user account system to share encryption keys between client devices. When a new user is invited to view encrypted data from another user, an encryption key is shared in order to decrypt the data. If desired, the key can also be revoked, rendering the data once more inaccessible.
Instead of completely rewriting your backend, you can integrate ZeroKit into Realm without any trouble. Combining the best of both worlds, Tresorit has set up a way to use ZeroKit to perform end-to-end encryption in conjunction with the synchronization capabilities of the Realm Mobile Platform so that your data is end-to-end encrypted while synchronizing seamlessly, in realtime.
How It Works
How it works is actually quite simple. ZeroKit integrates itself with Realm via the Realm Mobile Platform’s ability to allow third-party services to authenticate synchronization sessions. When a user logs into Realm, they use their ZeroKit credentials, which identify them as a unique user to the Realm Mobile Platform. Once logged in, the encryption keys for that account are made available on that device throughout the user’s login session.
After login, each time a set of data is to be saved, the developer calls a ZeroKit API to encrypt the data on the device. Behind the scenes, ZeroKit stores and uses the keys generated for the current Realm, so that developers don’t have to deal with the complexity of crypto. The encrypted data is then saved to Realm where the information cannot be read successfully by any attacker or even the server itself. To decrypt the data, the same process is repeated in reverse. If the logged-in user has access to the keychain (“tresor”) associated with the Realm, data will be seamlessly decrypted.
To share data with other user accounts, you can combine Realm’s and ZeroKit’s share permissions features. This requires Realm to share the required data and Tresorit to share the appropriate key to decrypt it. The guest user can now read the data with both components. You can also revoke the encryption key, meaning that even if the Realm data file lingers on the guest user’s disk, the information is rendered inaccessible.
In this way, Realm is able to synchronize data out in the open, and absolutely nothing in Realm’s stack, or the infrastructure it is run on, is in charge of the encryption. What’s even more exciting is that ZeroKit was built in a way that even Tresorit doesn’t have access to the keys, because they are stored encrypted with a secret derived from the ZeroKit user’s password. And Tresorit doesn’t have access to the password either: this is what they call a “zero knowledge” service. ZeroKit uses Augmented Password-authenticated Key Agreement (APAKE) protocols to achieve this.
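The encrypt-before-save flow and the password-derived key storage described above can be modelled with Node's built-in crypto module. This is an added example, not ZeroKit's API or protocol and not code from Realm or Tresorit: all function names are hypothetical, the password is a constructed sample, and scrypt with AES-256-GCM key wrapping stands in for ZeroKit's APAKE-based scheme.

```javascript
// Added illustration: a simplified model, NOT ZeroKit's API or protocol.
const nodeCrypto = require('node:crypto');

// AES-256-GCM seal/open; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Key-wrapping key derived from the password; it never leaves the client.
function deriveWrapKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// The server may store { salt, wrapped }: useless without the password.
function createWrappedDataKey(password) {
  const salt = nodeCrypto.randomBytes(16);
  const dataKey = nodeCrypto.randomBytes(32);
  return { salt, wrapped: seal(deriveWrapKey(password, salt), dataKey) };
}
function unwrapDataKey(password, { salt, wrapped }) {
  return open(deriveWrapKey(password, salt), wrapped);
}

// Fields are encrypted on the device before they are handed to the sync layer.
function encryptField(dataKey, text) {
  return seal(dataKey, Buffer.from(text, 'utf8')).toString('base64');
}
function decryptField(dataKey, b64) {
  return open(dataKey, Buffer.from(b64, 'base64')).toString('utf8');
}

// Constructed sample: what the sync server sees versus what the client recovers.
function demo() {
  const stored = createWrappedDataKey('correct horse battery staple');
  const key = unwrapDataKey('correct horse battery staple', stored);
  const synced = { id: 1, note: encryptField(key, 'blood type: O-') };
  let wrongPassword = 'rejected';
  try { unwrapDataKey('guess', stored); wrongPassword = 'accepted'; } catch (_) {}
  return { synced, recovered: decryptField(key, synced.note), wrongPassword };
}
```

The `synced` object is all a sync server would hold in this model; the authenticated mode also means a modified ciphertext fails to decrypt instead of yielding altered plaintext.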
Although end-to-end encryption is all about client-side data access with servers that can’t decrypt data, you don’t have to encrypt everything this way. You can decide to only encrypt sensitive data end-to-end; the rest, you can access on your Realm Object Server. However, if you still need to access encrypted data on the server, you can use ZeroKit’s Node SDK, which enables you to log in a ZeroKit user on the server. Storing the password of this special server user is a task you need to plan carefully, though; alternatively, ask the Tresorit team for advice on best practices, such as using Hardware Security Modules and other tricks, to keep your product secure.
Combining Realm and Tresorit’s solutions is exceptionally advantageous for use cases requiring enhanced security. In order to compromise data in this architecture, an attacker must both compromise your data and separately steal the keys from every single user, one by one, on their client devices to decrypt it. It’s really fantastic for Tresorit to show us how easy it was to integrate their services into our own, and together, they provide a level of security that is absolutely unparalleled.
The solution is ready for you to experiment with today. Just remember that you’ll need to do a few more steps before taking the end product into live production to ensure your users’ privacy: for example, writing code to validate your users’ email/phone number after registration and arranging certs on your servers. Details are covered in ZeroKit’s documentation.
If you’re building an app dealing with highly sensitive data, we definitely recommend you check out ZeroKit and give it a try!