Security flag fstack-protector Realm library Android

Question

I developed an android application and a security team realized a security testing and sent me a vulnerability that doesn't have "-fstack-protector" option the Realm library. the original message: "stack canaries can greatly increase the difficulty of exploiting a stack buffer overflow because it forces the attacker to gain control of the instruction pointer by some non-traditional means such as corrupting other important variables on the stack. Built with option -fstack-protector"

ib/x86_64/libtool-checker.so lib/x86_64/librealm-jni.so lib/x86/libcrashlytics-envelope.so lib/x86/librealm-jni.so lib/armeabi/librealm-jni.so lib/armeabi-v7a/librealm-jni.so lib/arm64-v8a/librealm-jni.so lib/mips/librealm- jni.so

my question is if a reason why doesn't it have it? or what can i do? or if exists a risk?

Answer 1

Copy paste from: https://github.com/realm/realm-java/issues/4553

As a general purpose project, we have to continuously evaluate the trade-off between performance and safety. In this case you are talking about a program running on a mobile device, so if an attacker has the level of access to attack an app with Realm, they already have access to modify/see the Realm file using normal API's. None of the Java API's would allow this kind of attack vector.

That said, we haven't really tried to enable this setting and we would need to test what difference it does to our binary size as well as the performance before being able to commit to anything.

Both Realm Java and Realm Core is open source though, so if you want to, you add this flag to both places in order to build your own version of Realm