
SQL Injection in Android


Description

SQL databases (specifically, the SQLite variant) are commonplace in the Android framework. In particular, they are used extensively by content providers, which often act as an abstraction over such databases so that other components of the Android operating system can use them.

When implementing a content provider, it is not uncommon to have to interact with the database using low-level SQL queries, which makes it necessary to follow practices that mitigate SQL injection.

Impact

In the case of SQLite databases, the impact is limited to data manipulation or leakage (i.e., there is no direct way to obtain code execution or file disclosure). However, it’s still a risk that shouldn’t be underestimated.

Prevention

Unsurprisingly, to prevent these kinds of exposures, conscientious developers must employ prepared or parameterized statements. Fortunately, the Android platform provides a number of utility query methods that accept the individual components of the SQL query (table, columns, WHERE clause, bound values) so that the statement is assembled without any manual string interpolation or escaping.

For example, the following vulnerable SQL query:

// Vulnerable: the caller-supplied username is concatenated into the statement text
String sql = "SELECT * FROM users WHERE username = '" + username + "'";
Cursor cursor = db.rawQuery(sql, null);

can be rewritten as:

// Safe: table, columns and WHERE clause are passed separately, and username is bound to the "?" placeholder
Cursor cursor = db.query("users", new String[]{"*"}, "username = ?", new String[]{username}, null, null, null);
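The same principle applied inside a content provider, where the URI, projection, selection and sort order all arrive from the calling app. This is an added example, not code from the SecureFlag page; the UsersProvider class, the UsersDbHelper helper and the users table columns are assumptions made for illustration.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

// Exposes a "users" table (assumed columns: id, username, email) at
// content://<authority>/users/<id>; other apps reach query() through ContentResolver.
public class UsersProvider extends ContentProvider {
    // Allow-list of columns a caller may name in its projection; anything else is rejected.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("id", "id");
        PROJECTION_MAP.put("username", "username");
        PROJECTION_MAP.put("email", "email");
    }
    private UsersDbHelper helper; // assumed SQLiteOpenHelper subclass that creates the table
    @Override public boolean onCreate() { helper = new UsersDbHelper(getContext()); return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteDatabase db = helper.getReadableDatabase();
        String userId = uri.getLastPathSegment(); // caller-controlled, like selection and sortOrder

        // Vulnerable form: caller-controlled text is pasted straight into the statement.
        // return db.rawQuery("SELECT * FROM users WHERE id = " + userId
        //         + (selection == null ? "" : " AND " + selection), selectionArgs);

        // Hardened form: caller values are bound as parameters, and the free-form
        // selection and sortOrder are validated by the builder's strict mode.
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("users");
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);
        qb.appendWhere("id = ?");
        // The builder emits WHERE (id = ?) AND (<selection>), so our argument goes first.
        String[] args = DatabaseUtils.appendSelectionArgs(new String[]{userId}, selectionArgs);
        return qb.query(db, projection, selection, args, null, null, sortOrder);
    }

    // Remaining abstract methods, stubbed so the class compiles; not relevant to the example.
    @Override public String getType(Uri uri) { return "vnd.android.cursor.item/vnd.example.user"; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String where, String[] args) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String where, String[] args) { return 0; }
}
```

Strict mode and the projection map only constrain what the builder itself assembles; any rawQuery or execSQL call elsewhere in the provider still has to bind its own inputs.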

References

CWE - CWE-89: Improper Neutralization of Special Elements used in an SQL Command

OWASP - SQL Injection

OWASP - SQL Injection Prevention Cheat Sheet

Android - Content providers

Android - SQLiteDatabase