Definition of SQL Injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
How SQL Injection impacts the Android OS
The SQLite databases used in Android apps are fully functional databases, so just like a SQL Server or MySQL box they can be susceptible to SQL injection. SQL injection typically works by adding data to the query string or adding data in a form field to give hackers access to a database or unauthorized logins. SQL Injection is usually used to attack WebViews or a web service, but it can also be used to attack Activities.
The root cause of the SQL Injection vulnerability is the use of dynamic or concatenated SQL queries. If SQL queries are constructed by concatenating user-supplied inputs, the user can then supply SQL attack vectors instead of valid inputs and manipulate the backend SQL query.
The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the injected string is terminated with a comment mark "--". Subsequent text is ignored at execution time.
My Question
Although I understand what SQL Injection is and how it can take place, I don't know what factors make a selection of Android code vulnerable to such an attack.
Upvotes: 5
Views: 3719
Reputation: 3629
Modify the <provider> tag of the affected ContentProvider in your Manifest to set android:exported="false".
Upvotes: 0
Reputation: 349
I would say that what makes an Android application vulnerable to SQL Injection is a bad use or configuration of Content Providers in Android.
I wrote a blog post about it recently, where I explain an example of injecting SQL into Android content providers to obtain data and how to be protected against this kind of attack; have a look at it: link
Upvotes: 2
Reputation: 42585
SQL injection is not Android specific.
In any case, the answer is simple: if you combine SQL command strings with user data input (via GUI, network, ...) the wrong way, your application can become vulnerable to SQL injection.
The simple solution is to use only static SQL command strings in combination with PreparedStatement. All user data and other parameters are set on the PreparedStatement after it has been compiled.
Upvotes: 5
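As an added example that is not part of the question or of any of the answers, the following script shows both halves of what the question and the answer above describe: a login query built by string concatenation, the "terminate the string, append a comment" payload that defeats it, and the same query with static SQL text and bound parameters. It runs against an in-memory SQLite database using Python's sqlite3 module, since SQLite is the engine Android apps ship with; the `?` placeholders play the role of a PreparedStatement's parameters (on Android, the selectionArgs array of SQLiteDatabase.rawQuery/query). The users table, its rows, the payloads and the function names are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a throwaway in-memory SQLite database
    standing in for an app's local database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical vulnerable login: user data is concatenated straight
    into the SQL text, so quotes in the input become part of the query."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with static SQL text; the values are bound as parameters
    after the statement is compiled, so they can never change its structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Payload 1: close the string literal, then comment out the password check.
# The concatenated query becomes
#   ... WHERE username = 'alice' --' AND password = 'wrong'
# and everything after "--" is ignored by SQLite.
BYPASS_PASSWORD = "alice' --"

# Payload 2: make the WHERE clause true for every row, dumping the table.
#   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
DUMP_ALL = "' OR '1'='1"


def demo():
    """Run the payloads against both implementations and return the results."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_PASSWORD, "wrong"),
        "vuln_dump": login_vulnerable(conn, DUMP_ALL, DUMP_ALL),
        "safe_bypass": login_safe(conn, BYPASS_PASSWORD, "wrong"),
        "safe_dump": login_safe(conn, DUMP_ALL, DUMP_ALL),
        "safe_real_login": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16s} -> {rows}")
```

With the concatenated version, the first payload logs in as alice without a password and the second returns every row; with bound parameters both payloads are compared literally against the username column, match nothing, and only the genuine credentials return a row. Note that the parameters protect values only: a column or table name that comes from the user still has to be checked against an allow-list, because it cannot be passed as a `?` placeholder.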
Reputation: 369
Well, if your code takes variables like username and password and your app makes an SQL query that just puts those variables into the SQL string without sanitizing the strings first, a user could inject bad code and the results could be bad. So, just like with any app, sanitizing user input is key to whether an attack is unsuccessful or not.
Upvotes: 3