Reputation: 3133
I'm fairly new to Android programming, so this may be a simple question, but I haven't found the answer yet. Basically, I'm calling a C# webservice that expects XML. I'm leery of sending unfiltered user input. There are quite a few places where I have to do this, but the login is a good example:
Here's a rough version of what I've currently got (cobbled together from other SO examples):
// Imports for the Apache HttpClient bundled with older Android releases
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.DefaultHttpClient;

String userName = "MyUserName";
String password = "MyPassword";
String url = "http://mywebserviceurl.com/auth";
// User-supplied values are concatenated straight into the XML body
String xml = "<AuthenticateModel xmlns=\"http://schemas.datacontract.org/2004/07/Mycompany.Auth.Lib\">\n" +
    "  <EmailAddress>" + userName + "</EmailAddress>\n" +
    "  <EncodedPassword>" + password + "</EncodedPassword>\n" +
    "</AuthenticateModel>";
HttpClient httpclient = new DefaultHttpClient();
HttpPost post = new HttpPost(url);
// Encode the body as UTF-8 to match the declared charset (the no-arg constructor defaults to ISO-8859-1);
// this constructor throws UnsupportedEncodingException, so declare or catch it
StringEntity str = new StringEntity(xml, "UTF-8");
str.setContentType("application/xml; charset=utf-8");
// (the former setContentEncoding(...) call put a content type into the Content-Encoding header, which is
// only meant for transfer codings such as gzip; setContentType above already sets the right header)
post.setEntity(str);
// execute() throws IOException, so declare or catch it
HttpResponse httpResponse = httpclient.execute(post);
It works great. The user info is handled on the server side, but it sure seems like a bad idea to send it completely unfiltered. I'd appreciate the feedback.
Additionally: I store the username in the application preferences, so it's not just the webservice that I am concerned about. Thanks!
Upvotes: 2
Views: 275
Reputation: 67004
It looks like this call is vulnerable to XML Injection, but this is also useless to an attacker.
An attacker is just going to access this C# webservice directly. No one cares about the request your client is building. You need to make sure the service is protecting itself from common vulnerabilities like SQL Injection, command injection and Directory Traversal.
Upvotes: 2
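For the client-side concern raised in the question, escaping the user-supplied values before concatenating them keeps a username or password containing `&`, `<` or a quote from producing a malformed or restructured document. This is an added example, not code from the question or the answer; `escapeXml`, `buildAuthXml` and `isWellFormed` are names chosen here, and the sample values are constructed.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public final class AuthXml {
    // Replace the five characters that have structural meaning in XML text and attribute values.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same AuthenticateModel document as in the question, but with each user-supplied value escaped.
    static String buildAuthXml(String userName, String password) {
        return "<AuthenticateModel xmlns=\"http://schemas.datacontract.org/2004/07/Mycompany.Auth.Lib\">\n"
             + "  <EmailAddress>" + escapeXml(userName) + "</EmailAddress>\n"
             + "  <EncodedPassword>" + escapeXml(password) + "</EncodedPassword>\n"
             + "</AuthenticateModel>";
    }

    // Sanity check before sending: the body must still parse as one well-formed document.
    static boolean isWellFormed(String xml) {
        try {
            DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input containing characters that are special in XML.
        String user = "alice@example.com";
        String pw = "p<a&ss\"w'd>";
        // The question's raw concatenation style versus the escaped builder.
        String raw = "<EncodedPassword>" + pw + "</EncodedPassword>";
        System.out.println("raw concatenation well-formed? " + isWellFormed(raw));
        System.out.println("escaped document well-formed?  " + isWellFormed(buildAuthXml(user, pw)));
    }
}
```

As the answer notes, this only keeps the client's own request well-formed; the service still has to validate whatever arrives, since callers can bypass this client entirely.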