Android : SQLite query injection

Classification

OWASP Mobile Top 10 2014

M7-Client Side Injection

PCI DSS 4.0

6.2.4

HIPAA

§164.312 (a)(1)§164.312 (d)

CWE

CWE-89

CWE/SANS Top 25 2011

CWE-89

CWE/SANS Top 25 2021

CWE-89

Overview

The application creates an SQLite database query based on the user input. An attacker can use it to gain unauthorized access to application data.

There is an important difference between SQL injections for SQL and SQLite. In contrast to classical attacks of this type, SQLite database query injection gives an attacker unauthorized read access, but does not allow to change the state of the database.

References

OWASP Top 10 2013-A1-Injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
SQLiteDatabase - developer.android.com

MEDIUM

Android : SQLite query injection

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Android : SQLite query injection in your application?

See also

Android : Debug mode on

Android : Error handling: generic exception

Android : HTTP usage