MASTG-TEST-0339: SQL Injection in Content Providers

Overview

Android applications can share structured data via ContentProvider components. However, if a provider builds SQL queries from untrusted input taken from the request URI or the caller's selection without validating or parameterizing it, the provider becomes susceptible to SQL injection.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for the relevant APIs.

Observation

The output should contain a list of locations where user-controlled input from URIs or selection arguments is concatenated into SQL queries, for example via Uri.getPathSegments() and SQLiteQueryBuilder.appendWhere().

Evaluation

The test case fails if:

  • Untrusted user input (e.g., from getPathSegments()) is directly concatenated into SQL statements.
  • The app uses appendWhere() or builds queries unsafely without sanitization or parameterization.
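The two query-building patterns this test distinguishes, as an added example that is not code from the MASTG page, the demo, or any real app: one method concatenates a raw URI path segment into SQLiteQueryBuilder.appendWhere() and forwards the caller's selection as SQL text (the pattern that fails this test), and the other parses the id to a number, keeps caller values in selectionArgs so SQLite binds them, and uses a projection map with strict mode. The NoteQueries class, the notes table with its title and body columns, and the content://<authority>/notes/<id> URI shape are assumptions made for this example.

```java
import android.content.ContentUris;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.provider.BaseColumns;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Two ways a ContentProvider.query() implementation can build the same lookup.
 * The table/column names and the URI shape content://<authority>/notes/<id>
 * are assumptions for this example (hypothetical, not from the MASTG page).
 */
public final class NoteQueries {
    private static final String TABLE = "notes";
    private static final String COL_TITLE = "title";
    private static final String COL_BODY = "body";
    private static final int ID_SEGMENT = 1; // segment 0 is "notes", segment 1 is the id

    // Allow-list of columns a caller may select, filter on, or sort by.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put(BaseColumns._ID, BaseColumns._ID);
        PROJECTION_MAP.put(COL_TITLE, COL_TITLE);
        PROJECTION_MAP.put(COL_BODY, COL_BODY);
    }

    private NoteQueries() {}

    /**
     * VULNERABLE pattern this test looks for: the raw path segment is concatenated
     * into the WHERE clause through appendWhere(), and the caller's selection is
     * forwarded as-is, so both become SQL text instead of bound values.
     */
    public static Cursor queryUnsafe(SQLiteDatabase db, Uri uri, String[] projection,
                                     String selection, String[] selectionArgs,
                                     String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        List<String> segments = uri.getPathSegments();
        if (segments.size() > ID_SEGMENT) {
            // Finding: untrusted URI data concatenated into SQL (fails this test).
            qb.appendWhere(BaseColumns._ID + " = " + segments.get(ID_SEGMENT));
        }
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    /**
     * HARDENED form: the id is parsed to a long before it reaches the query, caller
     * values travel only in selectionArgs (bound by SQLite at execution time), and
     * strict mode plus the projection map reject selections or sort orders that
     * reference anything outside the allow-listed columns.
     */
    public static Cursor querySafe(SQLiteDatabase db, Uri uri, String[] projection,
                                   String selection, String[] selectionArgs,
                                   String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);

        if (uri.getPathSegments().size() > ID_SEGMENT) {
            // ContentUris.parseId() throws NumberFormatException on a non-numeric
            // last segment, so only a number can ever be appended here.
            long id = ContentUris.parseId(uri);
            qb.appendWhere(BaseColumns._ID + " = " + id);
        }
        // The selection may contain "?" placeholders; their values stay in
        // selectionArgs and are bound by SQLite, never interpolated into the SQL.
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    /**
     * When a string value must go into the builder's own WHERE clause, use
     * appendWhereEscapeString() so it is emitted as a quoted, escaped literal.
     */
    public static void appendTitleFilter(SQLiteQueryBuilder qb, String title) {
        qb.appendWhere(COL_TITLE + " = ");
        qb.appendWhereEscapeString(title);
    }
}
```

During static analysis, queryUnsafe() is the shape to flag: getPathSegments() output flowing into appendWhere() or into a string passed as the selection. appendWhere() by itself is not the defect; it becomes one when the appended fragment carries unparsed caller data, which is why querySafe() only appends a value that has already been converted to a long.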

Best Practices

MASTG-BEST-0039: Prevent SQL Injection in ContentProviders

Demos

MASTG-DEMO-0102: SQL Injection via URI Path and Selection in Android Content Providers