MASTG-TEST-0339: SQL Injection in Content Providers

Overview

Android applications can share structured data via ContentProvider components. However, if these providers create SQL queries using untrusted input from URIs without adequate validation or parameterization, they risk becoming susceptible to SQL injection attacks.

Steps

  1. Reverse engineer the app (Reverse Engineering Android Apps).
  2. Run static analysis (Static Analysis on Android) to search for unsafe SQL construction in ContentProviders.

Observation

The output should contain a list of locations where user-controlled input from URIs or selection arguments is concatenated into SQL queries, for example via Uri.getPathSegments() and SQLiteQueryBuilder.appendWhere().

Evaluation

The test case fails if:

  • Untrusted user input (e.g., from getPathSegments()) is directly concatenated into SQL statements.
  • The app uses appendWhere() or builds queries unsafely without sanitization or parameterization.
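As an added illustration (not the MASTG demo or any project's code) of the two outcomes above, the following hypothetical helper puts a query path that fails this test next to one that passes; the `notes` table, the URI layout `content://<authority>/notes/<id>` and the method names are assumptions.

```java
import android.database.Cursor;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;

// Hypothetical helper for a provider serving content://<authority>/notes/<id>.
// Both methods would be called from the provider's query(); only the second passes.
public final class NoteQueries {

    // FAILS: the URI path segment is caller-controlled (any app can build the URI)
    // and is concatenated straight into the WHERE clause via appendWhere().
    static Cursor queryUnsafe(SQLiteDatabase db, Uri uri, String[] projection,
                              String selection, String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        String id = uri.getPathSegments().get(1);    // e.g. "5", but never validated
        qb.appendWhere("_id = " + id);               // string concatenation into SQL
        // The caller-supplied selection is appended as raw SQL as well.
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // PASSES: the id is validated and bound as a parameter; the caller's selection is
    // combined with DatabaseUtils.concatenateWhere() and its args appended, not spliced.
    static Cursor querySafe(SQLiteDatabase db, Uri uri, String[] projection,
                            String selection, String[] selectionArgs, String sortOrder) {
        long rowId;
        try {
            rowId = Long.parseLong(uri.getPathSegments().get(1)); // ids are numeric here
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Invalid note id in URI: " + uri);
        }
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setStrict(true);  // have the builder reject malformed selection clauses
        String where = DatabaseUtils.concatenateWhere("_id = ?", selection);
        // appendSelectionArgs() expects a non-null second array once the first is non-empty.
        String[] callerArgs = selectionArgs == null ? new String[0] : selectionArgs;
        String[] args = DatabaseUtils.appendSelectionArgs(
                new String[] { String.valueOf(rowId) }, callerArgs);
        return qb.query(db, projection, where, args, null, null, sortOrder);
    }
}
```

In static analysis, the first method is exactly the pattern described in the observation section: a `getPathSegments()` value flowing into `appendWhere()` with no parameter binding in between.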

Best Practices

MASTG-BEST-0039: Prevent SQL Injection in ContentProviders

Demos

MASTG-DEMO-0102: SQL Injection via URI Path and Selection in Android Content Providers