what you don't know can hurt you

Android SDK SQL Injection

Android SDK SQL Injection
Posted Jul 28, 2014
Authored by ms

Android's SDK suffers from a SQL injection vulnerability in the delete() method.

tags | advisory, sql injection
advisories | CVE-2014-4959
MD5 | 46e98f4a41fc98329f43ab1ce2e8daec

Android SDK SQL Injection

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECV-07-1403 - Android SQLi Api - SQL Injection on delete() method

Product description:
Android is a mobile operating system (OS) based on the Linux kernel that
is currently developed by Google. With a user interface based on direct
manipulation, Android is designed primarily for touchscreen mobile
devices such as smartphones and tablet computers, with specialized user
interfaces for televisions (Android TV), cars (Android Auto), and wrist
watches (Android Wear). The OS uses touch inputs that loosely correspond
to real-world actions, like swiping, tapping, pinching, and reverse
pinching to manipulate on-screen objects, and a virtual keyboard.
Despite being primarily designed for touchscreen input, it also has been
used in game consoles, digital cameras, and other electronics. As of
2011, Android has the largest installed base of any mobile OS and as of
2013, its devices also sell more than Windows, iOS, and Mac OS devices
combined. As of July 2013 the Google Play store has had over 1 million
Android apps published, and over 50 billion apps downloaded.[18] A
developer survey conducted in April–May 2013 found that 71% of mobile
developers develop for Android.[19] At Google I/O 2014, the company
revealed that there were over 1 billion active monthly Android users
(that have been active for 30 days), up from 538 million in June 2013.


CVE-ID: CVE-2014-4959
Affected versions: ALL

Vendor url: http://www.android.com
Vulnerability status: Not acknowledged. But Android Security will update
documentation.
Advisory url: http://www.secveritas.com/secv-071403.html

Vulnerability details:
The Android SDK offers frameworks in order for developers develop their
applications in the most secure way possible. Specifically it offers an
SQLi API this api has all methods protected by the usage of prepared
statements. Nevertheless the method delete from the class SQLiteDatabase
is not protected.

Source code:
/frameworks/base/core/java/android/database/sqlite/SQLiteDatabase.java

public int delete(String table, String whereClause, String[] whereArgs) {
1492 acquireReference();
1493 try {
1494 SQLiteStatement statement = new SQLiteStatement(this,
"DELETE FROM " + table +
1495 (!TextUtils.isEmpty(whereClause) ? " WHERE " +
whereClause : ""), whereArgs);
1496 try {
1497 return statement.executeUpdateDelete();
1498 } finally {
1499 statement.close();
1500 }
1501 } finally {
1502 releaseReference();
1503 }
1504 }

Has it can be seen the argument whereClause is concatenated into the sql
query that is build and passed for execution. Only the whereArgs
argument is passed into the statment has an binded argument being
protected against sqlInjection. This is not documented on the API
documentation and only by reviewing the source code of the SQLi API
would and developer be aware of this fact.
Since the Android SDK in general and the SQLi API in particular have a
high security awareness and all other method use indeed the prepared
statements this fact may lead developers into a false sense of security.

Workaround:
Rewrite the delete method by extending the SQLiteDatabase class.

Timeline:
15th Jul - Disclosed to Android Security
22nd Jul - Android Security denied the vulnerability requested a PoC
23rd Jul - PoC provided source code + APK
24th Jul - Android security team stated that it was not an API
vulnerability. But admit that its not documented and that it will change
documentation.
24th Jul - Android was notified of the public disclosure of this advisory.
26th Jul - Public disclosure

Credits:
MS - SecVeritas.com

SECVeritas.com is a non-profit organization that aims to give their
members contribute the internet security.

The contents of this advisory are copyright(c) 2014 SECVeritas.com
You may distribute this advisory has a whole or in parts as long has you
maintain all the credits.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJT09ojAAoJEN3eoZ/uAn51+jcIAI6ux3uu9IV67HDS8S9fscun
XaNLB5XY4xK5Rwe55PioJAO5HmzaeK4Ngz0oFuyBOtPFuKoErdu9KcGfnkdHOuee
dH1oxjRCO9ALZQqQNbE/8nJXFHO6cEsdh0UEtlIu0Nko6NVeQB3YbGbgk9Iyllrb
vx4kOv5q4mlpdS3NBwDgy/E4e+ndrfpz7fnQ82qUSEqAnvSO7DjSNlMe2t+uxxlW
5qPl+YNcdp8rDN0TV4IkDDrBQDl50pGBG6f0wuQYhFVvjE+0tzT98JBBKofC9Fbf
OMBapRIQvFZt+Hc+D+phWXNqdvGMgoz7IhHvG3sK6/sQ16grGOW4OmPMooLe8so=
=du8S
-----END PGP SIGNATURE-----



Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close