This content is taken from the University of Southampton's online course, Secure Android App Development. Join the course to learn more.

Fixing the SQL vulnerability

Fortify shows there are SQL injection vulnerabilities in DBclass.java.

We will concentrate on the vulnerability in the searchpass() method, as this is the one we exploited.

As you can see, BuggyTheApp uses the user input to generate a query without performing any checking on what the user enters. This is how we were able to attack Buggy!

Parameterised SQL queries

To solve this we can use a parameterised SQL query, where the user input is always treated as data, never as commands.

Parameterised queries use placeholders that are bound to the user input when the query is sent to the database. These placeholders (parameters) can only bind to data, never to SQL syntax.

This means the code tells the database exactly which parts are SQL commands (specified by the app code) and which parts are data (user-supplied values). The database therefore never treats the data as SQL commands.

Fixing BuggyTheApp

Using the recommendations from Audit Workbench we can fix searchpass() as follows:

//Buggy code commented out: the user input is concatenated straight into the SQL text
//String searchquery="select * from "+DATABASE_TABLE+" where username ='"+loginUsername+"' and password='"+loginpass+"';";
//Cursor cursor=db.rawQuery(searchquery,null);

//Fixed: DATABASE_TABLE is an app constant, the two '?' placeholders are bound to selectionArgs, so the input is only ever data
Cursor cursor=db.rawQuery("select * from "+DATABASE_TABLE+" where username=? and password=?",
                          new String[] {loginUsername, loginpass});
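To see the difference the placeholders make, here is an added example (not code from the course or from BuggyTheApp) that reproduces both versions of searchpass() in Python against an in-memory SQLite database, the same engine Android uses. The table name, the test account and the three inputs are constructed for the example; the first two calls check correct and wrong credentials, the third shows why the concatenated query is the one that was exploitable and the parameterised one is not.

```python
import sqlite3

DATABASE_TABLE = "users"  # constructed stand-in for BuggyTheApp's table name


def make_db():
    """Create an in-memory SQLite database holding one constructed test account."""
    db = sqlite3.connect(":memory:")
    db.execute(f"create table {DATABASE_TABLE} (username text, password text)")
    db.execute(f"insert into {DATABASE_TABLE} values (?, ?)", ("alice", "s3cret"))
    db.commit()
    return db


def searchpass_buggy(db, login_username, login_pass):
    """Mirrors the commented-out Buggy code: the query is built by string
    concatenation, so whatever the user types becomes part of the SQL text."""
    searchquery = ("select * from " + DATABASE_TABLE + " where username ='"
                   + login_username + "' and password='" + login_pass + "';")
    return db.execute(searchquery).fetchall()


def searchpass_fixed(db, login_username, login_pass):
    """Mirrors the fixed rawQuery call: '?' placeholders in the SQL text and the
    user input passed separately, so the database binds it only as data."""
    searchquery = ("select * from " + DATABASE_TABLE
                   + " where username=? and password=?")
    return db.execute(searchquery, (login_username, login_pass)).fetchall()


def compare(login_username, login_pass):
    """Return (rows matched by the buggy code, rows matched by the fixed code)
    for the same login attempt."""
    db = make_db()
    try:
        buggy = searchpass_buggy(db, login_username, login_pass)
    except sqlite3.Error as exc:
        # Input containing quotes can also make the concatenated SQL invalid.
        buggy = f"SQL error: {exc}"
    fixed = searchpass_fixed(db, login_username, login_pass)
    db.close()
    return buggy, fixed


if __name__ == "__main__":
    # Correct credentials: both versions find the account.
    print(compare("alice", "s3cret"))
    # Wrong password: neither version finds it.
    print(compare("alice", "wrong"))
    # A tautology typed into the password field: the concatenated WHERE clause
    # becomes always-true and the buggy version returns the account; the fixed
    # version compares the literal string and returns nothing.
    print(compare("alice", "' or '1'='1"))
```

The third call is the behaviour Fortify flags in DBclass.java: the buggy query returns the row even though the password is wrong, while the parameterised query treats the whole input as a password value to compare. Note that the table name still comes from the app's own constant in both versions; placeholders bind values, not identifiers, which is why DATABASE_TABLE stays in the SQL text.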

We can now use Fortify to check that our fix actually works!
