Closed
Description
Hello!
My React Native Android app was audited by a security company, and they found an issue in the async-storage codebase.
I'm not sure if it is a real problem or not, but my employer requires me to fix these issues.
Could you help with it, please?
❖ Severity Medium
❖ Description
The mobile app uses the SQLite engine, which does not have built-in security to protect databases; rather, it relies on its environment, such as the operating system, to provide security for database content. Furthermore, the mobile app executes raw SQL queries.
❖ Impact
Inclusion of input into raw SQL queries can potentially lead to a local SQL injection vulnerability in the mobile application. A malicious user and/or attacker will typically exploit vulnerabilities in this category by supplying carefully crafted inputs to the victim. The real impact of exploiting vulnerabilities of this class is most prevalent in server-side web services; exploitable instances also exist within mobile apps, but occurrences are less common, and the attack surface is smaller.
❖ Remediation
1. Consider encrypting sensitive data in SQLite before storage. If you prefer not to encrypt the data yourself, SQLite has an extension called “SQLCipher” that will perform encryption.
2. Consider using prepared SQL statements that are beyond the user's control.
▪ Example of insecure code:

```java
// Untrusted input is concatenated straight into the SQL text, so it is parsed as SQL.
db.rawQuery("SELECT username FROM users_table WHERE id = '" + input_id + "'", null);
db.execSQL("SELECT username FROM users_table WHERE id = '" + input_id + "'");
```

▪ Example of secure code:

```java
// Values are bound to '?' placeholders, so the driver treats them as data, never as SQL.
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, new java.math.BigDecimal("153833.00"));
pstmt.setInt(2, 110592);
pstmt.executeUpdate();
```
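An added, runnable illustration of what remediation item 2 above is about; it is not code from this issue or from async-storage. It uses Python's built-in sqlite3 module and a constructed `kv_store` table as a stand-in for Android's SQLiteDatabase, and shows the same lookup written with string concatenation (as in the audit's insecure example) and with a bound parameter.

```python
import sqlite3

# Constructed sample rows; a key/value table like the one a storage layer keeps.
SAMPLE_ROWS = [("user_token", "tok-123"), ("theme", "dark"), ("lang", "en")]


def make_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE kv_store (key TEXT PRIMARY KEY, value TEXT)")
    con.executemany("INSERT INTO kv_store VALUES (?, ?)", SAMPLE_ROWS)
    return con


def get_value_concatenated(con, key):
    """Insecure: the key is spliced into the SQL text, as in the audit's rawQuery example.

    Whatever the caller passes is parsed by the SQL engine, so a value containing a
    quote can change the statement's meaning (or simply break it).
    """
    sql = "SELECT value FROM kv_store WHERE key = '" + key + "'"
    return [row[0] for row in con.execute(sql)]


def get_value_parameterized(con, key):
    """Secure: '?' placeholder; the key is bound as data and never parsed as SQL."""
    sql = "SELECT value FROM kv_store WHERE key = ?"
    return [row[0] for row in con.execute(sql, (key,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed crafted input: a quote followed by an always-true condition.
    crafted = "x' OR '1'='1"
    print("concatenated:", get_value_concatenated(db, crafted))   # every row leaks
    print("parameterized:", get_value_parameterized(db, crafted))  # no such key: []
```

A key containing an apostrophe (for example `"user's"`) makes the concatenated query raise `sqlite3.OperationalError`, while the parameterized version simply returns no rows.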