
Recently, during a source code audit of my Android application, the auditors raised a few points like path manipulation and privacy violation attacks.

I have been searching for proper solutions for the last few days but couldn't find any fruitful solution. Please provide me with solutions for the queries below.

1. File f = new File("filepath");

how to prevent attacker from manipulating filepath ?

2. private void selectDataFromDB(String param1, String param2) {
       // rawQuery() takes the SQL text plus bind values; query() has a different signature
       sqlitedatabase.rawQuery("SELECT * FROM tbl1 WHERE col1 LIKE ? AND colu2 LIKE ?",
                               new String[]{param1, param2});
   }

How do I validate the parameters so that an attacker cannot change them? Input sanitization? How do I apply it?

Edit1:

The method selectDataFromDB() in MyActivity.java mishandles confidential information, which can compromise user privacy and is often illegal.

Nikunj
jil123
  • I think you need to ask clearer questions. While select * is a little bad on the db (you should request column names), so long as you're using bind variables (like you are), the SQL statement is fine. You should probably add a null check, possibly a check for empty string (unless you're ok with everything being a match), but the SQL is ok. – Gabe Sechan Jul 17 '18 at 05:20
  • Thank you so much @GabeSechan. I have already checked the parameters for null before calling such methods, but the auditors do not consider it appropriate. Please help me to get out of it. I've updated my question. – jil123 Jul 17 '18 at 05:23
  • Then ask your auditors what's wrong. Because I see nothing inappropriate. If you're actually talking to auditors they'll tell you what the reason is. But there is no risk of sql injection there. My best guess from your edit is that you're requesting too much info with * and they would prefer you request less. – Gabe Sechan Jul 17 '18 at 05:25
  • They proposed that I apply input sanitization. I have checked multiple links but couldn't find anything. In PHP there is a default function which can check for special characters, but not in Android. – jil123 Jul 17 '18 at 05:56

1 Answer


They proposed me to apply input sanitization.

You don't need to sanitize inputs when you use query parameters. That's one of the best reasons to use parameterized SQL statements. It's not possible for the value of a query parameter to change the SQL syntax.

It's possible that your auditors don't understand how SQL injection works.

Bill Karwin
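The answer's point, shown as an added example that is not part of the question or the answer: Python against the sqlite3 module (the same engine Android's SQLiteDatabase wraps) binding a hostile value with ? versus concatenating it, plus a containment check for the File question. The table contents and the app directory path are constructed stand-ins.

```python
import os
import sqlite3

# Constructed stand-ins: an in-memory copy of tbl1 and the app's private
# files directory (what Context.getFilesDir() would return on Android).
APP_FILES_DIR = "/data/data/com.example.app/files"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl1 (col1 TEXT, colu2 TEXT)")
    db.executemany("INSERT INTO tbl1 VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db

def select_bound(db, param1, param2):
    # Same shape as rawQuery("... LIKE ? AND ... LIKE ?", new String[]{p1, p2}).
    # The values travel separately from the SQL text, so a quote in param1 is
    # just a character to match, never a token in the statement. Note that a
    # bound "%" still matches every row: LIKE wildcards are data, not syntax.
    sql = "SELECT col1, colu2 FROM tbl1 WHERE col1 LIKE ? AND colu2 LIKE ?"
    return db.execute(sql, (param1, param2)).fetchall()

def select_concatenated(db, param1, param2):
    # The pattern parameterization replaces, kept only for contrast: the value
    # becomes part of the SQL text and can rewrite the WHERE logic.
    sql = ("SELECT col1, colu2 FROM tbl1 WHERE col1 LIKE '" + param1 +
           "' AND colu2 LIKE '" + param2 + "'")
    return db.execute(sql).fetchall()

def resolve_under(base_dir, user_path):
    # Check for new File(filepath): resolve symlinks, '..' and absolute paths,
    # then accept only a result that is still inside base_dir (else None).
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print(select_bound(db, hostile, "user"))          # [] : no col1 is that literal
    print(select_concatenated(db, hostile, "user"))   # every 'user' row comes back
    print(resolve_under(APP_FILES_DIR, "reports/2024.json"))
    print(resolve_under(APP_FILES_DIR, "../../../../etc/passwd"))  # None
```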