SQL Injection in Mobile Context
While SQL injection is often associated with web applications, mobile apps are equally vulnerable whenever untrusted input is concatenated into SQL, whether for an on-device local database or in the backend APIs the app calls.
Attack Vectors
Local Database Injection
SQLite databases on mobile devices are vulnerable when the query string is built by concatenating user-controlled values:
// VULNERABLE CODE: userId is spliced straight into the SQL text
String query = "SELECT * FROM users WHERE id = '" + userId + "'";
Cursor cursor = db.rawQuery(query, null);
API Parameter Injection
Backend APIs that pass mobile-supplied parameters into SQL without validation or parameterization:
POST /api/search
{"query": "' OR '1'='1' --"}
Content Provider Injection (Android)
Exported content providers that pass URI segments or selection clauses into SQL without sanitizing them:
content://com.app.provider/users/' OR '1'='1
Prevention
Use Parameterized Queries
// SECURE CODE: userId is bound as a parameter and never parsed as SQL
String query = "SELECT * FROM users WHERE id = ?";
Cursor cursor = db.rawQuery(query, new String[]{userId});
ORM Usage
Use ORMs that handle parameterization:
- Room (Android)
- Core Data (iOS)
- SQLDelight
Input Validation
Always validate input:
- Type checking
- Length limits
- Whitelist allowed characters
- Reject suspicious patterns
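The parameterized query and the validation rules above, carried through against a SQLite database in Python (an added example written for this page, not code from the original; the table, its rows and the helper names are constructed here). It runs the page's `' OR '1'='1' --` input through the concatenated query, the bound-parameter query and an allowlist check, which is the same distinction rawQuery with selectionArgs makes on Android.

```python
import re
import sqlite3

# Page's example payload (from the API Parameter Injection section).
PAYLOAD = "' OR '1'='1' --"

# Constructed in-memory SQLite database standing in for an app's local DB.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("1", "alice"), ("2", "bob"), ("3", "carol")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Same concatenation pattern as the page's vulnerable snippet:
    # the quote in the input closes the literal, so the rest is parsed as SQL.
    query = "SELECT name FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(query)]

def find_user_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # Placeholder binding: the value is sent separately from the SQL text
    # and is compared as data, never parsed as SQL.
    query = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]

# Allowlist for a numeric id: type check, character set and length limit.
USER_ID_PATTERN = re.compile(r"[0-9]{1,10}")

def validate_user_id(user_id) -> str:
    if not isinstance(user_id, str) or not USER_ID_PATTERN.fullmatch(user_id):
        raise ValueError("invalid user id")
    return user_id

def find_user_defended(conn: sqlite3.Connection, user_id) -> list:
    # Defense in depth: validate first, then bind the parameter.
    return find_user_parameterized(conn, validate_user_id(user_id))
```

With the payload, the concatenated query returns every row, the bound query returns none, and the validator rejects the input before any query runs.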
Content Provider Security
<provider
android:name=".MyProvider"
android:exported="false"
android:permission="com.app.PRIVATE" />
Testing for SQL Injection
Automated Testing
Use tools like:
- sqlmap
- appaudix scanner
- OWASP ZAP
Manual Testing
Test inputs with:
- Single quotes
- SQL keywords
- Time-based payloads
- Boolean conditions