Fixing a SQL Injection Vulnerability

This information is intended for developers with app(s) that contain the SQL Injection Vulnerability.

What’s happening

One or more of your apps contain a SQL Injection vulnerability that must be fixed. Please refer to the notice on your Play Console for the deadline to fix this vulnerability. After this deadline, updates to affected apps will be blocked if the vulnerability is still present. Your published APK version will remain unaffected.

Action required

Implementations of query, update, and delete in exported ContentProviders can be vulnerable to SQL Injection if they pass unsanitized inputs to SQL statements. A malicious app can supply a crafted input to access private data or corrupt database contents. You can fix this problem in the following ways:

If an affected ContentProvider  does not need to be exposed to other apps:

If an affected ContentProvider  needs to be exposed to other apps:

  • You can prevent SQL Injection into SQLiteDatabase.query by using strict mode with a projection map. Strict mode protects against malicious selection clauses and projection map protects against malicious projection clauses. You must use both of these features to ensure that your queries are safe.
  • You can prevent SQL Injection into SQLiteDatabase.update and SQLiteDatabase.delete by using a selection clause that uses "?" as a replaceable parameter and a separate array of selection arguments. Your selection clause should not be constructed from untrusted inputs.

Next Steps

  1. Update your app using the steps highlighted above.
  2. Sign in to your Play Console and submit the updated version of your app.
  3. Check back after five hours; we'll show a warning message if the app hasn't been updated correctly.

We're here to help. For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Was this article helpful?
How can we improve it?