This information is intended for developers with app(s) that contain the SQL Injection Vulnerability.
What’s happening
One or more of your apps contain a SQL Injection vulnerability that must be fixed. Vulnerable locations in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)” then the location is in code dynamically loaded by the app or by libraries used by the app. Applications typically use dynamically loaded code through on-demand feature delivery, though other unrecommended techniques exist (some unrecommended techniques also violate the Google Play policy and should not be used). Additionally, packers can transform application code into dynamically loaded code.
After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.
Action required
- Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
- Update your affected apps and fix the vulnerability.
- Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.
Additional details
Implementations of query, update, and delete in exported ContentProviders can be vulnerable to SQL Injection if they pass unsanitized inputs to SQL statements. A malicious app can supply a crafted input to access private data or corrupt database contents. You can fix this problem in the following ways:
If an affected ContentProvider does not need to be exposed to other apps:
- You can modify the <provider> tag of the affected ContentProvider in your Manifest to set android:exported="false". This will prevent other apps from sending Intents to the affected ContentProvider.
- You can also set the android:permission attribute to be a permission with android:protectionLevel="signature" to prevent apps written by other developers from sending Intents to the affected ContentProvider.
If an affected ContentProvider needs to be exposed to other apps:
- You can prevent SQL Injection into SQLiteDatabase.query by using strict mode with a projection map. Strict mode protects against malicious selection clauses and a projection map protects against malicious projection clauses. You must use both of these features to ensure that your queries are safe.
- You can prevent SQL Injection into SQLiteDatabase.update and SQLiteDatabase.delete by using a selection clause that uses "?" as a replaceable parameter and a separate array of selection arguments. Your selection clause should not be constructed from untrusted inputs.
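The following is an added example, not code from this page or from Google: a hypothetical exported ContentProvider, written in Java, that applies the recommendations above. query goes through SQLiteQueryBuilder with strict mode and a projection map (strict mode and projection maps are SQLiteQueryBuilder features layered on SQLiteDatabase.query), while update and delete bind the row id taken from the URI through a "?" placeholder instead of pasting a caller-supplied WHERE clause into the statement. The table name, column names, database file and MIME type are assumptions; the comment at the top repeats the manifest attributes for the case where the provider does not need to be exposed at all.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

// Hypothetical provider used only for illustration.
//
// If this provider does NOT need to be reachable from other apps, the fix is in the
// manifest rather than here: set android:exported="false" on its <provider> tag, or
// set android:permission to a permission declared with
// android:protectionLevel="signature". The code below is for the case where the
// provider must stay exported.
public class NotesProvider extends ContentProvider {
    private static final String TABLE = "notes";          // assumed table name
    private static final String DB_NAME = "notes.db";     // assumed database file

    // Projection map: the only column names a caller may ask for. A requested column
    // that is not a key in this map makes SQLiteQueryBuilder throw
    // IllegalArgumentException instead of being spliced into the SELECT list.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("body", "body");
    }

    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), DB_NAME, null, 1) {
            @Override
            public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE " + TABLE
                        + " (_id INTEGER PRIMARY KEY, title TEXT, body TEXT, secret TEXT)");
            }

            @Override
            public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
                // No schema migrations in this example.
            }
        };
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP); // guards the projection (column list)
        qb.setStrict(true);                  // guards the selection (WHERE clause)
        // Caller-supplied selection and selectionArgs are passed through, but strict
        // mode verifies the clause and the "?" arguments are bound, not concatenated.
        return qb.query(helper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
    }

    // The caller's selection string is deliberately ignored for update and delete:
    // the WHERE clause is fixed by the provider and only the bound argument varies.
    private static String[] rowIdArgs(Uri uri) {
        String id = uri.getLastPathSegment();
        if (id == null) {
            throw new IllegalArgumentException("URI must identify a single row: " + uri);
        }
        return new String[] { id };
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        // Vulnerable pattern this replaces: db.update(TABLE, values, selection, selectionArgs)
        // with 'selection' taken verbatim from the calling app.
        return helper.getWritableDatabase().update(TABLE, values, "_id = ?", rowIdArgs(uri));
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        return helper.getWritableDatabase().delete(TABLE, "_id = ?", rowIdArgs(uri));
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        long rowId = helper.getWritableDatabase().insert(TABLE, null, values);
        return Uri.withAppendedPath(uri, Long.toString(rowId));
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.item/vnd.example.note"; // assumed MIME type
    }
}
```

The projection map also hides the secret column: it exists in the table but has no key in the map, so no caller can select it even though the provider is exported. If update or delete genuinely need a caller-chosen filter, keep the shape shown here: the provider composes the clause with "?" placeholders itself and the calling app supplies only the selectionArgs array.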
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.