CWE-89 | Improper Neutralization of Special Elements used in an SQL Command

[mr-africa]

Hello!

My react native android app was audited by some security company. And they have found an issue in async-storage codebase.

I'm not sure is it real problem or not. But my employer require to fix these issues.

Could you help with it please

❖ Severity Medium

❖ Description
The mobile app uses SQLite engine which is do not have built-in security to protect databases, rather, it relies on its environment such as the operating system to provide security for database content. Furthermore, the mobile app executes raw SQL query.

❖ Impact
Inclusion of input into raw SQL queries can potentially lead to a local SQL injection vulnerability in the mobile application and a malicious user and/or attacker will typically exploit vulnerabilities in this category by supplying carefully crafted inputs to the victim but the real impact of exploiting vulnerabilities of this class are most prevalent in server-side web services. Exploitable instances also exist within mobile apps, but occurrences are less common, plus the attack surface is smaller.

❖ Remediation

1. Consider encrypt sensitive data in SQLite before storage. If you prefer not to encrypt the data yourself, SQLite has an extension called “SQLCipher” that will perform encryption.

2. Consider using prepared SQL statements beyond user's control. 

▪ Example of insecure code:
      db.rawQuery("SELECT username FROM users_table WHERE id =
 '"+ input_id +"'");
 db.execSQL("SELECT username FROM users_table WHERE id =
 '"+ input_id +"'");

▪ Example of secure code
 PreparedStatement pstmt = con.prepareStatement("UPDATE
 EMPLOYEES SET SALARY = ? WHERE ID = ?");
 pstmt.setBigDecimal(1, 153833.00)
 pstmt.setInt(2, 110592)

[krizzu]

Hey @mr-africa

Like the report says, AsyncStorage on Android is using built-in SQLite, which is not encrypting data by default. There is an option use use SQLCipher, but that'd require forking AsyncStorage and doing changes on it (as we provide SQLite as is, which should not be big security concern).

Also, AsyncStorage does not let you run raw queries. Everything is abstracted away and injection is not possible.