[android-security-discuss] Not able to publish my apk. keep getting SQL Injection issues
Biswajit Das
2018-09-21 22:58:01 UTC
I am not able to publish my APK to the Google Play Store. I am getting a SQL
Injection error: "Your app(s) are using a content provider that contains a SQL
Injection vulnerability." Below is the response I have got from *Google Play
support*:

I understand you have some questions about the SslErrorHandler security vulnerability.
I took a look at your app, and it has the following class, which contains a vulnerable version of SslErrorHandler: xxxxxx/xxxxxxxx/provider/WorldClockContentProvider;->query
Here’s how you can resolve this issue:
1. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.
2. If you are using a 3rd party library that’s responsible for this, please notify the 3rd party and work with them to address the issue.

Here is my complete code snippet
<https://gitlab.com/bisasda/worldclockwidget/snippets/1755782>; the query
method is given below. Any help appreciated.



public Cursor query(Uri uri, String[] projection, String selection,
                    String[] selectionArgs, String sortOrder) {
    String table;
    SQLiteOpenHelper helper;
    int match = URI_MATCHER.match(uri);

    // Pick the table and database helper from the matched URI.
    switch (match) {
        case CLOCKS:
        case CLOCKS_ITEM:
            table = Clocks.TABLE_NAME;
            helper = getClockDbHelper();
            break;
        case CITIES:
        case CITIES_ITEM:
            table = Cities.TABLE_NAME;
            helper = getCityDbHelper();
            break;
        default:
            throw invalidUri(uri);
    }

    switch (match) {
        case CLOCKS:
        case CITIES:
            // Directory URIs: default sort order when the caller gave none.
            if (TextUtils.isEmpty(sortOrder)) {
                sortOrder = "_ID ASC";
            }
            break;
        case CITIES_ITEM:
        case CLOCKS_ITEM:
            // Item URIs: the last path segment is concatenated into the WHERE
            // clause unvalidated, and any caller-supplied selection is replaced.
            selection = "_ID = " + uri.getLastPathSegment();
            break;
        default:
            throw invalidUri(uri);
    }

    SQLiteDatabase db = helper.getReadableDatabase();

    Cursor c = db.query(table, projection, selection, selectionArgs, null, null, sortOrder);
    c.setNotificationUri(getContext().getContentResolver(), uri);
    return c;
}
--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+***@googlegroups.com.
Visit this group at https://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
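A hardened version of the posted query() method, added here as an example (it is neither the poster's code nor anything from the Android framework itself). The item branch in the original splices uri.getLastPathSegment() straight into the WHERE clause and discards the caller's selection; this version parses the id with ContentUris.parseId(), binds it through selectionArgs, and runs the query through SQLiteQueryBuilder in strict mode. URI_MATCHER, the CLOCKS/CITIES constants, the two helper getters and invalidUri() are assumed to exist as in the original; ALLOWED_COLUMNS is a hypothetical projection map of the columns the provider is willing to expose (in practice one per table).

```java
// Added example, not the poster's code; see the lead-in for assumed names.
@Override
public Cursor query(Uri uri, String[] projection, String selection,
                    String[] selectionArgs, String sortOrder) {
    int match = URI_MATCHER.match(uri);
    String table;
    SQLiteOpenHelper helper;
    switch (match) {
        case CLOCKS:
        case CLOCKS_ITEM:
            table = Clocks.TABLE_NAME;
            helper = getClockDbHelper();
            break;
        case CITIES:
        case CITIES_ITEM:
            table = Cities.TABLE_NAME;
            helper = getCityDbHelper();
            break;
        default:
            throw invalidUri(uri);
    }

    if (match == CLOCKS_ITEM || match == CITIES_ITEM) {
        // Parse the id rather than splicing the raw path segment into SQL;
        // a non-numeric segment is rejected here instead of reaching SQLite.
        long id;
        try {
            id = ContentUris.parseId(uri);
        } catch (NumberFormatException e) {
            throw invalidUri(uri);
        }
        // Keep any caller-supplied WHERE clause and AND it with a bound parameter.
        selection = DatabaseUtils.concatenateWhere(selection, BaseColumns._ID + " = ?");
        selectionArgs = DatabaseUtils.appendSelectionArgs(selectionArgs,
                new String[] { String.valueOf(id) });
    } else if (TextUtils.isEmpty(sortOrder)) {
        sortOrder = BaseColumns._ID + " ASC";
    }

    SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
    qb.setTables(table);
    qb.setStrict(true);                   // API 14+: rejects subqueries and columns outside the map
    qb.setProjectionMap(ALLOWED_COLUMNS); // hypothetical Map<String,String> of exposed columns
    Cursor c = qb.query(helper.getReadableDatabase(), projection, selection,
            selectionArgs, null, null, sortOrder);
    c.setNotificationUri(getContext().getContentResolver(), uri);
    return c;
}
```

Strict mode also causes projection columns and ORDER BY terms that are not in the map to be rejected, so the caller-controlled projection and sortOrder arguments are constrained as well, not only selection.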
'Brian Carlstrom' via Android Security Discussions
2018-09-24 05:55:22 UTC
Sounds like we need to see WorldClockContentProvider and a proceed()
method. Presumably you have some code ignoring SSL errors. Doesn't seem to
have anything to do with SQL injection errors. Perhaps see
https://stackoverflow.com/questions/35720753/android-google-play-warning-ssl-error-handler-vulnerability

-bri