Security Scan of Android App

book

Article ID: 206368

calendar_today

Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

We are currently using Crash Analytics Android SDK 18.4.0 on our Android App.  During our security scan with Veracode, we have got the following warning.   

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

http://cwe.mitre.org/data/definitions/89.html

Description

This database query contains a SQL injection flaw. The function call constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database.

Recommendations

Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

com.ca.mdo.j#a(java.lang.String, int) line 450

com.ca.android.app.CaMDONormalWebViewClient#onPageFinished line 61

 

 

Environment

Release : 1.0

Component : APM Agents

Resolution

New Code Fix released.  the original flagged error is gone in both 20.9.4 and 20.12.3 alpha versions of the SDK.