As we know, a majority of mobile apps run on HTML5 technology, and client-side storage is increasingly used for user-specific data. The impact of SQL injection is greater when the application stores data for more than one account, because a single injected query can expose every account's records. In order to demonstrate this vulnerability, we will be using the DVIA app that we downloaded, and we will install it to Genymotion by running the adb install command.
Once the app is installed, select 7. Input Validation Issues – Part 1, as shown in the following screen capture:
If you go ahead and inject the SQL injection query ' OR 1=1--, you can see that all the records inside the database are displayed, as shown in this screenshot:
This attack is a local SQL injection against SQLite, the lightweight database used on mobile devices. Attacks against WebView and local storage are categorized under the M7 - Client-Side Injection subsection of the OWASP Mobile Top 10 risks (Chapter 1, The Mobile Application Security Landscape).
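The following is an added example, not code from the book or from the app being tested: it rebuilds the local SQLite lookup in Python's sqlite3 module (standing in for the app's Android SQLite code) so you can see why the ' OR 1=1-- payload returns every row when the query is built by string concatenation, and why a bound parameter stops it. The table, column names and the two sample accounts are constructed for the demo.

```python
import sqlite3

# Constructed sample data: two local accounts, as a multi-account app would store them.
USERS = [("alice", "s3cret-a"), ("bob", "s3cret-b")]


def make_db():
    """Create an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: user input is concatenated into the SQL text.

    With name = "' OR 1=1--" the statement becomes
        SELECT user, password FROM users WHERE user = '' OR 1=1--'
    The -- turns the trailing quote into a comment and 1=1 matches every row.
    """
    sql = "SELECT user, password FROM users WHERE user = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT user, password FROM users WHERE user = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with a normal name and with the injection payload."""
    conn = make_db()
    payload = "' OR 1=1--"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, payload),  # both rows leak
        "safe_payload": lookup_safe(conn, payload),              # no match
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same fix applies on Android: pass user input through the selectionArgs of SQLiteDatabase.query() or rawQuery() instead of formatting it into the SQL string.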
If the same SQL injection attack is used...