As we have seen in the previous chapter, SQLite databases are stored by default in Android in the /data/data/[package name]/databases/ location, with a .db extension in most cases. Now, before we go deeper into SQLite vulnerabilities, we should get a clear understanding of SQLite statements and some of the basic commands.
Here, we have a basic Android application, which supports login and registration for the user, and uses SQLite in the backend. Follow these steps:
Let's run the application and analyze the databases created by it. You can download the vulnerable application from http://attify.com/lpfa/vulnsqlite.apk. The code sample used to create the database is shown in the following screenshot:
This means we have seven fields with the names id (integer), firstName (text), lastName (text), email (text), phoneNumber (text), username (text), and password (text). The tableName field...
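The following added example (not code from the original text or from the application) rebuilds a database with the seven fields listed above and audits its schema the way you would on a copy of the .db file, flagging columns that hold sensitive values as plain text. The table name users, the sample row, and the SENSITIVE name list are assumptions made for illustration.

```python
import sqlite3

# Constructed sample: the page's seven columns; the table name "users" is an
# assumption, because the page's own value for tableName is not shown.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    firstName TEXT, lastName TEXT, email TEXT,
    phoneNumber TEXT, username TEXT, password TEXT
)"""

# Column-name fragments that usually mean sensitive data (hypothetical list).
SENSITIVE = ("pass", "pwd", "secret", "token", "email", "phone")


def build_sample_db():
    """Create an in-memory database shaped like the application's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO users (firstName, lastName, email, phoneNumber, username, password) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        ("Test", "User", "test@example.com", "5550100", "testuser", "constructed-pw"),
    )
    conn.commit()
    return conn


def audit_schema(conn):
    """Return {table: [(column, declared_type, looks_sensitive), ...]}."""
    report = {}
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        quoted = '"' + table.replace('"', '""') + '"'  # identifiers cannot be bound
        cols = conn.execute(f"PRAGMA table_info({quoted})").fetchall()
        report[table] = [
            (name, ctype.upper(), any(s in name.lower() for s in SENSITIVE))
            for _cid, name, ctype, *_rest in cols
        ]
    return report


if __name__ == "__main__":
    for table, cols in audit_schema(build_sample_db()).items():
        for name, ctype, flag in cols:
            print(f"{table}.{name:<12} {ctype:<8} {'REVIEW: sensitive' if flag else ''}")
```

To audit a real copy, pass audit_schema a connection opened with sqlite3.connect on the pulled file instead of the in-memory sample.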