
sarahk
Code is Art
Posts: 159
Reg: Jul 16, 2014
Auckland
09/04/18 03:15 PM (5 years ago)

Play Store: SQL Injection Warning

Not quite a rejection but this has come through about my latest app:

--------------------------------------------
SQL Injection
Your app(s) are using a content provider that contains a SQL Injection vulnerability.
--------------------------------------------

I can see that BT_contentProvider uses a SQLiteDatabase - BT_database - and that class extends SQLiteOpenHelper. Is this notice telling us that SQLiteOpenHelper needs to be replaced? Or that we're using it wrongly?

I'm happy to use prepared statements instead, I just don't have an understanding of where they're meant to be and what they're really doing. The only thing being saved is the config file afaik.

Has anyone else had this warning and what have you done to resolve the problem?
 
tompos
Veteran developer
Posts: 127
Reg: Oct 19, 2013
Würzburg
7,370
09/09/18 03:02 AM (5 years ago)
Hi Sarah,

I just received the same warning/rejection for a newly uploaded Android app. I made the same research steps... and don't want to dive too much into the SQL sources (at least in this aspect that I don't understand too much).

My question: did you follow the link that was given in the rejection notice (https://support.google.com/faqs/answer/7668308)? Here, they propose to set android:exported="false" in Manifest.xml if the app does not allow other apps to use the ContentProvider externally. That might be an easy way to solve the problem.

But as far as I can see, this issue should show up for _all_ Buzztouch Android apps. So it might be the right time to shout a "Houston, we have a problem" message to the BT headquarters. Anyone listening?

Best wishes
Thomas
 
tompos
Veteran developer
Posts: 127
Reg: Oct 19, 2013
Würzburg
7,370
09/19/18 04:05 AM (5 years ago)
Just an update... Setting android:exported="false" did the trick. The app is live and the warning has disappeared.

Thomas
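An added example, not Buzztouch code (the ConfigProvider class, its authority, table and ConfigDbHelper are hypothetical), showing what Sarah asked about: a provider query() that hands caller input to SQLite only as bound selectionArgs, so the query is parameterised whether or not the manifest change Thomas used is also applied.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;

// Hypothetical read-only provider (not Buzztouch's BT_contentProvider); the authority,
// table and column names and ConfigDbHelper are made up for this example.
public class ConfigProvider extends ContentProvider {
    static final String AUTHORITY = "com.example.app.provider", TABLE = "config";
    static final int CONFIG = 1, CONFIG_ID = 2;
    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    static {
        MATCHER.addURI(AUTHORITY, "config", CONFIG);      // all rows
        MATCHER.addURI(AUTHORITY, "config/#", CONFIG_ID); // one row by numeric id
    }
    private SQLiteOpenHelper helper; // the app's own SQLiteOpenHelper subclass
    @Override public boolean onCreate() { helper = new ConfigDbHelper(getContext()); return true; }
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setStrict(true); // API 14+: verifies caller-supplied selection text before it runs
        switch (MATCHER.match(uri)) {
            case CONFIG: break;
            case CONFIG_ID:
                // Bind the id from the URI as a '?' parameter instead of concatenating it.
                // appendWhere() text precedes the caller's selection in the WHERE clause,
                // so its argument must come first in selectionArgs.
                qb.appendWhere("_id = ?");
                String[] args = new String[(selectionArgs == null ? 0 : selectionArgs.length) + 1];
                args[0] = uri.getLastPathSegment();
                if (args.length > 1) System.arraycopy(selectionArgs, 0, args, 1, args.length - 1);
                selectionArgs = args;
                break;
            default: throw new IllegalArgumentException("Unknown URI " + uri);
        }
        // Caller values reach SQLite only through selectionArgs, never inside the SQL string.
        return qb.query(helper.getReadableDatabase(), projection, selection,
                        selectionArgs, null, null, sortOrder);
    }
    @Override public String getType(Uri uri) { return null; } // MIME types omitted for brevity
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException("read-only"); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException("read-only"); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException("read-only"); }
}
```

The manifest side of Thomas's fix is `android:exported="false"` on the `<provider>` element, which keeps other apps from reaching the provider at all; the parameterised query above guards the same code path if the provider ever does need to be exported.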
 
