Discussion Forums  >  App Store Rejections

Replies: 2    Views: 49

sarahk
Code is Art
Profile
Posts: 153
Reg: Jul 16, 2014
Auckland
10,230
09/04/18 03:15 PM (2 weeks ago)

Play Store: SQL Injection Warning

Not quite a rejection but this has come through about my latest app

--------------------------------------------
SQL Injection
Your app(s) are using a content provider that contains a SQL Injection vulnerability.
--------------------------------------------

I can see that BT_contentProvider uses a SqlliteDatabase - BT_database and that class extends SQLiteOpenHelper

Is this notice telling us that SQLiteOpenHelper needs to be replaced?
or that we're using it wrongly?

I'm happy to use prepared statements instead, I just don't have an understanding of where they're meant to be and what they're really doing. The only thing being saved is the config file afaik.

Has anyone else had this warning and what have you done to resolve the problem?
 
tompos
Veteran developer
Profile
Posts: 95
Reg: Oct 19, 2013
Würzburg
7,050
like
09/09/18 03:02 AM (1 week ago)
Hi Sarah,

I just received the same warning/rejection for a newly uploaded Android app. I made the same research steps... and don't want to dive too much into the SQL sources (at least in this aspect that I dont understand too much).

My question: Did you follow the link that was given in the rejection notice (https://support.google.com/faqs/answer/7668308). Here, they propose to set android:exported="false" in Manifest.xml if the app does not allow other apps to use the ContentProvider externally. That might be an easy way to solve the problem.

But as far as I can see, this issue should show up for _all_ Buzztouch Android apps. So it might be the right time to shout a "Houston, we have a problem" message to the BT headquarters. Anyone listening?

Best wishes
Thomas
 
tompos
Veteran developer
Profile
Posts: 95
Reg: Oct 19, 2013
Würzburg
7,050
like
09/19/18 04:05 AM (3 days ago)
Just an update...

Setting android:exported="false" did the trick. The app is life and the warning has disappeared.

Thomas
 

Login + Screen Name Required to Post

pointerLogin to participate so you can start earning points. Once you're logged in (and have a screen name entered in your profile), you can subscribe to topics, follow users, and start learning how to make apps like the pros.