I was just wondering how I could check my client's Android application for SQL injection or other similar kinds of bugs.
I mean, if it's an application, where should I write the queries? If through ADB, then how?
SQL injection requires that some part of the application can take input and be persuaded to pass it to a database as SQL commands, so testing all input fields with your SQL test strings is key.
John S's question on how to test for SQL injection on input fields is relevant whether those fields are in an application or on a website.
Check out the DB browser app; depending on the nature of the SQLite DB in the app, you can manually connect to the DB and insert your own queries into it. For XSS, that by definition requires user input, so just test as normal, right?
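What the answers above describe (input-field text reaching the database as SQL), shown against SQLite as an added example that is not part of the original thread. Python's `sqlite3` module stands in for the app's SQLite layer, and the table, data and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for an app's local SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)",
                   [("alice", "buy milk"), ("bob", "bob's secret")])
    return db

def notes_concat(db, owner):
    # Vulnerable pattern: input-field text is spliced into the SQL string.
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]

def notes_bound(db, owner):
    # Hardened pattern: the text is bound as a parameter and stays data.
    # (On Android the same idea is the selectionArgs array of rawQuery/query.)
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in db.execute(sql, (owner,))]

def check_field(lookup, db):
    """Report how a lookup function treats quote characters in its input."""
    findings = []
    # Probe 1: a lone quote. If it reaches the SQL text, the statement breaks.
    try:
        lookup(db, "'")
    except sqlite3.OperationalError:
        findings.append("SQL error on single quote")
    # Probe 2: an owner that does not exist, followed by a tautology.
    # Any row coming back means the input was parsed as SQL, not as a value.
    try:
        if lookup(db, "nobody' OR '1'='1"):
            findings.append("rows returned for unknown owner")
    except sqlite3.OperationalError:
        findings.append("SQL error on tautology probe")
    return findings

if __name__ == "__main__":
    for fn in (notes_concat, notes_bound):
        print(fn.__name__, check_field(fn, make_db()))
```

The same two probes typed into an app's input fields give the same signals: an unexpected error or crash on a lone quote, or results that ignore the filter.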