Preventing SQLi attacks on your iPhone?

I always take precautions regarding SQL injection attacks when data is stored between someone on the iPhone and a remote database in the cloud.

But is it also necessary to do the same ... when you just save data (using SQLite) from someone on a cell phone to a database that is only on their own phone?

The worst they can do? Delete their own data (or tables) on their own phone? (If they really try hard.)

Thanks.

+4

3 answers
  • Is it necessary? - Yes, it's "necessary", that is, probably worth it. Even if in this context you do not care about security (which may be fair), you must worry about correctness (if only out of pride).

  • What could be the worst?

    • User #1, Patty O'Brian, enters her name into the field, it is translated into the SQL call, and it fails. The program either does not handle this, or the user receives an ambiguous error message about why it failed.
    • User #2 enters a name that changes the SQL call, and it succeeds! The program is now in an unknown state.

    In either case, the user now contacts support and eats up time and energy (user #2 never admits what they did, which makes debugging even more difficult) and/or demands their money back.

+2

Yes, it is necessary, IMHO.

  • Most injection attacks are prevented by correctness
    SQL placeholders and bound variables, for example, handle both unexpected ordinary input (for example, the innocent apostrophe in "5 o'clock") and malicious input (for example, "' OR 1=1 --").
    So, be careful about data handling and you won't need to worry about most injections.

  • Injections can undermine application logic
    SQLite has triggers, I think, but in any case the application can make decisions based on data read from the local db, touching other facets of the environment, etc. If the application is not complex enough for this today, tomorrow's revision will be.

  • Someone other than the authorized user may be using (attacking through) the phone
    True, this is a common risk, for example, for a desktop computer that is logged in to StackOverflow. However, I believe smartphone applications are more at risk from unintended operators: many phones do not have a passcode, many applications do not require frequent re-authentication, and users freely hand their phones to anyone who just needs to make a quick call.

+1
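The placeholder point from the answer above, shown as an added example that is not part of the original post: the same SQLite lookup built by string concatenation and by a bound parameter, run against the two inputs the answer names. The contacts table and its rows are constructed here for the demonstration; Python's standard sqlite3 module stands in for the iPhone's SQLite.

```python
import sqlite3


def make_db():
    """Constructed in-memory contacts table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO contacts (name, phone) VALUES (?, ?)",
        [("Patty O'Brian", "555-0100"), ("Sam Lee", "555-0101")],
    )
    return conn


def lookup_concat(conn, name):
    """Builds the query by concatenation: the input is parsed as SQL."""
    sql = "SELECT name FROM contacts WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Uses a ? placeholder: the input stays data whatever it contains."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM contacts WHERE name = ?", (name,))]


def demo(name):
    """Return (concatenated result, bound result); each is ('rows', list) or ('error', msg)."""
    conn = make_db()
    try:
        concat = ("rows", lookup_concat(conn, name))
    except sqlite3.Error as exc:  # the apostrophe case breaks the statement
        concat = ("error", str(exc))
    bound = ("rows", lookup_bound(conn, name))
    conn.close()
    return concat, bound


if __name__ == "__main__":
    # Ordinary input with an apostrophe: concatenation errors, placeholder finds the row.
    # Malicious input: concatenation returns every row, placeholder matches nothing.
    for candidate in ["Patty O'Brian", "' OR 1=1 --"]:
        print(repr(candidate), demo(candidate))
```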

If you are syncing an iPhone database with a remote database, do not trust the content. Database injection does not require SQL injection. A jailbroken iPhone gives the user full access to the entire file system, which includes the SQLite database file, so it can be changed however the attacker wants. This is not SQL injection, it is a client-side vulnerability.

SQL injection under SQLite is useful to an attacker. Unlike MySQL, SQLite allows you to stack queries, so an attacker can always create/delete/insert/update/delete/select/etc. no matter which query is affected by SQL injection. In MySQL, it is common to use subselects or joins to select specific data, but, for example, you cannot turn a select statement into an insert under normal conditions.

0

Source: https://habr.com/ru/post/1307084/
