Abstract
In this paper we present a systematic study of the SQLite databases used by Android apps. These databases are private to the app by default: they reside in the app's internal storage, which neither the device user nor other apps can normally read. Because developers treat the database as unreachable from outside the app, they pay little attention to its security settings, and the stored data is exposed to any attacker or malware author who does reach the file, enabling data theft, tampering and similar attacks. This paper reveals two such vulnerabilities in the SQLite databases of Android apps, storage of sensitive data in plaintext and a weakness in data synchronization, and demonstrates attacks that exploit them. To assess how widespread these vulnerabilities are, we analysed 18 popular Android apps from several categories by modelling their SQLite databases. The study also gives developers guidance on choosing stronger security settings during app development and, after a detailed assessment of the risks involved in using these databases, proposes preliminary mitigation strategies.
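The plaintext-storage vulnerability named above, illustrated by an added example that is not part of the paper: a small Python scanner of the kind a tester would run over a database pulled from a device, together with the vulnerable and hardened schemas it is run against. The table and column names, the sample rows, the keyword list and the "opaque value" heuristic are all constructed for this illustration and are assumptions, not the authors' method; the synchronization weakness is not illustrated because the abstract gives no detail of it.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Column names that commonly hold secrets or personal data.
# Assumption: this keyword list is a heuristic for the example, not from the paper.
SENSITIVE_NAME_RE = re.compile(
    r"pass(word|wd)?|pwd|secret|token|session|auth|cookie|api_?key|"
    r"email|phone|ssn|card|pin",
    re.IGNORECASE,
)
# Values that look like a hash or ciphertext rather than readable data.
HEX_RE = re.compile(r"^[0-9a-f]{32,}$", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
PBKDF2_ITERATIONS = 200_000
# Constructed sample bearer token (JWT-shaped); not a real credential.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"


def looks_protected(value):
    """Heuristic: BLOBs and long hex/base64 strings are treated as hashed or
    encrypted.  A random opaque token also passes, so 'opaque' hits still need
    manual triage; only 'cleartext' hits are definite findings."""
    if isinstance(value, (bytes, bytearray)):
        return True
    return isinstance(value, str) and bool(HEX_RE.match(value) or B64_RE.match(value))


def _q(identifier):
    """Quote an SQLite identifier so odd table/column names cannot break the query."""
    return '"' + identifier.replace('"', '""') + '"'


def scan_sensitive_columns(conn):
    """Walk every user table of an SQLite database (e.g. one pulled from the app's
    private databases/ directory) and report each value found in a column whose
    name suggests sensitive data, classified as 'cleartext' or 'opaque'."""
    findings = []
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in cur.execute(f"PRAGMA table_info({_q(table)})")]
        for col in columns:
            if not SENSITIVE_NAME_RE.search(col):
                continue
            query = f"SELECT {_q(col)} FROM {_q(table)} WHERE {_q(col)} IS NOT NULL"
            for (value,) in cur.execute(query):
                findings.append({
                    "table": table, "column": col,
                    "status": "opaque" if looks_protected(value) else "cleartext",
                    "sample": value if isinstance(value, str) else "<blob>",
                })
    return findings


def cleartext_findings(conn):
    return [f for f in scan_sensitive_columns(conn) if f["status"] == "cleartext"]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt || digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return (salt + digest).hex()


def verify_password(stored_hex, password):
    raw = bytes.fromhex(stored_hex)
    salt, digest = raw[:16], raw[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_vulnerable_db():
    """The pattern the paper warns about: a credential and a session token kept as
    readable text in the app's private database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
        CREATE TABLE session (id INTEGER PRIMARY KEY, auth_token TEXT, last_sync INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'hunter2', 'alice@example.com');
    """)
    conn.execute("INSERT INTO session VALUES (1, ?, 0)", (SAMPLE_JWT,))
    return conn


def build_hardened_db(password="hunter2"):
    """Same app, hardened: the password is only ever compared, so only a salted hash
    is stored; the bearer token is not written to SQLite at all (on Android it belongs
    in AccountManager or a Keystore-protected store).  The e-mail address still has to
    be read back, so it remains a finding until it is encrypted under a Keystore key."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
        CREATE TABLE session (id INTEGER PRIMARY KEY, last_sync INTEGER);
        INSERT INTO session VALUES (1, 0);
    """)
    conn.execute("INSERT INTO users VALUES (1, 'alice', ?, 'alice@example.com')",
                 (hash_password(password),))
    return conn


def stored_password_hash(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for label, db in (("vulnerable", build_vulnerable_db()), ("hardened", build_hardened_db())):
        print(label)
        for f in scan_sensitive_columns(db):
            print(f"  {f['status']:9} {f['table']}.{f['column']}: {f['sample'][:40]}")
```

Run against the vulnerable schema the scanner flags the password, the e-mail address and the token as cleartext; against the hardened schema only the e-mail address remains, which is the residual decision a developer has to make explicitly (encrypt it, or do not store it). The hex/base64 heuristic is deliberately conservative: a long random token stored in the clear is reported as "opaque", not missed, so every hit in a sensitive-looking column should be looked at by hand.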
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Jain, V., Gaur, M.S., Laxmi, V., Mosbah, M. (2016). Detection of SQLite Database Vulnerabilities in Android Apps. In: Ray, I., Gaur, M., Conti, M., Sanghi, D., Kamakoti, V. (eds) Information Systems Security. ICISS 2016. Lecture Notes in Computer Science(), vol 10063. Springer, Cham. https://doi.org/10.1007/978-3-319-49806-5_31
DOI: https://doi.org/10.1007/978-3-319-49806-5_31
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49805-8
Online ISBN: 978-3-319-49806-5
eBook Packages: Computer Science (R0)