Skip to main content
SpringerLink
Log in

Detection of SQLite Database Vulnerabilities in Android Apps

  • Conference paper
  • First Online:
Information Systems Security (ICISS 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10063))

Included in the following conference series:

Abstract

In this paper, we conduct a thorough study to analyze SQLite databases in android apps. These databases are inherently private and reside in the internal memory of an android device (restricting the access to users and other apps). Considering the SQLite database safe from external access i.e. users or other apps, developers pay less attention towards their security settings. This exposes them to vulnerabilities which may be utilized by attackers or malware writers to launch attacks such as stealing of data, tampering, etc. This paper reveals two such vulnerabilities detected in SQLite databases of android apps - storing sensitive data in plain-text and synchronization. This paper attempts to expose vulnerabilities of SQLite databases in android apps through demonstrating attacks. To evaluate the ubiquity of these vulnerabilities, we conducted the analysis of 18 popular android apps belonging to various categories by modeling the SQLite database of these apps. This study also contributes to the enhancement of future app development process by providing an insight to the developers regarding the deployment of better security settings. After a detailed assessment of risks involved in using databases, we also propose preliminary mitigation strategies.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. CWE-312: Cleartext Storage of Sensitive Information. https://cwe.mitre.org/data/definitions/312.html. Accessed 23 Jan 2016

  2. Storage Options. https://developer.android.com/guide/topics/data/data-storage.html. Accessed 1 Mar 2016

  3. Application Threat Modeling. https://www.owasp.org/index.php/Application_Threat_Modeling. Accessed 4 Mar 2016

  4. OWASP Mobile Checklist Final 2016. https://drive.google.com/file/d/0BxOPagp1jPHWYmg3Y3BfLVhMcmc/view. Accessed 02 Mar 2016

  5. McCormick, Z., Schmidt, D.C.: Data synchronization patterns in mobile application design. In: Proceedings of the 19th Conference on Pattern Languages of Programs, p. 12. The Hillside Group (2012)

    Google Scholar 

  6. Transferring Data Using Sync Adapters. https://developer.android.com/training/sync-adapters/index.html. Accessed 28 Dec 2015

  7. Jain, V., Sahu, D.R., Tomar, D.S.: Session hijacking: threat analysis and countermeasures

    Google Scholar 

  8. A tool for reverse engineering Android apk files. https://ibotpeaches.github.io/Apktool/. Accessed 10 Jan 2016

  9. dex2jar. https://github.com/pxb1988/dex2jar. Accessed 11 Feb 2016

  10. Threat Risk Modeling. https://www.owasp.org/index.php/Threat_Risk_Modeling. Accessed 14 Apr 2016

  11. OWASP Risk Rating Methodology. https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology. Accessed 25 Apr 2016

  12. LINE: Free Calls Messages. https://play.google.com/store/apps/details?id=jp.naver.line.android&hl=en. Accessed 11 Feb 2016

  13. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, pp. 239–252. ACM (2011)

    Google Scholar 

  14. Enck, W., Ongtang, M., McDaniel, P.: Understanding android security. IEEE Secur. Priv. 1, 50–57 (2009)

    Article  Google Scholar 

  15. Li, L., Bartel, A., Bissyande, T., Klein, J., Le Traon, Y., Arzt, S., Rasthofer, S., Bodden, E., Octeau, D., McDaniel, P.: Iccta: detecting inter-component privacy leaks in android apps. In: IEEE/ACM 37th IEEE International Conference on Software Engineering (ICSE) (2015)

    Google Scholar 

  16. Lu, K., Li, Z., Kemerlis, V.P., Wu, Z., Lu, L., Zheng, C., Qian, Z., Lee, W., Jiang, G.: Checking more, alerting less: detecting privacy leakages via enhanced data-flow analysis and peer voting. In: NDSS (2015)

    Google Scholar 

  17. Jiang, Y.Z.X.: Detecting passive content leaks and pollution in android applications. In: Proceedings of the 20th Network and Distributed System Security Symposium (NDSS) (2013)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Malaviya National Institute of Technology, Jaipur, India

    Vineeta Jain, M. S. Gaur & Vijay Laxmi

  2. LaBRI, CNRS, Bordeaux INP, University of Bordeaux, Talence, France

    Mohamed Mosbah

Authors
  1. Vineeta Jain
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. M. S. Gaur
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vijay Laxmi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mohamed Mosbah
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Vineeta Jain .

Editor information

Editors and Affiliations

  1. Colorado State University, Fort Collins, Colorado, USA

    Indrajit Ray

  2. Malaviya National Institute of Technology, Jaipur, India

    Manoj Singh Gaur

  3. University of Padua, Padua, Italy

    Mauro Conti

  4. IIIT Delhi, Delhi, India

    Dheeraj Sanghi

  5. IIT Madras, Madras, India

    V. Kamakoti

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Jain, V., Gaur, M.S., Laxmi, V., Mosbah, M. (2016). Detection of SQLite Database Vulnerabilities in Android Apps. In: Ray, I., Gaur, M., Conti, M., Sanghi, D., Kamakoti, V. (eds) Information Systems Security. ICISS 2016. Lecture Notes in Computer Science(), vol 10063. Springer, Cham. https://doi.org/10.1007/978-3-319-49806-5_31

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-49806-5_31

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49805-8

  • Online ISBN: 978-3-319-49806-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation