- https://github.com/OWASP/MSTG-Hacking-Playground/wiki/Android-App#omtg_coding_003_sql_injection
- https://github.com/OWASP/MSTG-Hacking-Playground/tree/master/Android/MSTG-Android-Java-App/app
The intent here is to show that SQL injection is also possible locally on an Android device. Even if the risk is only local to the device itself, prepared statements should always be used to mitigate SQL injection.
Secure code with prepared statements
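The following is an added example, not code from the MSTG Hacking Playground app: it puts a string-concatenated login query beside its prepared-statement form against the same SQLite engine Android uses. Python's `sqlite3` module stands in for Android's `SQLiteDatabase` (where the bound form is `rawQuery(sql, selectionArgs)`); the table layout, function names and sample accounts are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data in an in-memory SQLite DB.
    Passwords are plain text only to keep the sample short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret-sample"), ("o'brien", "pw-sample")])
    return db

def login_concatenated(db, username, password):
    """Weak form: user input becomes part of the SQL text itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a stray quote in the input broke the statement

def login_prepared(db, username, password):
    """Hardened form: the statement text is fixed, input is bound as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input containing SQL metacharacters
    for name, fn in (("concatenated", login_concatenated),
                     ("prepared", login_prepared)):
        print(name,
              "| valid:", fn(db, "admin", "s3cret-sample"),
              "| wrong:", fn(db, "admin", "nope"),
              "| crafted:", fn(db, "admin", crafted),
              "| quoted name:", fn(db, "o'brien", "pw-sample"))
```

The concatenated form accepts the crafted password because the quote characters change the `WHERE` clause, and it also rejects a legitimate user whose name contains an apostrophe; the prepared form gets both cases right.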
Bypass the login
Tools used