Transmission of sensitive information in SQL query parameters

INFO
Detection method: DAST | SQL

Description

The application passes sensitive data (for example a password or a token) as parameters of the SQL queries it sends to its local database. At runtime these queries can be intercepted with dynamic instrumentation frameworks such as Frida or Xposed. Interception of SQL queries is not treated as a vulnerability when the application detects instrumentation frameworks (Frida, Xposed and similar), checks for root access, and the database holding the sensitive data is encrypted with a strong password (for example with SQLCipher).

Mobix records the intercepted parameter values and searches for the same values in the other data collected during the scan.

Recommendations

To protect against runtime interception of passwords, the application should detect dynamic instrumentation and root access. One good option is the DetectFrida and DetectMagiskHide libraries. Both implement their checks in native code, which makes them considerably harder to analyse and patch than checks written in Java or Kotlin. Such checks raise the bar for an attacker but cannot stop a determined one who fully controls the device, so they should complement, not replace, encrypting the database that stores the sensitive data.
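The following is an added example, not code from the DetectFrida or DetectMagiskHide projects, showing the kind of native (NDK) checks the recommendation refers to: scanning /proc/self/maps for loaded Frida components, scanning thread names under /proc/self/task for the threads Frida creates, and a generic root check for a su binary. The indicator strings, the su paths and the sample maps listings are assumptions constructed for the example; they are not taken from a real device and Frida builds can change or rename them.

```c
/* Added example: native instrumentation and root checks (not DetectFrida code).
 * Assumes a Linux /proc layout as on Android. Indicator lists are assumptions. */
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Substrings that appear in /proc/self/maps when Frida's agent or injector is
 * loaded into the process (assumed list; attackers can rename these). */
static const char *const MAPS_INDICATORS[] = { "frida", "linjector", NULL };

/* Thread names Frida creates inside an instrumented process (assumed list). */
static const char *const THREAD_INDICATORS[] = { "gmain", "gum-js-loop", "pool-frida", NULL };

/* Well-known su locations. This is a generic root check, not the
 * MagiskHide-specific technique used by DetectMagiskHide. */
static const char *const SU_PATHS[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/data/local/tmp/su", NULL };

/* Constructed sample listings in /proc/self/maps format (not captured from a device). */
static const char SAMPLE_CLEAN[] =
    "7f1a2b000000-7f1a2b021000 r-xp 00000000 fd:01 1234 /system/lib64/libc.so\n"
    "7f1a2c000000-7f1a2c100000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n";
static const char SAMPLE_HOOKED[] =
    "7f1a2b000000-7f1a2b021000 r-xp 00000000 fd:01 1234 /system/lib64/libc.so\n"
    "7f1a2d000000-7f1a2d800000 r-xp 00000000 fd:01 5678 /data/local/tmp/re.frida.server/frida-agent-64.so\n"
    "7f1a2e000000-7f1a2e001000 rw-p 00000000 00:00 0 /dev/linjector-xyz\n";

/* Counts the lines of a maps listing that contain any indicator substring. */
int maps_text_suspicious_lines(const char *maps_text)
{
    int hits = 0;
    const char *line = maps_text;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        for (int i = 0; MAPS_INDICATORS[i]; i++) {
            if (strstr(buf, MAPS_INDICATORS[i])) { hits++; break; }
        }
        line = end ? end + 1 : NULL;
    }
    return hits;
}

/* Returns 1 if a thread name (as read from /proc/self/task/<tid>/comm) is on the list. */
int thread_name_suspicious(const char *comm)
{
    char name[64];
    strncpy(name, comm, sizeof name - 1);
    name[sizeof name - 1] = '\0';
    name[strcspn(name, "\n")] = '\0';   /* comm ends with a newline */
    for (int i = 0; THREAD_INDICATORS[i]; i++)
        if (strcmp(name, THREAD_INDICATORS[i]) == 0) return 1;
    return 0;
}

/* Scans this process's own maps; returns the hit count or -1 if /proc is unreadable. */
int scan_self_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    int hits = 0;
    char buf[512];
    while (fgets(buf, sizeof buf, f))
        hits += maps_text_suspicious_lines(buf);
    fclose(f);
    return hits;
}

/* Walks /proc/self/task and counts threads with Frida-like names; -1 on error. */
int scan_self_threads(void)
{
    DIR *d = opendir("/proc/self/task");
    if (!d) return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d))) {
        if (e->d_name[0] == '.') continue;
        char path[256], comm[64];
        snprintf(path, sizeof path, "/proc/self/task/%s/comm", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        if (fgets(comm, sizeof comm, f) && thread_name_suspicious(comm)) hits++;
        fclose(f);
    }
    closedir(d);
    return hits;
}

/* Returns 1 if a su binary exists at any of the well-known paths. */
int su_binary_present(void)
{
    for (int i = 0; SU_PATHS[i]; i++)
        if (access(SU_PATHS[i], F_OK) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("sample clean: %d hits, sample hooked: %d hits\n",
           maps_text_suspicious_lines(SAMPLE_CLEAN), maps_text_suspicious_lines(SAMPLE_HOOKED));
    printf("this process: maps=%d threads=%d su=%d\n",
           scan_self_maps(), scan_self_threads(), su_binary_present());
    return 0;
}
```

In an app these functions would be called through JNI at startup and again before sensitive operations, and the reaction (for example refusing to open or decrypt the database) should also live in native code so that a Java-level hook cannot simply flip the result. Substring lists like the ones above are easy to evade by renaming, which is why the linked DetectFrida write-up also describes stronger checks such as comparing the in-memory text section of libc against its on-disk copy to catch inline hooks.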

Links

1. https://github.com/sqlcipher/android-database-sqlcipher
2. https://github.com/darvincisec/DetectMagiskHide
3. https://github.com/darvincisec/DetectFrida
4. https://darvincitech.wordpress.com/2019/12/23/detect-frida-for-android/
5. https://darvincitech.wordpress.com/2019/11/04/detecting-magisk-hide/
6. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#sqlite-databases-encrypted