domogik / domodroid

Android client for Domogik

SQL injection security #165

Closed tikismoke closed 6 years ago

tikismoke commented 6 years ago

Hello Google Play Developer,

The apps listed at the end of this email have a SQL Injection issue which can allow a malicious app to access affected database contents.

What's happening

One or more of your apps contain a SQL Injection vulnerability that must be fixed. Please refer to the notice on your Play Console for the deadline to fix this vulnerability. After this deadline, updates to affected apps will be blocked if the vulnerability is still present. Your published APK version will remain unaffected.

Action required

Implementations of query, update, and delete in exported ContentProviders can be vulnerable to SQL Injection if they pass unsanitized inputs to SQL statements. A malicious app can supply a crafted input to access private data or corrupt database contents. You can fix this problem in the following ways:

If an affected ContentProvider does not need to be exposed to other apps:

You can modify the tag of the affected ContentProvider in your Manifest to set android:exported="false". This will prevent other apps from sending Intents to the affected ContentProvider.

You can also set the android:permission attribute to be a permission with android:protectionLevel="signature" to prevent apps written by other developers from sending Intents to the affected ContentProvider.

If an affected ContentProvider needs to be exposed to other apps:

You can prevent SQL Injection into SQLiteDatabase.query by using SQLiteQueryBuilder.query in strictmode with a projection map. Strict mode protects against malicious selection clauses and projection map protects against malicious projection clauses. You must use both of these features to ensure that your queries are safe.

You can prevent SQL Injection into SQLiteDatabase.update and SQLiteDatabase.delete by using a selection clause that uses "?" as a replaceable parameter and a separate array of selection arguments. Your selection clause should not be constructed from untrusted inputs.

Next steps

Update your app using the steps highlighted above.

Sign in to your Play Console and submit the updated version of your app.

Check back after five hours. We'll show a warning message if the app hasn't been updated correctly.

We're here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag "android-security." For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Affected app(s)

Affected app(s) and version(s) are listed below, up to 20. You can sign in to the Play Console to view a full list of all affected apps and to find the relevant classes in your apps that contain the vulnerability.

org.domogik.domodroid   12
org.domogik.domodroid13   33
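The notice quoted above describes two mitigations for an exported ContentProvider: `SQLiteQueryBuilder` in strict mode with a projection map for `query`, and a fixed selection clause with `?` placeholders plus a separate argument array for `update` and `delete`. The following is an added example written for this issue; it is not code from the domodroid project, and the authority `org.example.hypothetical.provider`, the `items` table and its columns, and the class names are assumptions chosen for illustration.

```java
// Added example, not domodroid code: a ContentProvider whose query/update/delete
// follow the mitigations in the Google Play notice. Table, columns and authority
// are assumptions for this example.
package org.example.hypothetical;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

public class SafeItemsProvider extends ContentProvider {
    private static final String AUTHORITY = "org.example.hypothetical.provider"; // assumed
    private static final String TABLE = "items";                                 // assumed
    private static final int ITEMS = 1;      // content://AUTHORITY/items
    private static final int ITEM_ID = 2;    // content://AUTHORITY/items/<row id>
    private static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    // Projection map: the only column names a caller may name in its projection.
    // Anything not in this map makes SQLiteQueryBuilder throw instead of querying.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        MATCHER.addURI(AUTHORITY, "items", ITEMS);
        MATCHER.addURI(AUTHORITY, "items/#", ITEM_ID);
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("name", "name");
        PROJECTION_MAP.put("value", "value");
    }
    private SQLiteOpenHelper helper;

    @Override public boolean onCreate() { helper = new ItemsDbHelper(getContext()); return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        if (MATCHER.match(uri) != ITEMS) throw new IllegalArgumentException("Unknown URI " + uri);
        // sortOrder is not covered by strict mode; accept only a known column name.
        if (sortOrder != null && !PROJECTION_MAP.containsKey(sortOrder)) {
            throw new IllegalArgumentException("Unsupported sort order");
        }
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP); // guards the projection clause
        qb.setStrict(true);                  // guards the caller-supplied selection clause
        SQLiteDatabase db = helper.getReadableDatabase();
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        // The caller's selection string is ignored; the WHERE clause is a fixed
        // template and the row id from the URI is bound as a "?" argument.
        if (MATCHER.match(uri) != ITEM_ID) throw new IllegalArgumentException("Unknown URI " + uri);
        String[] args = { uri.getLastPathSegment() };
        return helper.getWritableDatabase().update(TABLE, values, "_id = ?", args);
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        if (MATCHER.match(uri) != ITEM_ID) throw new IllegalArgumentException("Unknown URI " + uri);
        String[] args = { uri.getLastPathSegment() };
        return helper.getWritableDatabase().delete(TABLE, "_id = ?", args);
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        if (MATCHER.match(uri) != ITEMS) throw new IllegalArgumentException("Unknown URI " + uri);
        long id = helper.getWritableDatabase().insertOrThrow(TABLE, null, values);
        return Uri.withAppendedPath(uri, Long.toString(id));
    }

    @Override public String getType(Uri uri) {
        return MATCHER.match(uri) == ITEM_ID
                ? "vnd.android.cursor.item/vnd.example.item"
                : "vnd.android.cursor.dir/vnd.example.item";
    }

    /** Minimal schema helper; the schema is an assumption for this example. */
    private static class ItemsDbHelper extends SQLiteOpenHelper {
        ItemsDbHelper(Context ctx) { super(ctx, "items.db", null, 1); }
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE items (_id INTEGER PRIMARY KEY, name TEXT, value TEXT)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { }
    }
}
```

If the provider does not actually need to serve other apps, the simpler fix from the notice applies instead: declare it with `android:exported="false"` in the manifest, or guard it with an `android:permission` whose `android:protectionLevel` is `signature`, so only apps signed with the same key can reach it. The code above matters only for a provider that must stay exported.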