forcedotcom / SalesforceMobileSDK-iOS

iOS SDK for Salesforce

DAST Review: SOQL query exposed in a Request #3718

Closed StarrySite closed 4 months ago

StarrySite commented 4 months ago

Please fill out the following details:

  1. Version of Mobile SDK Used: 11.1.0
  2. Issue found in Native App or Hybrid App: Native
  3. OS Version: All iOS
  4. Device: All type of iPhone devices
  5. Steps to reproduce: Sending SOQL web service request to Salesforce
  6. Actual behavior: The application leaks information like the SQL query and Ajax debug shell path.
  7. Expected Behavior: Never reveal a SQL query in the request or response. Do not expose the Ajax debug shell path to public users.
  8. Error Log:

We are using MobileSync and SalesforceRest API services for communicating with the SF backend. Our application went through the Dynamic Application Security Test (DAST). The team noted the issue of exposing SOQL queries in web service requests with the following impact.

"When an application discloses SQL queries, it exposes information about its database technology. This includes details about the database management system (DBMS) being used. It may be possible for an attacker to access the Ajax debug shell to execute malicious XSS payloads."

Please let us know whether we have any mechanism in the Salesforce SDK to prevent this issue, or let us know how security is ensured when using the Salesforce SDK.

wmathurin commented 4 months ago

SOQL is not SQL: it does not give you information about the physical DBMS that Salesforce uses. Instead it gives a view of the records and fields the user is authorized to view. The request needs to be authorized.

Requests to the SOQL query API end point must have an authorization header. The Mobile SDK takes care of adding the access token it got during login or refresh flow to outgoing requests. Without it, a request gets a 401 from the server. Mobile SDK also takes care of encrypting the tokens at rest.

The access token could be intercepted if you have physical access to a rooted / unlocked device or by doing a Man-In-The-Middle attack. There are ways to protect against those scenarios, but they are outside the scope of the Mobile SDK (they are available as part of enhanced security for the Salesforce Mobile App).

Here is a paper discussing the security in the Salesforce Mobile App. Salesforce Mobile App is built on top of Mobile SDK so a lot of what the paper covers actually comes from the Mobile SDK and is therefore applicable to you.

I hope that helped. Let us know if you have any more questions.
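
A triage helper for the point made above, added here as an example that is not part of the Mobile SDK or of this thread: it parses a captured request to the SOQL query endpoint and flags only the real problems (no `Authorization: Bearer` header, which the server answers with 401, or a credential carried in the URL), while treating the SOQL text in `q=` as the expected API contract rather than a DBMS disclosure. The host, the API version segment `vNN.0` and the token value are constructed placeholders.

```python
"""Classify a captured Salesforce SOQL request for DAST triage."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (placeholder host, API version and token).
SAMPLE_AUTHORIZED = (
    "GET /services/data/vNN.0/query?q=SELECT+Id,Name+FROM+Account HTTP/1.1\r\n"
    "Host: EXAMPLE-ORG.my.salesforce.com\r\n"
    "Authorization: Bearer PLACEHOLDER_ACCESS_TOKEN\r\n"
    "Accept: application/json\r\n\r\n"
)
SAMPLE_UNAUTHORIZED = (
    "GET /services/data/vNN.0/query?q=SELECT+Id+FROM+Contact"
    "&access_token=PLACEHOLDER_ACCESS_TOKEN HTTP/1.1\r\n"
    "Host: EXAMPLE-ORG.my.salesforce.com\r\n"
    "Accept: application/json\r\n\r\n"
)


def parse_raw_request(raw: str):
    """Minimal HTTP/1.1 parser: returns (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def triage_soql_request(raw: str) -> dict:
    """Return what the request is and the findings a reviewer should keep."""
    _method, target, headers, _body = parse_raw_request(raw)
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    is_soql = parts.path.startswith("/services/data/") and parts.path.endswith("/query")
    soql = query.get("q", [None])[0]  # visible by design: the query is the API input
    auth = headers.get("authorization", "")
    authorized = auth.lower().startswith("bearer ")
    findings = []
    if is_soql and soql is None:
        findings.append("SOQL endpoint called without a q parameter")
    if not authorized:
        findings.append("no Authorization: Bearer header; server will answer 401")
    # Tokens must travel only in the header, never in the URL (logs, proxies).
    for key in ("access_token", "oauth_token", "sid"):
        if key in query:
            findings.append(f"credential '{key}' exposed in URL query string")
    return {"is_soql": is_soql, "soql": soql, "authorized": authorized, "findings": findings}
```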

StarrySite commented 4 months ago

@wmathurin Thanks a lot for the information. I will look into the documentation and let you know of any issues.