SQL Injection
Application Security is a primary concern of every mobile application developer whether it is iPhone app, iPad app, Universal app in iOS, Android app, Blackberry app, Windows Phone app or tablet app. And most of the vulnerability attacks are due to client side SQL injection in applications. So methods to find and prevent client side SQL injection should be always on top of the mind of iOS developers.
Let’s see first What is SQL Injection?
SQL Injection is type of security attack in which an attacker is able to insert malicious code (crafted Data) as part of database SQL commands (SQL Query) which is executed by the application and exploits security vulnerability of the application at database layer.
SQL Injection permits an attacker to create, alter, update, read or delete the stored data available in the back-end database.
When SQL Injection occurs?
SQL Injection occurs when data entered by user is directly sent as a part of SQL query to the SQL interpreter without handling proper validations and without authenticating the user against a set of rules.
What attacker can do with SQL Injection?
Attacker uses crafted data (malicious data) as user input to the SQL interpreter in such manner that SQL interpreter will not be able to distinguish between intended data and attacker’s specially crafted data.
How to prevent it?
SQL injection can be prevented if you use an input validation technique in which user input is authenticated against a set of defined rules for length, type, and syntax and also against business rules.
Properly handle user input data, for example, remove special characters.
By using strongly typed parameterized query APIs with placeholder substitution markers.
How to prevent it in iOS Application?
When designing queries for SQLite we have to be sure that user supplied data is validated against some predefine rules and being passed to a parameterized query. This can be identified by looking for the format specifier used.