
CWE: SQL Injection & Insufficiently Random Values #1032

Open
sizhe-eb opened this issue Jun 21, 2024 · 3 comments
@sizhe-eb

Description

SQL Injection & Insufficiently Random Values vulnerability

Repro Steps

Details

  1. Which version of the App Center SDK are you using?
    • v5.0.1
  2. Which OS version did you experience the issue on?
    • Android 8.2.1
  3. What device version did you see this error on? Were you using an emulator or a physical device?
    • N/A
  4. What third party libraries are you using?
    • example
  5. Run the following command and paste the output below: react-native info

System:
OS: macOS 14.4.1
CPU: (8) arm64 Apple M1
Memory: 117.25 MB / 16.00 GB
Shell:
version: "5.9"
path: /bin/zsh
Binaries:
Node:
version: 18.15.0
path: /usr/local/bin/node
Yarn:
version: 4.2.2
path: /usr/local/bin/yarn
npm:
version: 9.8.0
path: /opt/homebrew/bin/npm
Watchman:
version: 2023.11.20.00
path: /opt/homebrew/bin/watchman
Managers:
CocoaPods:
version: 1.15.2
path: /opt/homebrew/opt/ruby/bin/pod
SDKs:
iOS SDK:
Platforms:
- DriverKit 23.5
- iOS 17.5
- macOS 14.5
- tvOS 17.5
- visionOS 1.2
- watchOS 10.5
Android SDK:
API Levels:
- "28"
- "29"
- "31"
- "33"
- "34"
Build Tools:
- 28.0.3
- 29.0.0
- 29.0.2
- 30.0.2
- 30.0.3
- 33.0.0
- 33.0.1
- 34.0.0
System Images:
- android-28 | Google APIs ARM 64 v8a
- android-30 | Google APIs ARM 64 v8a
- android-33 | Google APIs ARM 64 v8a
- android-34 | Google APIs ARM 64 v8a
- android-UpsideDownCakePrivacySandbox | Google Play ARM 64 v8a
Android NDK: Not Found
IDEs:
Android Studio: 2022.2 AI-222.4459.24.2221.10121639
Xcode:
version: 15.4/15F31d
path: /usr/bin/xcodebuild
Languages:
Java:
version: 17.0.9
path: /usr/bin/javac
Ruby:
version: 3.2.2
path: /opt/homebrew/opt/ruby/bin/ruby
npmPackages:
"@react-native-community/cli": Not Found
react:
installed: 18.2.0
wanted: 18.2.0
react-native:
installed: 0.74.1
wanted: 0.74.1
react-native-macos: Not Found
npmGlobalPackages:
"react-native": Not Found
Android:
hermesEnabled: true
newArchEnabled: false
iOS:
hermesEnabled: true
newArchEnabled: false

Related files:

SQL Injection:
  • DatabasePersistence.java
  • DatabaseManager.java

Insufficiently Random Values:
  • HttpClientRetryer.java

Source Code

DatabasePersistence.java
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteFullException;
import android.database.sqlite.SQLiteQueryBuilder;
public void onCreate(SQLiteDatabase db) {
    db.execSQL(DatabasePersistence.CREATE_PRIORITY_INDEX_LOGS);
}
DatabaseManager.java
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteFullException;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
public void onCreate(SQLiteDatabase db) {
    db.execSQL(sqlCreateCommand);
    DatabaseManager.this.mListener.onCreate(db);
}
HttpClientRetryer.java
package com.microsoft.appcenter.http;
import android.os.Handler;
import android.os.Looper;
import com.microsoft.appcenter.http.HttpClient;
import com.microsoft.appcenter.utils.AppCenterLog;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.Random;  // <---- This line
import java.util.concurrent.TimeUnit;


@sizhe-eb
Author

I emailed the security team but have not received a response, so I created a new issue hoping to get a reply, thanks!

@DmitriyKirakosyan
Contributor

Hi @sizhe-eb, thank you for the report!

These alerts seem to be false positives to me.

The "Insufficiently Random Values" alert references the HttpClientRetryer file, which uses random values in a non-security context, specifically for creating timeouts for retries.

The SQL Injection alert references raw SQL executions. However, all such executions use predefined query constants without any user input.
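The distinction the comment above draws (constant SQL text versus SQL built from runtime data) is the whole triage question for a CWE-89 alert on `execSQL`. The class below is an added illustration written for this thread, not App Center SDK code: it assumes the Android `android.database.sqlite` API, and its table, column and class names are invented. It shows the flagged-but-safe constant pattern, the concatenated form that would actually be injectable, and the bound-parameter form to use whenever a value does come from outside.

```java
// Added example (not App Center SDK code). Assumes the Android SQLite API;
// table/column/class names are made up for illustration.
package example;

import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;

public final class LogStoreHelper extends SQLiteOpenHelper {

    /* Compile-time constants: no runtime data can reach the SQL text, so
     * execSQL(CREATE_LOGS_TABLE) is not injectable even though static analysers
     * flag every execSQL call. This mirrors the onCreate() pattern in the report. */
    static final String CREATE_LOGS_TABLE =
            "CREATE TABLE IF NOT EXISTS logs ("
            + "oid INTEGER PRIMARY KEY AUTOINCREMENT, "
            + "persistence_group TEXT NOT NULL, "
            + "log TEXT NOT NULL)";
    static final String CREATE_GROUP_INDEX =
            "CREATE INDEX IF NOT EXISTS ix_group ON logs (persistence_group)";

    public LogStoreHelper(Context context) {
        super(context, "logs.db", null, 1);
    }

    @Override
    public void onCreate(SQLiteDatabase db) {
        db.execSQL(CREATE_LOGS_TABLE);   // constant text only: safe
        db.execSQL(CREATE_GROUP_INDEX);
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
        db.execSQL("DROP TABLE IF EXISTS logs");
        onCreate(db);
    }

    /* VULNERABLE, shown for contrast: the group name is spliced into the SQL
     * text, so a value containing a quote character changes the statement's
     * structure. This is the pattern a real CWE-89 finding would point at. */
    static String unsafeSelectSql(String group) {
        return "SELECT log FROM logs WHERE persistence_group = '" + group + "'";
    }

    /* SAFE: the value travels as a bound parameter and is never parsed as SQL. */
    public Cursor logsForGroup(SQLiteDatabase db, String group) {
        return db.query("logs", new String[] {"log"},
                "persistence_group = ?", new String[] {group},
                null, null, "oid ASC");
    }

    /* Writes go through ContentValues bindings, never string building. */
    public long insertLog(SQLiteDatabase db, String group, String logJson) {
        ContentValues values = new ContentValues();
        values.put("persistence_group", group);
        values.put("log", logJson);
        return db.insert("logs", null, values);
    }

    /* Review check for an execSQL/rawQuery alert: trace every argument back to
     * its source. If only literals and constants reach the call (as in onCreate
     * here), the alert is a false positive; if any caller-supplied string does,
     * move that value into selectionArgs / bindArgs as logsForGroup() does. */
}
```

The review check in the last comment is the one to apply to the two flagged `onCreate` methods: `CREATE_PRIORITY_INDEX_LOGS` and `sqlCreateCommand` are the only arguments, so the alert stands or falls on whether either is ever assembled from external input.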

@sizhe-eb
Author

sizhe-eb commented Jun 21, 2024

Hi @DmitriyKirakosyan, thanks for your reply!
Is it possible to use java.security.Random instead of java.util.Random?
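Retry back-off with jitter is the "non-security context" referred to earlier in the thread, and the question above is about swapping in a cryptographic generator. The class below is an added example, not App Center SDK code: it implements exponential back-off with full jitter using `java.util.Random`, shows where a cryptographically strong generator is actually required, and notes that the JDK class is `java.security.SecureRandom` (there is no `java.security.Random`). Delay constants and names are invented.

```java
// Added example (not App Center SDK code). Constants and class names are
// invented; only standard JDK classes are used.
package example;

import java.security.SecureRandom;
import java.util.Random;
import java.util.concurrent.ThreadLocalRandom;

public final class RetryBackoff {

    static final long BASE_DELAY_MS = 1_000;
    static final long MAX_DELAY_MS = 60_000;
    static final int MAX_ATTEMPTS = 5;

    /* Exponential back-off with full jitter: delay in [0, min(MAX, BASE * 2^attempt)).
     * Predictability of the jitter only affects how retries from many clients
     * spread in time; no secret, token or authorization decision depends on it,
     * so java.util.Random / ThreadLocalRandom is adequate here and a CWE-330
     * alert on this use is a false positive. */
    static long jitteredDelayMs(int attempt, Random rng) {
        long ceiling = Math.min(MAX_DELAY_MS, BASE_DELAY_MS << Math.min(attempt, 20));
        return (long) (rng.nextDouble() * ceiling);
    }

    static long jitteredDelayMs(int attempt) {
        return jitteredDelayMs(attempt, ThreadLocalRandom.current());
    }

    /* Where the value must be unguessable (session tokens, nonces, reset codes)
     * the right class is java.security.SecureRandom. It extends java.util.Random,
     * so it can be passed to jitteredDelayMs() unchanged if a project prefers a
     * single generator, at the cost of slower (on some platforms, blocking)
     * seeding for a value that gains nothing from being unpredictable. */
    static byte[] newToken(int length) {
        byte[] token = new byte[length];
        new SecureRandom().nextBytes(token);
        return token;
    }

    public static void main(String[] args) {
        Random seeded = new Random(42);  // fixed seed so the demo is repeatable
        for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
            System.out.printf("attempt %d: sleep %d ms%n",
                    attempt, jitteredDelayMs(attempt, seeded));
        }
        System.out.println("token bytes: " + newToken(16).length);
    }
}
```

The practical rule this encodes: pick the generator by what an attacker would gain from predicting its output. For retry timing the answer is nothing, which is the maintainer's point; for anything that gates access, use `SecureRandom`.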
