We trust in security

Blog

Roxana Gogonea
An unusual case of Client SQL Injection

It is widely known how dangerous using unsanitized data in SQL queries can be. Apart from not appending user-provided data to an SQL query, another valid and secure alternative is to use parametrized queries. One could think that just by using the Content Resolver provided by Android, SQL queries would be automatically protected, but that is not the case if it is used incorrectly. If arguments are directly concatenated into a Content Resolver's selection parameter, the result can be an SQL injection vulnerability.

Clara Villalba
Ackcent attends the International RSA Conference once again

RSA Conference 2019 is taking place this week at Moscone Center in San Francisco (USA). This year's leitmotiv is just one word: Better, which means working hard to find better solutions and making better connections with cybersecurity professionals from around the world. In brief, keeping the digital world safe so that everyone can get on with making the real world a better place. The conference, which attracts over 50.

Toni Torralba
Recovering SQLCipher encrypted data with Frida

Our AppSec team has encountered the SQLCipher library during some recent security audits of mobile applications. According to its GitHub README: SQLCipher extends the SQLite database library to add security enhancements that make it more suitable for encrypted local data storage such as on-the-fly encryption, tamper evidence, and key derivation. Based on SQLite, SQLCipher closely tracks SQLite and periodically integrates stable SQLite release features. This means that, even on a rooted device, information stored in the database will not be accessible to third parties because it is encrypted, unless they can somehow obtain the encryption key.