It is widely known how dangerous it is to use unsanitized data in SQL queries. Besides never appending user-provided data to an SQL query, the valid and secure alternative is to use parametrized queries. One could think that simply using the Content Resolver provided by Android automatically protects SQL queries, but that is false if it is used incorrectly. If arguments are concatenated directly into a Content Resolver's selection parameter, the result can be an SQL injection attack.
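The difference between a concatenated selection and a parametrized one, as an added example that is not code from the original article. The provider URI `content://com.example.notes/notes`, the column names and the class `NoteQueries` are hypothetical, and a SQLite-backed provider is assumed.

```java
import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;

public final class NoteQueries {
    // Hypothetical provider URI and column names, used only for this example.
    private static final Uri NOTES_URI = Uri.parse("content://com.example.notes/notes");
    private static final String[] PROJECTION = {"_id", "title"};

    private NoteQueries() {}

    // WEAK: the caller-supplied value becomes part of the WHERE clause text,
    // so a quote character in `owner` changes the structure of the statement.
    static Cursor findByOwnerConcatenated(ContentResolver resolver, String owner) {
        String selection = "owner = '" + owner + "'";
        return resolver.query(NOTES_URI, PROJECTION, selection, null, null);
    }

    // CORRECTED: the selection is a constant with a ? placeholder; the value
    // travels separately in selectionArgs, which a SQLite-backed provider
    // binds as data instead of parsing as SQL.
    static Cursor findByOwner(ContentResolver resolver, String owner) {
        if (owner == null) {
            throw new IllegalArgumentException("owner must not be null");
        }
        String selection = "owner = ?";
        String[] selectionArgs = {owner};
        return resolver.query(NOTES_URI, PROJECTION, selection, selectionArgs, "title ASC");
    }

    // Typical call site: count matching rows and always close the cursor.
    static int countNotes(ContentResolver resolver, String owner) {
        try (Cursor cursor = findByOwner(resolver, owner)) {
            return cursor == null ? 0 : cursor.getCount();
        }
    }
}
```

In a code review, any `selection` argument built with `+` or `String.format` from non-constant input is the pattern to flag.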
Our AppSec team has encountered the SQLCipher library during some recent security audits of mobile applications. According to its GitHub README: SQLCipher extends the SQLite database library to add security enhancements that make it more suitable for encrypted local data storage such as on-the-fly encryption, tamper evidence, and key derivation. Based on SQLite, SQLCipher closely tracks SQLite and periodically integrates stable SQLite release features. This means that, even on a rooted device, information stored in the database will not be accessible to third parties because it is encrypted, unless they can somehow obtain the encryption key.
Recently, a new zero-day vulnerability was made public following a tweet from @SandboxEscaper, who claimed to be frustrated with Microsoft and their bug submission process. The tweet includes a GitHub link to a proof of concept. After some tries, as the image below shows, it works like a charm, giving us SYSTEM privileges on any Windows machine. We tested it on an updated Windows 10 machine.