Recently, during a source code audit of my Android application, the auditors raised a few points like path manipulation and privacy violation attacks.
I have been searching for proper solutions for the last few days but couldn't find any fruitful solution. Please provide me solutions for the queries below.
1. File f = new File("filepath");

How do I prevent an attacker from manipulating the file path?

2. private void selectDataFromDB(String param1, String param2) {
       // rawQuery takes the full SQL text plus the bound arguments;
       // SQLiteDatabase.query() has a different, per-clause signature
       sqlitedatabase.rawQuery("SELECT * FROM tbl1 WHERE col1 LIKE ? AND colu2 LIKE ?", new String[]{param1, param2});
   }

How do I validate the parameters so that an attacker cannot change them? Input sanitization? How do I apply it?
Edit 1:
The method selectDataFromDB() in MyActivity.java mishandles confidential information, which can compromise user privacy and is often illegal.
You don't need to sanitize inputs when you use query parameters. That's one of the best reasons to use parameterized SQL statements. It's not possible for the value of a query parameter to change the SQL syntax.
It's possible that your auditors don't understand how SQL injection works.
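To make the two points concrete, here is an added example (not code from the question or the answer above) showing the parameterised query from the question written against Android's SQLiteDatabase API, alongside an assumed helper, openInside(), that answers the first question by canonicalising a user-supplied file name inside a fixed base directory and rejecting anything that escapes it. The class name, the base directory argument and the helper name are assumptions for illustration.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.io.File;
import java.io.IOException;

public class SafeAccess {

    // The two values are bound by SQLite rather than spliced into the SQL text,
    // so a value such as "' OR 1=1 --" is matched as a literal pattern and can
    // never change the statement's syntax. Note that LIKE still interprets
    // '%' and '_' inside a bound value as wildcards; that affects which rows
    // match, not the structure of the query.
    static Cursor selectDataFromDB(SQLiteDatabase db, String param1, String param2) {
        return db.rawQuery(
                "SELECT * FROM tbl1 WHERE col1 LIKE ? AND colu2 LIKE ?",
                new String[]{param1, param2});
    }

    // Assumed helper (not from the original post): resolve an untrusted name
    // inside baseDir and reject it if the canonical path leaves that directory,
    // e.g. "../../shared_prefs/secrets.xml" or an absolute path. The trailing
    // separator on the base prevents "/data/app" from accepting "/data/app-evil".
    static File openInside(File baseDir, String untrustedName) throws IOException {
        String base = baseDir.getCanonicalPath() + File.separator;
        File candidate = new File(baseDir, untrustedName);
        String resolved = candidate.getCanonicalPath();
        if (!resolved.startsWith(base)) {
            throw new IOException("path escapes base directory: " + untrustedName);
        }
        return candidate;
    }
}
```

On Android, baseDir would typically be a directory obtained from the app context (for example its private files directory) so that the allowed location is fixed in code rather than derived from input.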