Some SQL injection in Android – how to use GROUP BY and CASE when you are not allowed to do so
8 February 2012 by ludovicianul
I suppose you’re all familiar with the “academic” examples of SQL injection, where you put an AND 1=1 at the end of the SQL query and magically get access to all kinds of nasty things. I’ll show you how to use the same trick to do a SQL injection in Android, but for a good thing.
I had the following situation: I wanted to group all the calls from the call log either by the caller name, if the number was in the agenda, or by the number, if it was not. To do this you need a content resolver, a URI and a projection to tell Android which columns you want to select. A typical call looks as follows:
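getContentResolver().query(CallLog.Calls.CONTENT_URI,
        new String[] { projection },     // columns to return
        selection,                       // WHERE clause, without the WHERE keyword
        new String[] { selectionArgs },  // values bound to the ? placeholders in selection
        sortOrder);                      // ORDER BY clause, without the keywords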
As you can see, there is no parameter for telling Android how to group the rows. But we can trick it:
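getContentResolver().query(CallLog.Calls.CONTENT_URI,
        new String[] {"_id", "name", "number", "duration", "type", "numbertype",
                "MAX(date) AS date",
                // use the contact name when there is one, otherwise the number
                "(CASE WHEN name IS NOT NULL THEN name ELSE number END) AS logname"},
        // selection: closes the WHERE parenthesis early and opens one for GROUP BY
        " 1=1 ) GROUP BY (logname",
        null, null);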
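Notice the string 1=1 ) GROUP BY (logname passed as the selection parameter. This is where the magic happens: the unbalanced parentheses are deliberate, because the trick relies on the provider wrapping the selection in parentheses when it builds the WHERE clause, so the final statement reads WHERE ( 1=1 ) GROUP BY (logname).
Also notice the syntax of the CASE expression that conditionally selects the number or the name. You can use it anywhere you need to select columns conditionally.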
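The mechanics above can be reproduced offline. The following is an added example, not code from the original post: it uses Python's sqlite3 module to stand in for the on-device database, shows how the selection string turns into a GROUP BY clause, and adds a check a content provider could run on incoming selections. The build_query assembly (selection wrapped in parentheses), the calls table, its rows and the selection_is_balanced helper are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the call log (not real data).
ROWS = [
    (1, "Alice", "555-0100", 100),
    (2, "Alice", "555-0100", 300),
    (3, None, "555-0199", 200),
    (4, None, "555-0199", 400),
    (5, "Bob", "555-0123", 250),
]

def build_query(projection, selection):
    """Assumed model of the provider: selection is wrapped in parentheses."""
    sql = "SELECT " + ", ".join(projection) + " FROM calls"
    if selection:
        sql += " WHERE (" + selection + ")"
    return sql

def selection_is_balanced(selection):
    """Hypothetical provider-side check: a selection must not close a
    parenthesis it did not open, nor leave a parenthesis or quote open.
    Characters inside single-quoted literals are ignored."""
    depth = 0
    in_string = False
    for ch in selection:
        if ch == "'":
            in_string = not in_string
        elif not in_string:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:  # closes the wrapper added by build_query
                    return False
    return depth == 0 and not in_string

def run(projection, selection):
    """Build the statement and execute it on an in-memory copy of ROWS."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE calls (_id INTEGER, name TEXT, number TEXT, date INTEGER)")
    db.executemany("INSERT INTO calls VALUES (?, ?, ?, ?)", ROWS)
    sql = build_query(projection, selection)
    return sql, db.execute(sql).fetchall()

if __name__ == "__main__":
    cols = ["MAX(date) AS date",
            "(CASE WHEN name IS NOT NULL THEN name ELSE number END) AS logname"]
    for sel in (" 1=1 ) GROUP BY (logname", "name IS NOT NULL"):
        print(selection_is_balanced(sel), *run(cols, sel), sep="\n  ")
```

The balance check is deliberately narrow: it flags selections that escape the wrapping parentheses, which is exactly what the string in this post does, and nothing else.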
Happy Android programming!

I wonder whether Android programmers nowadays really care about security when it comes to their code, especially SQL injection. Google should have an automated tool that will test apps for SQL injection or something….
Does not work on Ice Cream Sandwich.
Tested up to Android 2.3.6.
I’ll give it a try on ICS to see what’s “wrong”.
Good one !!! kudos … Does it work for ICS btw?
I have just fired this query:
Uri uriSms = Uri.parse("content://sms");
Cursor cursor = getContentResolver().query(uriSms, new String[] {"address", "max(date)"}, " 1=1 ) GROUP BY ( address", null, null);
cursor.moveToFirst();
android.util.Log.i("COLUMNS", Arrays.toString(cursor.getColumnNames()));
String[] columns = cursor.getColumnNames();
on my S3 (ICS) and it works great
MWR Labs (Security Company that rocks, some of the developers of pieces contributed to the project worked at Samsung) has an awesome tool for doing just that
http://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/demo/