Client Side Injection holds the 7th position in the OWASP Mobile Top 10.
to mobile applications cookies. If you have your Google account attached to the device, then you can use your Google account in the Android Browser without authentication.
Several application interfaces or language functions can accept data and can be fuzzed to make applications crash. While most of these flaws do not lead to overflows because the phone platforms run managed code, several have been used as a “userland” exploit in an exploit chain aimed at rooting or jailbreaking devices.
How To Fix
- SQL Injection: When dealing with dynamic queries or Content Providers, ensure you are using parameterized queries.
- Local File Inclusion: Verify that File System Access is disabled for any WebViews (webview.getSettings().setAllowFileAccess(false);).
- Intent Injection/Fuzzing: Verify actions and data are validated via an Intent Filter for all Activities.
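
The three fixes above, sketched as one Android helper class. This is an added example, not code from the original page. The class, method, table, column and host names are hypothetical, and the Intent check is a runtime check inside the Activity that complements the Intent Filter declaration.

```java
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Added illustration; table, column, host and method names are hypothetical. */
public final class InjectionFixes {
    private static final String EXPECTED_HOST = "app.example.com"; // assumed host

    private InjectionFixes() {}

    /** SQL injection: the value is bound to "?", never concatenated into the SQL. */
    public static Cursor findUser(SQLiteDatabase db, String name) {
        // Vulnerable form, for contrast:
        //   db.rawQuery("SELECT _id, name FROM users WHERE name = '" + name + "'", null);
        return db.query("users", new String[] {"_id", "name"},
                "name = ?", new String[] {name}, null, null, null);
    }

    /** Local file inclusion: switch off file system access for the WebView. */
    public static void hardenWebView(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);
    }

    /** Intent injection: accept only the action and data shape the Activity expects. */
    public static boolean isExpectedIntent(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) {
            return false;
        }
        Uri data = intent.getData();
        if (data == null || !"https".equals(data.getScheme())) {
            return false;
        }
        // Exact host match; a suffix or contains() check would accept look-alike hosts.
        return EXPECTED_HOST.equalsIgnoreCase(data.getHost());
    }
}
```

An Activity would call isExpectedIntent(getIntent()) at the start of onCreate() and finish without processing the data when it returns false.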