Analysis of an SQL Injection in Android SMS/MMS Storage Component

The research describes a vulnerability in the MmsProvider, SmsProvider and MmsSmsProvider components of Android, where the request handler using ContentResolver.query() failed to validate bracket pairing in the selection parameter. This allowed an app with SMS/MMS read permission to perform an SQL injection bypassing built‑in filters and gain access to private messages.

The issue was fixed in patch 98ddf9f, which adds mandatory validation for bracketing in SQLiteTokenizer.

📎 Article: https://mp.weixin.qq.com/s/ueEFKrQCKFJpq7QGTe94Dg

💬 Discuss