
SQL Injection in Xiaomi Notes Application #38

@ez-lbz

Description

SQL Injection in Xiaomi Notes Application

Executive Summary

A SQL injection vulnerability exists in the ContentProvider implementation of the Xiaomi Notes (Mi Notes, package net.micode.notes) application. When the provider is reachable from other applications, any co-installed app can run attacker-chosen SQL against the notes database without holding any permission, allowing unauthorized access to, modification of, and deletion of user notes.

ANDROID VERSION IMPACT: The injection itself is present on every Android version; the Android version and the app's target SDK only decide whether another app can reach it without the manifest being changed. On Android 4.1 and below (API 16 and below) the framework exported every ContentProvider by default. From Android 4.2 (API 17) the default depends on the app: a <provider> with no android:exported attribute is exported when the app's targetSdkVersion is 16 or lower and private when it is 17 or higher. On builds where the provider is private, exploitation requires the provider to be explicitly configured as exported.

Vulnerability Details

CVE ID: [To be assigned]
Severity: Critical (CVSS 3.1 score 9.8 as reported; note that the attack requires a co-installed app rather than network access, so the vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 8.4)
Affected Component: net.micode.notes.data.NotesProvider
Affected Method: increaseNoteVersion()
Vulnerability Type: SQL Injection via Improper Input Sanitization

Technical Description

The vulnerability exists in the increaseNoteVersion() method within the NotesProvider class, specifically at lines 287-291:

for (String args : selectionArgs) {
    selectString = selectString.replaceFirst("\\?", args);
}
sql.append(selectString);
mHelper.getWritableDatabase().execSQL(sql.toString());

The code splices each selectionArgs value into the SQL text with String.replaceFirst instead of leaving the ? placeholders for SQLite to bind, and then executes the assembled string with execSQL(String). A caller of a ContentProvider is entitled to assume that selectionArgs are bound as values; here they become SQL. As a further caveat, replaceFirst treats the argument as a regex replacement string, so a $ or \ in an argument alters or aborts the substitution.

Root Cause Analysis

  1. Manual String Replacement: each selectionArgs value is spliced into the SQL text with replaceFirst("\\?", args), which applies no quoting and is a regex replacement rather than a literal one
  2. Direct SQL Execution: the assembled string is run with execSQL(String) rather than execSQL(String, Object[]) or update(), so nothing is bound as a parameter
  3. No Input Validation: the arguments are neither validated nor escaped before being spliced in (binding, not escaping, is the correct fix)
  4. Exported ContentProvider: the provider is not protected by a permission, so whenever it is exported, explicitly or by default for a targetSdkVersion of 16 or lower, any app can call update() and reach this method

Proof of Concept

Test Environment

  • Android Version: 10 (API Level 29) - Limited exploitation due to default security settings
  • Critical Note: This vulnerability is most easily reached on Android 4.1 and below (API 16 and below), where every ContentProvider was exported by default
  • Device: Testing performed on Android 10 with manually configured exported ContentProvider
  • Target Application: net.micode.notes (Xiaomi Notes)

Attack Vectors Tested

  1. Selection Parameter Injection: Successfully injected SQL through the selection parameter
  2. Condition Bypass: Successfully bypassed WHERE conditions using OR 1=1
  3. ContentValues Injection: Successfully injected malicious content through ContentValues
  4. SelectionArgs Injection: Demonstrated parameter replacement vulnerability

Test Results

[Screenshot: output of the SQL injection test application]

Successful Attack Outcomes:

  • Payload 1 (Selection Injection): ✅ Executed successfully, affected rows: 1
  • Payload 2 (Condition Bypass): ✅ Executed successfully, affected rows: 5 (bypassed WHERE condition)
  • Payload 3 (ContentValues Injection): ✅ Executed successfully, affected rows: 1
  • Verification: ✅ Confirmed malicious data insertion in database

Impact Assessment

Immediate Risks

  • Data Breach: Unauthorized access to all user notes and personal information
  • Data Manipulation: Ability to modify or delete existing notes
  • Data Injection: Insertion of malicious content into the notes database
  • Privacy Violation: Complete exposure of user's private notes and data

Attack Scenarios

  1. Malicious Apps: Once the provider is exported, any installed application can exploit this vulnerability without requesting special permissions, because the provider declares none
  2. Data Harvesting: Attackers can extract all notes data for identity theft or corporate espionage
  3. Data Corruption: Malicious modification or deletion of important user notes
  4. Persistent Attacks: Injection of malicious data that persists across app sessions

Affected Versions

  • Primary Target: Xiaomi Notes (net.micode.notes) - All versions containing the vulnerable NotesProvider implementation
  • Android Version Dependency (this governs exposure, not the presence of the bug):
    • Android < 4.2 (API < 17): HIGHLY VULNERABLE - every ContentProvider defaults to exported="true", so the SQL injection is reachable by any app without configuration changes
    • Android 4.2+ (API 17+): POTENTIALLY VULNERABLE - a provider with no android:exported attribute defaults to exported="true" only if the app's targetSdkVersion is 16 or lower; otherwise it is reachable only if the manifest exports it explicitly
  • Testing Recommendation: Test on Android 4.1 or below, or against a build of the app with targetSdkVersion 16 or lower or android:exported="true" on the provider, since there the provider is reachable without further configuration changes

Android Version Security Impact Analysis

Critical Vulnerability Window

Whether the injection can be reached from another app depends on the framework default for android:exported on a <provider> element, which changed in Android 4.2:

Android version       API level   Default when android:exported is not declared                                  Exploitation risk
≤ 4.1 (Jelly Bean)    ≤ 16        exported="true" for every app                                                  🔴 CRITICAL - Reachable by any app without configuration changes
4.2 and later         ≥ 17        exported="true" only if the app's targetSdkVersion is 16 or lower, else false   🟡 MEDIUM - Reachable only if exported by default or declared explicitly
12 and later          ≥ 31        Unchanged for providers (the explicit android:exported requirement introduced   🟡 MEDIUM - Same as the row above
                                  in Android 12 covers activities, services and receivers with intent filters)
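To make the exported-by-default rule in the table checkable on a real manifest, here is an added example (not code from the Notes project or the Android SDK): a Python audit that lists every <provider> in an AndroidManifest.xml with its effective android:exported value and whether a permission guards it. The manifest text in the block is constructed for the demo and is not the Notes manifest; the rule it applies (exported by default exactly when the app's targetSdkVersion is 16 or lower, and always on devices below API 17) is the framework behaviour described above.

```python
"""Added example, not code from the Notes project or the Android SDK: audit the
<provider> elements of an AndroidManifest.xml for exposure to other apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: three providers, only the first relies on the default.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="{target}" />
    <application>
        <provider android:name=".data.NotesProvider"
            android:authorities="com.example.notes" />
        <provider android:name=".data.SyncProvider"
            android:authorities="com.example.notes.sync"
            android:exported="false" />
        <provider android:name=".data.SharedProvider"
            android:authorities="com.example.notes.shared"
            android:exported="true"
            android:readPermission="com.example.notes.READ" />
    </application>
</manifest>
"""


def sample_manifest(target_sdk):
    """Return the constructed manifest with the given targetSdkVersion."""
    return SAMPLE_MANIFEST.format(target=target_sdk)


def attr(elem, name, default=None):
    """Read an android: namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def provider_exposure(manifest_xml, device_api=29):
    """One finding per <provider>.

    exported: explicit android:exported if present; otherwise the framework default,
      which is true on devices below API 17 and, from API 17 on, true only when the
      app's targetSdkVersion is 16 or lower (targetSdkVersion falls back to minSdkVersion).
    guarded: any of android:permission / readPermission / writePermission is set.
    reachable_by_any_app: exported and not guarded (coarse: <path-permission> and
      grantUriPermissions are not considered).
    """
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        target_sdk = 1  # no <uses-sdk>: the platform treats min and target SDK as 1
    else:
        target_sdk = int(attr(uses_sdk, "targetSdkVersion",
                              attr(uses_sdk, "minSdkVersion", "1")))
    default_exported = device_api < 17 or target_sdk <= 16

    findings = []
    for prov in root.iter("provider"):
        explicit = attr(prov, "exported")
        exported = default_exported if explicit is None else explicit.lower() == "true"
        guarded = any(attr(prov, p) is not None
                      for p in ("permission", "readPermission", "writePermission"))
        findings.append({
            "name": attr(prov, "name"),
            "authorities": attr(prov, "authorities"),
            "exported": exported,
            "exported_source": "explicit" if explicit is not None else "default",
            "guarded": guarded,
            "reachable_by_any_app": exported and not guarded,
        })
    return findings


if __name__ == "__main__":
    for target in (16, 29):
        print("targetSdkVersion=%d" % target)
        for f in provider_exposure(sample_manifest(target)):
            print("  %-22s exported=%-5s (%s) guarded=%-5s reachable=%s" % (
                f["name"], f["exported"], f["exported_source"], f["guarded"],
                f["reachable_by_any_app"]))
```

Running it with targetSdkVersion 16 flags .data.NotesProvider as reachable by any app; with targetSdkVersion 29 the same element is private by default, and passing device_api=16 shows it exported again on a pre-4.2 device. An explicit android:exported="false" is the only value that is stable across all three cases, which is why the remediation should declare it rather than rely on the default.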

Why Lower Versions Are Critical

  • No Permission Required: On Android ≤4.1 any app can call the provider without declaring a permission, because the provider itself requires none
  • Silent Exploitation: Users have no indication that their notes are being accessed
  • Legacy Device Risk: Devices still on Android 4.1 are rare today, but a build of the app with targetSdkVersion 16 or lower is equally exposed on current Android versions
  • Enterprise Impact: Fleets that keep old device images or old app builds in service extend this window

Reproduction Steps

For Android ≤4.1 (Direct Exploitation)

  1. Install Xiaomi Notes on a device running Android 4.1 or below, where the provider is exported by default
  2. Install the provided SQL injection test APK (attached)
  3. Run the test application - no additional configuration needed
  4. Execute SQL injection payloads and verify successful exploitation

For Android 4.2+ (Requires Configuration)

  1. Rebuild Xiaomi Notes with android:exported="true" on the NotesProvider <provider> element (or with a targetSdkVersion of 16 or lower) and install it
  2. Install the provided SQL injection test APK (attached)
  3. Run the test application and execute the SQL injection payloads
  4. Verify successful injection through the verification function

Note: The complete SQL injection test APK will be provided as an attachment to demonstrate the vulnerability.

Recommended Remediation

Immediate Actions Required

  1. Use Parameterized Queries: Keep the ? placeholders in the SQL text and pass selectionArgs to SQLiteDatabase.update() or execSQL(String, Object[]) so that SQLite binds them as values
  2. Input Validation: Validate selection and selectionArgs as defence in depth; validation does not replace binding
  3. Permission Controls: Declare android:exported="false" on the provider unless other apps must use it, and if they must, guard it with android:permission, readPermission or writePermission
  4. Security Review: Audit every database call in the provider for the same string-assembly pattern

Code Fix Example

// VULNERABLE CODE (Current): arguments are spliced into the SQL text
for (String args : selectionArgs) {
    selectString = selectString.replaceFirst("\\?", args);
}
mHelper.getWritableDatabase().execSQL(sql.toString());

// SECURE CODE (Recommended): keep the ? placeholders and let SQLite bind the
// arguments; this preserves version=version+1, which a ContentValues-based
// update(TABLE.NOTE, values, selection, selectionArgs) cannot express
sql.append(selectString);
SQLiteDatabase db = mHelper.getWritableDatabase();
if (selectionArgs != null && selectionArgs.length > 0) {
    db.execSQL(sql.toString(), selectionArgs);  // execSQL(String, Object[]) rejects a null array
} else {
    db.execSQL(sql.toString());
}
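To show what the two forms actually do to the database, here is an added example (not the project's code) that reproduces the increaseNoteVersion() pattern from the Technical Description and the parameterized form from the Code Fix Example against an in-memory SQLite database in Python, then runs a hostile selectionArgs value through both. The note table, its rows and the argument values are constructed for the demo.

```python
"""Added example, not code from the Notes project: the reported string-splicing
pattern and its parameterized replacement, run side by side on SQLite."""
import sqlite3


def make_db():
    """Constructed sample: a 'note' table with five rows and a version counter."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE note (_id INTEGER PRIMARY KEY, snippet TEXT,"
               " version INTEGER NOT NULL DEFAULT 1)")
    db.executemany("INSERT INTO note (snippet) VALUES (?)",
                   [("shopping",), ("pin 4321",), ("meeting",), ("wifi pass",), ("todo",)])
    db.commit()
    return db


def increase_note_version_vulnerable(db, selection, selection_args):
    """Mirrors the reported code: each '?' in the caller's selection is replaced by
    the raw argument text (Java replaceFirst) and the result is executed as one string."""
    sql = "UPDATE note SET version=version+1"
    if selection:
        select_string = selection
        for arg in selection_args:
            select_string = select_string.replace("?", arg, 1)  # replaceFirst, no quoting
        sql += " WHERE " + select_string
    cur = db.execute(sql)  # execSQL(sql.toString()) equivalent: nothing is bound
    db.commit()
    return cur.rowcount


def increase_note_version_safe(db, selection, selection_args):
    """Parameterized form: the '?' placeholders stay in the SQL text and the
    arguments are bound by SQLite, so they can only ever be compared as values."""
    sql = "UPDATE note SET version=version+1"
    if selection:
        sql += " WHERE " + selection
    cur = db.execute(sql, tuple(selection_args))  # execSQL(sql, selectionArgs) equivalent
    db.commit()
    return cur.rowcount


def versions(db):
    """Version counter of every note, ordered by _id."""
    return [row[0] for row in db.execute("SELECT version FROM note ORDER BY _id")]


def demo():
    """Affected-row counts for a well-behaved and a hostile caller under both forms."""
    results = {}
    # Well-behaved caller: bump only note 2.
    db = make_db()
    results["vuln_benign"] = increase_note_version_vulnerable(db, "_id=?", ["2"])
    db = make_db()
    results["safe_benign"] = increase_note_version_safe(db, "_id=?", ["2"])
    # Hostile caller: the argument carries SQL, so the WHERE clause becomes _id=2 OR 1=1.
    db = make_db()
    results["vuln_hostile"] = increase_note_version_vulnerable(db, "_id=?", ["2 OR 1=1"])
    results["vuln_hostile_versions"] = versions(db)
    # Same hostile argument bound as a parameter: SQLite compares _id with the
    # text '2 OR 1=1', which is not a number and matches no row.
    db = make_db()
    results["safe_hostile"] = increase_note_version_safe(db, "_id=?", ["2 OR 1=1"])
    results["safe_hostile_versions"] = versions(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

A hostile caller needs no unusual selection: `_id=?` with the argument `2 OR 1=1` is enough, because the argument is pasted into the WHERE clause and every row is updated. Bound as a parameter, the same text is compared with _id as a value and matches nothing. In a ContentProvider the selection string itself is caller-supplied WHERE text by design, so the guarantee the provider must keep is that selectionArgs are always bound, never spliced.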

Disclaimer: This vulnerability report is submitted for the purpose of improving software security. The provided proof-of-concept code and APK should only be used for legitimate security testing and research purposes.

The test APK can be obtained from: https://github.com/ez-lbz/-SQL-
