firebase-ios-sdk
DataTheorem flags “App Embeds SQL Query with Dynamic Input” in Firebase SDK
Description
Our security scanner Data Theorem is raising many findings of type “App Embeds SQL Query with Dynamic Input” that are coming from the Firebase iOS SDK, not from our own application code.
These findings are mapped by Data Theorem to Compliance:
- OWASP Mobile Top 10: M4 – Insufficient Input/Output Validation
- OWASP ASVS
In the Data Theorem report, the Vulnerable Code section shows SQL format strings such as:

```
UPDATE %@ SET %@ = %@ + %lld WHERE %@
SELECT count(1) FROM %@
SELECT * FROM %@ WHERE event_id=? LIMIT 1
DELETE FROM %@ WHERE %@
create TABLE IF NOT EXISTS %@%@ (_id INTEGER PRIMARY KEY, rmq_id TEXT, expiration_ts INTEGER, apns_recv INTEGER, mcs_recv INTEGER)
```
For one of the findings, Data Theorem shows the stack trace:

> This finding was identified within the following SDKs: Firebase Analytics FirebaseAnalytics This string is referenced by -[APMSqliteStore increaseColumn:byValue:inTable:condition:parameterValues:error:] within the app binary.
Similar findings also appear for other Firebase modules (e.g. FirebaseMessaging, FIRMessagingRmqManager.m, etc.).
Our application itself does not build such SQL statements. All of these strings come from the Firebase SDK’s internal persistence/database layer, which we cannot modify.
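As an added illustration for triaging findings of this shape (this is not part of the original report and not the Firebase SDK's code), the script below shows why a persistence layer ends up with `%@` in its SQL at all, and how a reviewer can separate the placeholders that name tables or columns from the ones that sit in value or clause position. It uses Python's built-in SQLite bindings rather than Objective-C so it runs stand-alone; the `events` table, the `SCHEMA` allowlist, the keyword lists and the `classify_placeholders` heuristic are all assumptions of this example.

```python
import re
import sqlite3

# Constructed SQL format strings of the kind a scanner reports. They follow the
# shape of the strings quoted in the issue; they are not the SDK's code.
SAMPLE_FORMAT_STRINGS = [
    "UPDATE %@ SET %@ = %@ + %lld WHERE %@",
    "SELECT count(1) FROM %@",
    "SELECT * FROM %@ WHERE event_id=? LIMIT 1",
    "DELETE FROM %@ WHERE %@",
]

# Keywords after which a placeholder names a table or column (an identifier),
# and keywords after which it stands in for a whole clause fragment. Any other
# position is treated as a value, where a bound '?' is expected instead.
IDENTIFIER_CONTEXT = {"FROM", "UPDATE", "INTO", "TABLE", "JOIN", "SET", "EXISTS"}
FRAGMENT_CONTEXT = {"WHERE", "AND", "OR"}
PLACEHOLDER = re.compile(r"%(?:@|lld|ld|d|s)")


def classify_placeholders(fmt):
    """Return [(placeholder, kind)] for each format specifier in fmt.

    Triage heuristic (an assumption of this example): identifier positions are
    benign when the interpolated name is a compile-time constant, so a reviewer
    can spend their time on the 'value' and 'fragment' positions instead."""
    out = []
    for m in PLACEHOLDER.finditer(fmt):
        before = fmt[: m.start()].upper().replace("=", " = ").replace("+", " + ").split()
        prev = before[-1] if before else ""
        spec = m.group(0)
        if spec != "%@":
            kind = "value"  # %lld and friends interpolate a number as text
        elif prev in IDENTIFIER_CONTEXT:
            kind = "identifier"
        elif prev in FRAGMENT_CONTEXT:
            kind = "fragment"
        else:
            kind = "value"
        out.append((spec, kind))
    return out


def identifier_cannot_be_bound():
    """SQLite binds values only, never table or column names, which is why
    persistence layers interpolate identifiers with a format string."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (_id INTEGER PRIMARY KEY, event_id TEXT, hits INTEGER)")
    try:
        conn.execute("SELECT count(1) FROM ?", ("events",))
        return False
    except sqlite3.OperationalError:
        return True


# Constructed allowlist of the identifiers this example's schema uses.
SCHEMA = {"events": {"_id", "event_id", "hits"}}


def quote_ident(name, allowed):
    """Accept only allowlisted identifiers and quote them as SQL identifiers."""
    if name not in allowed:
        raise ValueError(f"identifier not in allowlist: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def increase_column(conn, table, column, amount, where_column, where_value):
    """Hardened form of an 'increase column' helper: identifiers come from the
    allowlist and are quoted; every runtime value is bound with '?'."""
    t = quote_ident(table, SCHEMA)
    c = quote_ident(column, SCHEMA[table])
    w = quote_ident(where_column, SCHEMA[table])
    sql = f"UPDATE {t} SET {c} = {c} + ? WHERE {w} = ?"
    return conn.execute(sql, (amount, where_value)).rowcount


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (_id INTEGER PRIMARY KEY, event_id TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO events (event_id, hits) VALUES (?, ?)",
                     [("evt-1", 1), ("evt-2", 5)])
    # A value containing quote characters is compared literally because it is
    # bound, so it matches no row and changes nothing.
    untouched = increase_column(conn, "events", "hits", 10, "event_id", "evt-1' OR 1=1 --")
    matched = increase_column(conn, "events", "hits", 10, "event_id", "evt-2")
    rows = dict(conn.execute("SELECT event_id, hits FROM events").fetchall())
    return untouched, matched, rows


if __name__ == "__main__":
    for fmt in SAMPLE_FORMAT_STRINGS:
        print(fmt, "->", classify_placeholders(fmt))
    print("identifiers bindable with '?':", not identifier_cannot_be_bound())
    print(demo())
```

Run as a script, it prints the classification of each sample format string, confirms that SQLite rejects a bound table name, and shows the hardened helper touching only the row whose bound value matches. The point for a compliance review is that a `%@` after `FROM` or `UPDATE` is a different risk class from a `%@` after `=` or `WHERE`; the former is unavoidable for a generic store and is safe exactly when the name is a constant, the latter is where the reviewer should confirm that values are bound (as the `?` in `event_id=?` above already suggests) rather than formatted in.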
Because our customer’s security team is using OWASP M4 / OWASP ASVS as compliance standards, they are asking us to either:
- Fix these issues in the app, or
- Provide an official statement/justification from Firebase that these queries are safe and not vulnerable to SQL injection.
We would like to ask for Firebase’s guidance on this.
Reproducing the issue
No response
Firebase SDK Version
12.6.0
Xcode Version
16.4
Installation Method
Swift Package Manager
Firebase Product(s)
Analytics, Crashlytics, Database, In-App Messaging, Messaging
Targeted Platforms
iOS