Security issue with DBFlow

Hello, I am developing an Expo app, which is on my employer’s Expo Pro account. This app was developed using Expo SDK 33.0.0, and I built an Android binary (apk) for a client to do some security testing on this apk using VERACODE (https://www.veracode.com/) software. To do this, I ejected my project and chose to use ExpoKit, and the result was that we are getting a security issue with SQL Injection, as you can see below:

So I researched this issue and found that this FlowSQLiteOpenHelper.java file is from DBFlow. I read in the Expo documents that in Expo SDK 35.0.0, DBFlow has been removed from app/build.gradle.

So I performed expo upgrade and checked the instructions to verify it was all right. Then I ejected my project again, and chose to use ExpoKit, to generate a new Android binary (apk) and repeat the security test in VERACODE, and the result was that we are still getting a security issue with SQL Injection, and now we have another issue, Untrusted Initialization.

My app is in production and I need to fix this issue. Can you help me with how I can do this?

Expo diagnostics:
Expo CLI 3.8.0 environment info:
System:
OS: macOS 10.14.6
Shell: 5.3 - /bin/zsh
Binaries:
Node: 10.16.0 - /usr/local/bin/node
Yarn: 1.17.3 - /usr/local/bin/yarn
npm: 6.10.1 - /usr/local/bin/npm
Watchman: 4.9.0 - /usr/local/bin/watchman
IDEs:
Android Studio: 3.5 AI-191.8026.42.35.5791312
Xcode: 10.3/10G8 - /usr/bin/xcodebuild
npmPackages:
expo: ^35.0.0 => 35.0.1
react: 16.8.3 => 16.8.3
react-native: https://github.com/expo/react-native/archive/sdk-35.0.0.tar.gz => 0.59.8
react-navigation: 3.0.9 => 3.0.9
npmGlobalPackages:
expo-cli: 3.8.0


Hey @joaogabrielsg,

I responded further on the github issue that was created for this. We’ll continue the discussion there.

Cheers,
Adam