Anyone can send untrusted data to a mobile app, including external users, internal users, the application itself, or other malicious apps on the mobile device. An adversary loads simple text-based attacks that exploit the syntax of the targeted interpreter within the mobile app. Almost any source of data can be an injection vector. The best way to find out if an application is vulnerable to injection is to identify the sources of input and validate that the user/application supplied data is being subject to input validation, disallowing code injection. Checking the code is a fast and accurate way to see if the application is handling the data correctly. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Manual penetration testers can confirm these issues by crafting exploits that confirm the vulnerability.
Since data can come from many sources in mobile applications, it is important to list them delineated by what they are trying to achieve. In general, injection attacks on mobile devices target the data on the device, mobile users’ session, application interfaces or functions, and the binary code. Protecting the application from client side injection requires looking at all the areas the application can receive data from and applying some sort of input validation.