Just like web applications, Android applications may use untrusted input to construct SQL queries, and do so in a way that is exploitable.
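The difference between an exploitable query and a safe one, as an added example that is not from the original page: Android's `SQLiteDatabase` is backed by SQLite, so Python's `sqlite3` module is used here to run the same SQL offline. The `notes` table, the function names and the sample values are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: two users' notes in one table, as an app might store them.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, title TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO notes VALUES (?, ?, ?)",
        [
            ("alice", "groceries", "milk, eggs"),
            ("alice", "todo", "renew passport"),
            ("bob", "pin", "bob's private note"),
        ],
    )
    return db

def find_notes_unsafe(db, owner, title):
    # The input is pasted into the SQL text, so a quote in `title` ends the
    # string literal and whatever follows is parsed as SQL.
    sql = ("SELECT owner, title FROM notes WHERE owner = '" + owner +
           "' AND title = '" + title + "'")
    return db.execute(sql).fetchall()

def find_notes_safe(db, owner, title):
    # Placeholders keep the input as data. On Android the same shape is
    # rawQuery("... WHERE owner = ? AND title = ?", new String[]{owner, title}).
    sql = "SELECT owner, title FROM notes WHERE owner = ? AND title = ?"
    return db.execute(sql, (owner, title)).fetchall()

# Constructed value standing in for any input the app does not control.
UNTRUSTED_TITLE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Concatenated query: the WHERE clause is rewritten and every row comes back.
    print("unsafe:", find_notes_unsafe(db, "alice", UNTRUSTED_TITLE))
    # Bound query: the value is compared as a literal title and matches nothing.
    print("safe:  ", find_notes_safe(db, "alice", UNTRUSTED_TITLE))
    print("safe, normal input:", find_notes_safe(db, "alice", "todo"))
```

The bound form also handles legitimate input containing an apostrophe, which makes the concatenated form fail with a syntax error.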