cleartext traffic
IzzySoft opened this issue · comments
My scanner just got its hands on today's update and reported:
! repo/com.dergoogler.mmrl_1138.apk declares flags: usesCleartextTraffic
This is just a warning (the update was still published), but could you please let me know why you've set that flag? By default, it's turned off, so you'll have had a reason for enabling that. Thanks in advance!
That might a mistake while I was upgrading Gradle, didn't even knew that such thing exists.
The application has android:usesCleartextTraffic set to true, which allows it to access resources that do not use encryption, a situation that could be exploited by an attacker to perform MitM attacks and compromise the confidentiality and integrity of the application.
Source
I will offer an update so fast I can.
That might a mistake while I was upgrading Gradle, didn't even knew that such thing exists.
Ah, OK. I thought the intention might have been to support "local repos" (for hosting one's preferred modules within the own home network, where https might be a bit overkill and getting a proper certificate even difficult), in which case it would totally make sense.
I will offer an update so fast I can.
No stress, the "alert" will only pop up again when a new release is being pulled. And it's just a warning. Sure, if it's not needed it shouldn't be there – but before removing it better be sure it is not needed. I don't think (m)any people will host any repositories locally, though, so removing could be fine.
Leaving the decision to you. I just need to know if I should add that flag to your app's allow-list (if it's needed) or not (otherwise, so we get another warning should it "sneak back in").
That might a mistake while I was upgrading Gradle, didn't even knew that such thing exists.
Ah, OK. I thought the intention might have been to support "local repos" (for hosting one's preferred modules within the own home network, where https might be a bit overkill and getting a proper certificate even difficult), in which case it would totally make sense.
I will offer an update so fast I can.
No stress, the "alert" will only pop up again when a new release is being pulled. And it's just a warning. Sure, if it's not needed it shouldn't be there – but before removing it better be sure it is not needed. I don't think (m)any people will host any repositories locally, though, so removing could be fine.
Leaving the decision to you. I just need to know if I should add that flag to your app's allow-list (if it's needed) or not (otherwise, so we get another warning should it "sneak back in").
"Local repos" are just the saved repo data.
[
{
"name": "Magisk Modules Alt Repo",
"website": "https://github.com/Magisk-Modules-Alt-Repo",
"support": "https://github.com/Magisk-Modules-Alt-Repo/json/issues",
"donate": null,
"submitModule": null,
"last_update": 1690995729000,
"modules": "https://gr.dergoogler.com/magisk/mmar.json"
}
]
"Local repos" are just the saved repo data.
I thought of that in a different way, like:
[
{
"name": "My personal Repo",
"website": "http://192.168.1.15/magisk",
"support": null,
"donate": null,
"submitModule": null,
"last_update": 1690995729000,
"modules": "http://192.168.1.15/magisk.json"
}
]
But as already mentioned, that would be a rare edge-case. And you decided already – so yes, better security that way, thanks!