Giters

DerGoogler / MMRL

Introducing Magisk Module Repo Loader (MMRL) - the ultimate module manager for Magisk, KernelSU and APatch on Android. This highly configurable app allows users to manage modules effortlessly, all while being completely free of ads.

Home Page:https://mmrl.dergoogler.com

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

cleartext traffic

IzzySoft opened this issue · comments

commented

My scanner just got its hands on today's update and reported:

! repo/com.dergoogler.mmrl_1138.apk declares flags: usesCleartextTraffic

This is just a warning (the update was still published), but could you please let me know why you've set that flag? By default, it's turned off, so you'll have had a reason for enabling that. Thanks in advance!

commented

That might a mistake while I was upgrading Gradle, didn't even knew that such thing exists.

The application has android:usesCleartextTraffic set to true, which allows it to access resources that do not use encryption, a situation that could be exploited by an attacker to perform MitM attacks and compromise the confidentiality and integrity of the application.
Source

I will offer an update so fast I can.

commented

That might a mistake while I was upgrading Gradle, didn't even knew that such thing exists.

Ah, OK. I thought the intention might have been to support "local repos" (for hosting one's preferred modules within the own home network, where https might be a bit overkill and getting a proper certificate even difficult), in which case it would totally make sense.

I will offer an update so fast I can.

No stress, the "alert" will only pop up again when a new release is being pulled. And it's just a warning. Sure, if it's not needed it shouldn't be there – but before removing it better be sure it is not needed. I don't think (m)any people will host any repositories locally, though, so removing could be fine.

Leaving the decision to you. I just need to know if I should add that flag to your app's allow-list (if it's needed) or not (otherwise, so we get another warning should it "sneak back in").

commented

That might a mistake while I was upgrading Gradle, didn't even knew that such thing exists.

Ah, OK. I thought the intention might have been to support "local repos" (for hosting one's preferred modules within the own home network, where https might be a bit overkill and getting a proper certificate even difficult), in which case it would totally make sense.

I will offer an update so fast I can.

No stress, the "alert" will only pop up again when a new release is being pulled. And it's just a warning. Sure, if it's not needed it shouldn't be there – but before removing it better be sure it is not needed. I don't think (m)any people will host any repositories locally, though, so removing could be fine.

Leaving the decision to you. I just need to know if I should add that flag to your app's allow-list (if it's needed) or not (otherwise, so we get another warning should it "sneak back in").

"Local repos" are just the saved repo data.

[
    {
        "name": "Magisk Modules Alt Repo",
        "website": "https://github.com/Magisk-Modules-Alt-Repo",
        "support": "https://github.com/Magisk-Modules-Alt-Repo/json/issues",
        "donate": null,
        "submitModule": null,
        "last_update": 1690995729000,
        "modules": "https://gr.dergoogler.com/magisk/mmar.json"
    }
]
commented

"Local repos" are just the saved repo data.

I thought of that in a different way, like:

[
    {
        "name": "My personal Repo",
        "website": "http://192.168.1.15/magisk",
        "support": null,
        "donate": null,
        "submitModule": null,
        "last_update": 1690995729000,
        "modules": "http://192.168.1.15/magisk.json"
    }
]

But as already mentioned, that would be a rare edge-case. And you decided already – so yes, better security that way, thanks!