
Cleartext network traffic allowed in AndroidManifest.xml

I have found the android:usesCleartextTraffic setting in the AndroidManifest.xml to be set to "true". The app should not be able to send cleartext traffic to network endpoints.

The only relevant unencrypted resource I found in the source code is http://goolag.store:1337/api/auth. It is set as a constant URL_DISPENSER here and is referenced here and here. It seems to be responsible for establishing the anonymous Google Play Store session.

I have not conducted further research on this, but transmitting authentication data over an unencrypted channel is not a very good idea, even if the authentication data is only used for a shared anonymous account.

@whyorean Could you please elaborate on this?

Edited by Anth0rx
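An added example, not part of the original issue or the project's code: a small Python audit that reads the effective `android:usesCleartextTraffic` value from a decoded manifest and lists the `http://` literals in source, the two things the report above checks. The sample manifest, package name and file name are constructed; only the URL and the `URL_DISPENSER` constant name come from the report.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
CLEARTEXT_ATTR = f"{{{ANDROID_NS}}}usesCleartextTraffic"
HTTP_URL = re.compile(r"http://[^\s\"'<>]+")

# Constructed sample manifest (decoded XML, not the project's real file)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.store">
  <application android:label="Store" android:usesCleartextTraffic="true"/>
</manifest>"""

# Constructed source file; the first URL is the one quoted in the report
SAMPLE_SOURCE = {
    "Constants.java": (
        'public static final String URL_DISPENSER = "http://goolag.store:1337/api/auth";\n'
        'public static final String URL_DOCS = "https://example.org/docs";\n'),
}

def cleartext_setting(manifest_xml, target_sdk=28):
    """Return (effective_value, explicitly_set) for usesCleartextTraffic."""
    app = ET.fromstring(manifest_xml).find("application")
    raw = app.get(CLEARTEXT_ATTR) if app is not None else None
    if raw is None:
        # Platform default: true when targeting API 27 or lower, false from API 28
        return target_sdk < 28, False
    # Note: a Network Security Config, if present, overrides this flag on API 24+
    return raw.strip().lower() == "true", True

def cleartext_urls(sources):
    """Return sorted (file, line_no, url) for every http:// literal in sources."""
    hits = []
    for name, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            for m in HTTP_URL.finditer(line):
                if not m.group(0).startswith(ANDROID_NS):  # namespace URI, not an endpoint
                    hits.append((name, no, m.group(0)))
    return sorted(hits)

def audit(manifest_xml, sources, target_sdk=28):
    """Combine both checks; 'blocks_disabling' means hard-coded http:// endpoints remain."""
    allowed, explicit = cleartext_setting(manifest_xml, target_sdk)
    urls = cleartext_urls(sources)
    return {"cleartext_allowed": allowed, "explicit": explicit,
            "urls": urls, "blocks_disabling": bool(urls)}

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```
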