Cleartext network traffic allowed in AndroidManifest.xml
I have found the android:usesCleartextTraffic
setting in the AndroidManifest.xml
to be set to "true"
. The app should not be able to send cleartext traffic to network endpoints.
The only relevant unencrypted resource I found in the source code is http://goolag.store:1337/api/auth. It is set as a constant URL_DISPENSER
here and is referenced here and here. It seems to be responsible for establishing the anonymous Google Play Store session.
I have not conducted further research on this, but transmitting authentication data over an unencrypted channel is not a very good idea, even if the authentication data is only used for a shared anonymous account.
@whyorean Could you please elaborate on this?
Edited by Anth0rx