The Gradle distribution is downloaded over unencrypted http, leaving the installation of Gradle itself open to man-in-the-middle attacks.
Moreover, even if gradleVersion is set to a version for which the Gradle wrapper was already installed externally (and through https), this plugin seems to download it again – via http!
It turns out that these issues can be solved by upgrading the gradle-tooling-api dependency from 1.7 (which dates from 2012!) to at least 1.12. But since the default Gradle version installed is already 2.4 (a bit behind the current one, 2.11, but whatever), perhaps the Tooling API dependency could be updated to at least that same version?
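The report is about two gaps that let a network attacker swap the Gradle archive: a plain-http distribution URL and nothing that pins the expected archive. The plugin fetches through the Tooling API rather than through the wrapper, so its fix is the dependency upgrade above; for the wrapper side, the following added example (not code from the plugin or from Gradle) audits a project's gradle-wrapper.properties for the same two weaknesses. It relies only on the standard wrapper keys distributionUrl and distributionSha256Sum; the two sample files are constructed, and the checksum in the hardened one is a placeholder, not the real digest of any distribution.

```python
"""Audit a gradle-wrapper.properties file for insecure distribution downloads.

Added example, not code from the plugin discussed above. Flags the two
weaknesses the report describes: a distributionUrl that is not https, and
a missing distributionSha256Sum pin (without it a substituted archive is
accepted even over https if the mirror or host is compromised).
"""
import re
from urllib.parse import urlparse

# Constructed sample: wrapper config with the weak setting (http, no checksum).
WEAK_PROPERTIES = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=http\\://services.gradle.org/distributions/gradle-2.4-bin.zip
"""

# Constructed sample: hardened config. The checksum is a placeholder value,
# not the real SHA-256 of this distribution.
HARDENED_PROPERTIES = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-2.4-bin.zip
# placeholder, not the real checksum
distributionSha256Sum=0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments,
    backslash escapes removed (the wrapper writes ':' as '\\:')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        props[key] = re.sub(r"\\(.)", r"\1", value)
    return props


def audit_wrapper(text):
    """Return a list of findings; an empty list means both checks passed."""
    props = parse_properties(text)
    findings = []
    url = props.get("distributionUrl")
    if url is None:
        findings.append("no distributionUrl: wrapper cannot fetch a distribution")
        return findings
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        findings.append(
            f"distributionUrl uses {scheme or 'no'} scheme; "
            "the download is not authenticated and can be tampered with in transit"
        )
    sha = props.get("distributionSha256Sum", "")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", sha):
        findings.append(
            "distributionSha256Sum missing or malformed; a substituted archive "
            "would not be detected"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(name, audit_wrapper(text) or ["ok"])
```

Run it against a real project by replacing the constructed strings with the contents of gradle/wrapper/gradle-wrapper.properties; a clean result means the wrapper fetches over TLS and verifies the archive digest before unpacking it.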