LendingClub / gradle-maven-plugin

maven plugin to invoke gradle

Use https to download Gradle distribution #33

Open psibre opened 8 years ago

psibre commented 8 years ago

The Gradle distribution is downloaded over unencrypted http, leaving the installation of Gradle itself open to man-in-the-middle attacks.

Moreover, even if gradleVersion is set to a version for which the Gradle wrapper was already installed externally (and through https), this plugin seems to download it again – via http!

It turns out that these issues can be solved by upgrading the gradle-tooling-api dependency from 1.7 (which dates from 2012!) to at least 1.12. But since the default Gradle version installed is already 2.4 (a bit behind the current one, 2.11, but whatever), perhaps the Tooling API dependency could be updated to at least that same version?
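As an added example (not part of this issue or of the gradle-maven-plugin code), a small Python audit that flags the two conditions the report describes in a Maven pom: a gradle-tooling-api dependency older than 1.12, and any Gradle distribution URL that is not served over https. The sample pom, the `gradle.distributionUrl` property name and the Maven coordinates `org.gradle:gradle-tooling-api` are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed pom.xml fragment modelled on the issue: tooling API pinned to 1.7
# and a distribution URL (hypothetical property name) served over plain http.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.gradle</groupId>
      <artifactId>gradle-tooling-api</artifactId>
      <version>1.7</version>
    </dependency>
  </dependencies>
  <properties>
    <gradle.distributionUrl>http://services.gradle.org/distributions/gradle-2.4-bin.zip</gradle.distributionUrl>
  </properties>
</project>"""

# The same pom after applying the fix suggested in the issue.
FIXED_POM = (SAMPLE_POM
             .replace("<version>1.7</version>", "<version>1.12</version>")
             .replace("http://services", "https://services"))

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_SAFE_TOOLING_API = (1, 12)  # first version the issue reports as fetching over https


def parse_version(text):
    """Turn '1.12' into (1, 12) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())


def audit_pom(pom_xml):
    """Return findings: outdated tooling API and non-https distribution URLs."""
    findings = []
    root = ET.fromstring(pom_xml)
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default="", namespaces=NS)
        if gid == "org.gradle" and aid == "gradle-tooling-api":
            if parse_version(ver) < MIN_SAFE_TOOLING_API:
                findings.append(f"gradle-tooling-api {ver} < 1.12: downloads Gradle over http")
    # Scan every element's text for a distribution archive URL, whatever the property is called.
    for el in root.iter():
        text = (el.text or "").strip()
        if text.startswith("http") and text.endswith(".zip") and urlparse(text).scheme != "https":
            findings.append(f"non-https distribution URL: {text}")
    return findings


if __name__ == "__main__":
    for f in audit_pom(SAMPLE_POM):
        print("FINDING:", f)
```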