jocmp / capyreader

A smallish Android RSS reader
http://capyreader.com/
MIT License
91 stars, 3 forks

cleartext traffic? #165

Closed IzzySoft closed 1 month ago

IzzySoft commented 1 month ago

Scanning your app I've just got a.o. this part in my reports:

! repo/com.capyreader.app_1007.apk declares flag(s): usesCleartextTraffic
! repo/com.capyreader.app_1007.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what cleartext traffic is generated? As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a small addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

jocmp commented 1 month ago

hey @IzzySoft, thanks for digging into the app! I only added cleartext support just in case a user subscribes to an RSS feed that's still using http. That means the cleartext traffic only supports feeds that do not use auth headers. The code for that is in the feed finder module.

For your second question, I'll patch that DEPENDENCY_INFO_BLOCK issue asap and include it in the next GitHub release.

IzzySoft commented 1 month ago

> added cleartext support just in case a user subscribes to an RSS feed that's still using http

Oh, those still exist? Oof. OK, fair enough. Might be an idea to throw a warning then, because MITM and all that. I thought usesCleartextTraffic was for some self-hosted server, but as far as I could see Feedbin does not really offer such. OK, will add it to the "green list" then with that explanation.

And thanks for taking care of that blob!

Btw, if you wonder why I ask all that, get ready to pick a badge e.g. for your Readme and link it to this page :wink:
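The thread settles on two points: cleartext is only meant for plain-http feeds without auth headers (jocmp's comment), and the user should be warned when that path is taken (IzzySoft's suggestion). The following Kotlin snippet is an added illustration of how such a policy could look, not Capy Reader's own code; `FeedUrlPolicy`, `Decision` and the `hasAuthHeaders` parameter are assumed names, and the feed-finder call site is hypothetical.

```kotlin
// Added example, not from the Capy Reader project: decide whether a feed URL may be
// fetched, keeping cleartext HTTP narrowly scoped and surfacing a warning to the user.
// FeedUrlPolicy, Decision and hasAuthHeaders are assumptions for this illustration.
import java.net.URI
import java.net.URISyntaxException

sealed class Decision {
    object Allow : Decision()
    data class AllowWithWarning(val message: String) : Decision()
    data class Deny(val reason: String) : Decision()
}

object FeedUrlPolicy {
    /**
     * Evaluate a feed URL before any request is made.
     * hasAuthHeaders: true when the subscription carries an Authorization header
     * (for example HTTP Basic credentials for a self-hosted service).
     */
    fun evaluate(rawUrl: String, hasAuthHeaders: Boolean): Decision {
        val uri = try {
            URI(rawUrl)
        } catch (e: URISyntaxException) {
            return Decision.Deny("Not a valid URL: $rawUrl")
        }
        if (uri.host.isNullOrBlank()) return Decision.Deny("URL has no host: $rawUrl")

        return when (uri.scheme?.lowercase()) {
            "https" -> Decision.Allow
            "http" -> when {
                // user:password@host in the URL would travel unencrypted
                uri.userInfo != null ->
                    Decision.Deny("Credentials embedded in a plain-http URL would be sent in cleartext")
                // Authorization headers are never sent over cleartext
                hasAuthHeaders ->
                    Decision.Deny("Authenticated feeds must use https")
                else ->
                    Decision.AllowWithWarning(
                        "${uri.host} is fetched over plain HTTP; anyone on the network path " +
                        "can read or alter this feed. Use https if the site offers it."
                    )
            }
            else -> Decision.Deny("Unsupported scheme: ${uri.scheme}")
        }
    }

    /** Same URL with the scheme switched to https, to be tried before falling back to http. */
    fun httpsVariant(rawUrl: String): String? =
        try {
            val u = URI(rawUrl)
            if (u.scheme.equals("http", ignoreCase = true))
                URI("https", u.userInfo, u.host, u.port, u.path, u.query, u.fragment).toString()
            else null
        } catch (e: URISyntaxException) {
            null
        }
}

// Hypothetical call site in a feed finder: try https first, then apply the policy.
fun main() {
    val candidates = listOf(
        "http://example.org/feed.xml" to false,      // plain feed, no auth
        "http://example.org/private.xml" to true,    // auth header present
        "http://bob:hunter2@example.org/feed" to false,
        "https://example.org/feed.xml" to false,
    )
    for ((url, auth) in candidates) {
        val upgraded = FeedUrlPolicy.httpsVariant(url)
        println("$url -> try first: ${upgraded ?: url}")
        println("  fallback decision: ${FeedUrlPolicy.evaluate(url, auth)}")
    }
}
```

In this shape the app keeps `usesCleartextTraffic` for the feeds that genuinely need it, but the decision to send anything unencrypted is made explicitly per subscription, is refused whenever credentials are involved, and produces a message the UI can show when a feed is added.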