sbhs-forkbombers / sbhs-timetable-android

Works 50% of the time, 100% of the time.
https://play.google.com/store/apps/details?id=com.sbhstimetable.sbhs_timetable_android
GNU General Public License v3.0

[hidden] #19

Closed quadrupleslap closed 9 years ago

quadrupleslap commented 9 years ago

[hidden]

gnustomp commented 9 years ago

If you think there is a security issue, please contact us directly. sbhstimetable@gmail.com works.

fourkbomb commented 9 years ago

Given that you haven't emailed, I'll just put my logic here:

  1. Any security measures (even if not pushed to this git repository/kept hidden somehow) can be reverse-engineered in like 10 seconds using a bytecode decompiler and the APK downloaded from the Play Store.
  2. If it happens automatically in a different app your phone is really shifty and sharing WebView cookies between apps. That's not our problem, and also something that you should tell your OEM to fix their really dumb software.
  3. If you're typing in your ID number/password into random login screens in random apps, you're really dumb.
  4. If you're giving superuser access to random apps so that they can steal your session ID from our app, you're really dumb.

quadrupleslap commented 9 years ago

[hidden]

gnustomp commented 9 years ago

The problem with that is, the embedded secret is inherently insecure. And I don't know of a form of client verification that would be secure and fulfill this purpose. We could have a mechanism to identify applications accessing -node, but they still come from the same applications on the SBHS side of things.

The obvious solution is to have the user not be an idiot and install only from a trusted source (Google Play) or compile their own version (as they would with any other application). Additionally, distributing modified versions without source code is in violation of the terms of the AGPL 3.0 anyway.

quadrupleslap commented 9 years ago

[hidden]

fourkbomb commented 9 years ago

Eh, we can report your app on the Play Store/report you to the trained hamsters.

gnustomp commented 9 years ago

More like, working around a limitation of the authentication process.