Cleartext HTTP traffic not permitted #451

Closed
AEFeinstein opened this issue Jan 7, 2019 · 10 comments

@AEFeinstein
Owner

Android 9 doesn't support HTTP, it requires HTTPS. But Gatherer doesn't use HTTPS. Gotta enable plain HTTP support in the manifest.

AEFeinstein added the bug label Jan 7, 2019
AEFeinstein added a commit that referenced this issue Jan 7, 2019
Switch to HTTPS where applicable
@IzzySoft
Contributor

> Gatherer doesn't use HTTPS

Is this still true, or could that flag be removed? I've enabled additional security checks in my repo lately, so the latest update just raised:

repo/com.gelakinetic.mtgfam_92.apk declares flags: usesCleartextTraffic

If it's still needed, I'll add it to the app's allow-list here. Otherwise it would be preferable to remove the flag again, for more security. Thanks in advance for clarification, @AEFeinstein!
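The scanner line quoted above comes from checking the decoded manifest for the `usesCleartextTraffic` flag. The following is an added example, not code from this project or from IzzySoft's scanner: it evaluates that flag in a decoded AndroidManifest.xml together with the targetSdkVersion, since the Android 9 default mentioned at the top of the thread only applies when the app targets API 28 or higher. Both manifests in it are constructed samples, not the app's real manifest, and the manifest is assumed to be plain XML (e.g. decoded with apktool).

```python
"""Evaluate usesCleartextTraffic in a decoded AndroidManifest.xml (added example,
not the project's or the scanner's own code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Fully qualified attribute name as ElementTree sees android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample: the state the thread describes before the fix.
BEFORE_FIX = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.gelakinetic.mtgfam">
  <uses-sdk android:targetSdkVersion="28"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

# Constructed sample: the flag removed, as in the follow-up commit.
AFTER_FIX = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.gelakinetic.mtgfam">
  <uses-sdk android:targetSdkVersion="28"/>
  <application/>
</manifest>"""


def check_cleartext(manifest_xml: str) -> dict:
    """Report the declared flag and whether cleartext HTTP ends up permitted.

    Android permits cleartext by default below targetSdk 28 and blocks it from
    28 (Android 9) upward; an explicit flag overrides that default, and a
    networkSecurityConfig overrides the flag (only reported here, not parsed).
    """
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    # Without <uses-sdk> the target defaults to API 1 (cleartext permitted).
    target = int(uses_sdk.get(android_attr("targetSdkVersion"), "1")) if uses_sdk is not None else 1
    app = root.find("application")
    declared = app.get(android_attr("usesCleartextTraffic")) if app is not None else None
    has_nsc = app is not None and app.get(android_attr("networkSecurityConfig")) is not None
    permitted = (target < 28) if declared is None else declared.lower() == "true"
    findings = []
    if declared is not None and declared.lower() == "true":
        findings.append("declares flags: usesCleartextTraffic")  # same wording as the scanner
    if has_nsc:
        findings.append("networkSecurityConfig present; it takes precedence over the flag")
    return {"package": root.get("package"), "target_sdk": target, "declared": declared,
            "cleartext_permitted": permitted, "findings": findings}
```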

@AEFeinstein
Owner Author

AEFeinstein commented Jan 14, 2024

This isn't true anymore, and you can see that the app uses https when fetching data from gatherer.wizards.com. The comment in the source code is also outdated. Wizards of the Coast has had issues keeping their certificates up to date, but they're OK (for now...).

AEFeinstein added a commit that referenced this issue Jan 14, 2024
Fix regex URLs in the comprehensive rules
@AEFeinstein
Owner Author

I removed usesCleartextTraffic from the manifest, but it's still in 3.9.9. There was one other regex that tried to use http://, but the regex was failing anyway (silly code rot), so 3.9.8 still only uses https.

@IzzySoft
Contributor

Thanks! Then the next release should no longer raise a warning from my scanner. Thanks for the swift action!

@AEFeinstein
Owner Author

No problem! It's a little unfortunate that I released 3.9.9 earlier today, but that's the way it is.

@IzzySoft
Contributor

No problem with that – this is no CVE. If the next update has it fixed, that's fully sufficient. And had you not released "earlier today", I would not have reported it "earlier today", as my scanner would not have made me aware 🤷‍♂️

@AEFeinstein
Owner Author

Oh, haha, I thought it was a coincidence. That makes more sense!

@IzzySoft
Contributor

Yup. Details here in case you're curious: additional APK checks. Currently I have to open about 10 issues per day, as every 3rd app or so receiving its first update since activation of the new scans triggers something (which is why I do not enable all the checks at once, or I couldn't keep up). I guess "full enable" will follow around February (and then cause another wave). Somewhere in April I might have to trigger a manual scan for the latest release of every app in my repo, to also catch those that have not yet received updates. But I'll not do that before the other waves have rolled out.

Interesting things popped up there. On the good side, my reports have always been well-received (on the bad side, more than half of them have not been answered at all) – and several apps had either their security or their documentation improved as a result, or both. Several cases were self-explanatory (like an app manager requesting QUERY_ALL_PACKAGES or REQUEST_INSTALL_PACKAGES, or a keyboard app defining an intent-filter for android.view.InputMethod); in such cases I simply updated the allow-lists without reaching out.

So yeah, in the end this will have improved security in my repo – and in many of its apps. Stay tuned to get hit again when all checks are active 🙈

@AEFeinstein
Owner Author

Ten issues a day? I wonder if you could automate GitHub issue creation (though that assumes the project is hosted on GitHub). Can't wait to get hit again!

@IzzySoft
Contributor

> Ten issues a day?

Only initially; it will slow down when all apps have been covered once. And yesterday it was fewer than 5 (plus a few apps where the reason was obvious, so I just updated their allow-list).

> if you could automate github issue creation

Could probably be done via email. But until I have figured out how and configured the process, it will have slowed down. Nah, not worth it I guess. I prefer deciding myself and keeping the "human factor" in 😉

> Can't wait to get hit again!

🤣 It's really great that my reports are met with such warm responses, thanks!
