cleartext traffic about mmrl HOT 4 CLOSED

That might a mistake while I was upgrading Gradle, didn't even knew that such thing exists.

The application has android:usesCleartextTraffic set to true, which allows it to access resources that do not use encryption, a situation that could be exploited by an attacker to perform MitM attacks and compromise the confidentiality and integrity of the application.
Source

I will offer an update so fast I can.

from mmrl.

That might a mistake while I was upgrading Gradle, didn't even knew that such thing exists.

Ah, OK. I thought the intention might have been to support "local repos" (for hosting one's preferred modules within the own home network, where https might be a bit overkill and getting a proper certificate even difficult), in which case it would totally make sense.

I will offer an update so fast I can.

No stress, the "alert" will only pop up again when a new release is being pulled. And it's just a warning. Sure, if it's not needed it shouldn't be there – but before removing it better be sure it is not needed. I don't think (m)any people will host any repositories locally, though, so removing could be fine.

Leaving the decision to you. I just need to know if I should add that flag to your app's allow-list (if it's needed) or not (otherwise, so we get another warning should it "sneak back in").

from mmrl.

That might a mistake while I was upgrading Gradle, didn't even knew that such thing exists.

Ah, OK. I thought the intention might have been to support "local repos" (for hosting one's preferred modules within the own home network, where https might be a bit overkill and getting a proper certificate even difficult), in which case it would totally make sense.

I will offer an update so fast I can.

No stress, the "alert" will only pop up again when a new release is being pulled. And it's just a warning. Sure, if it's not needed it shouldn't be there – but before removing it better be sure it is not needed. I don't think (m)any people will host any repositories locally, though, so removing could be fine.

Leaving the decision to you. I just need to know if I should add that flag to your app's allow-list (if it's needed) or not (otherwise, so we get another warning should it "sneak back in").

"Local repos" are just the saved repo data.

[
    {
        "name": "Magisk Modules Alt Repo",
        "website": "https://github.com/Magisk-Modules-Alt-Repo",
        "support": "https://github.com/Magisk-Modules-Alt-Repo/json/issues",
        "donate": null,
        "submitModule": null,
        "last_update": 1690995729000,
        "modules": "https://gr.dergoogler.com/magisk/mmar.json"
    }
]

from mmrl.

"Local repos" are just the saved repo data.

I thought of that in a different way, like:

[
    {
        "name": "My personal Repo",
        "website": "http://192.168.1.15/magisk",
        "support": null,
        "donate": null,
        "submitModule": null,
        "last_update": 1690995729000,
        "modules": "http://192.168.1.15/magisk.json"
    }
]

But as already mentioned, that would be a rare edge-case. And you decided already – so yes, better security that way, thanks!

from mmrl.