Title
CRITICAL: Widespread Man-in-the-Middle (MITM) Vulnerability due to usesCleartextTraffic="true"
Description
The application explicitly enables cleartext (unencrypted HTTP) traffic globally by setting android:usesCleartextTraffic="true" in the <application> tag of app/src/main/AndroidManifest.xml.
Starting from Android 9 (API level 28), cleartext traffic is disabled by default to protect users from eavesdropping and tampering. By globally overriding this security baseline, Arvio is vulnerable to Man-in-the-Middle (MITM) attacks across the entire application.
This means that any HTTP connection made by the app—whether it’s fetching media streams, downloading plugin metadata, or querying API endpoints—can be intercepted, viewed, or modified by an attacker on the same network (e.g., a malicious public Wi-Fi hotspot or compromised router).
This becomes exceptionally critical when combined with other features like the Cloudstream plugin loader (which fetches .cs3 executable files). If plugins or updates are fetched over HTTP, an attacker can modify the payload in transit to execute arbitrary code on the user's device.
Proof of Concept
- Inspect the app/src/main/AndroidManifest.xml file.
- Observe the <application> tag configuration:

  <application
      android:name=".ArflixApplication"
      ...
      android:usesCleartextTraffic="true">

- Connect an Android TV running Arvio to a proxied network (like Charles Proxy or Burp Suite).
- Observe that any HTTP network requests made by the app or its plugins are transmitted in plain text and can be seamlessly modified in real-time without triggering any SSL certificate errors.
Recommended Fix
- Remove android:usesCleartextTraffic="true" from AndroidManifest.xml to restore the platform's default secure behavior.
- If the application strictly requires cleartext traffic to communicate with local, self-hosted media servers (e.g., http://192.168.1.X for Jellyfin/Plex), do not enable it globally. Instead, use a specific NetworkSecurityConfig to selectively allow cleartext traffic only for local/private IP address ranges, while forcing HTTPS for all external API endpoints and plugin repositories.

Example network_security_config.xml:

  <?xml version="1.0" encoding="utf-8"?>
  <network-security-config>
      <domain-config cleartextTrafficPermitted="true">
          <domain includeSubdomains="true">localhost</domain>
          <!-- Local servers: Android matches each <domain> entry as an exact host name or
               IP literal (there is no CIDR or wildcard support in this file), so the
               entries below are placeholders; list each local server's actual address. -->
          <domain includeSubdomains="true">192.168.0.0</domain>
          <domain includeSubdomains="true">10.0.0.0</domain>
      </domain-config>
      <!-- Everything not listed above stays HTTPS-only -->
      <base-config cleartextTrafficPermitted="false" />
  </network-security-config>
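To make the fix checkable in CI rather than by eye, the following script (an added example, not code from the Arvio project or the report above) lints both files: it flags a manifest that still sets android:usesCleartextTraffic="true" or lacks an android:networkSecurityConfig reference (the config file only takes effect once the manifest points at it with android:networkSecurityConfig="@xml/network_security_config"), and it checks that the network security config keeps base-config at cleartextTrafficPermitted="false" and only permits cleartext for localhost or private IP literals. It also catches the subtle mistake of listing a network address such as 192.168.0.0, which Android matches literally rather than as a range. The sample manifest, config and host names are constructed for the example.

```python
"""Lint an AndroidManifest.xml and network_security_config.xml for cleartext policy.

Added example (not part of the Arvio project). The XML samples below are
constructed to mirror the snippets in the report.
"""
import ipaddress
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the vulnerable manifest from the report.
MANIFEST_VULNERABLE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app">
    <application android:name=".ArflixApplication" android:usesCleartextTraffic="true">
    </application>
</manifest>
"""

# Constructed sample: the manifest after applying the recommended fix.
MANIFEST_FIXED = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app">
    <application android:name=".ArflixApplication"
        android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>
"""

# Constructed sample config: one good entry, one range-like entry, one external host.
NSC_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">localhost</domain>
        <domain includeSubdomains="true">192.168.0.0</domain>
        <domain includeSubdomains="true">plugins.example.com</domain>
    </domain-config>
    <base-config cleartextTrafficPermitted="false" />
</network-security-config>
"""


def manifest_findings(manifest_xml):
    """Return human-readable findings for the manifest's <application> element."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element found"]
    if app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic") == "true":
        findings.append('android:usesCleartextTraffic="true" enables plain HTTP app-wide')
    if app.get(f"{{{ANDROID_NS}}}networkSecurityConfig") is None:
        findings.append("no android:networkSecurityConfig, so no per-domain policy applies")
    return findings


def _is_local_host(name):
    """True for 'localhost' or a loopback/private/link-local IP literal."""
    if name == "localhost":
        return True
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:
        return False


def _looks_like_network_address(name):
    """True for an IPv4 literal ending in .0, which is usually a mistaken range."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return False
    return ip.version == 4 and ip.packed[-1] == 0


def nsc_findings(nsc_xml):
    """Return findings for a network_security_config.xml."""
    findings = []
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    if base is None or base.get("cleartextTrafficPermitted") != "false":
        findings.append('base-config must set cleartextTrafficPermitted="false"')
    for dc in root.findall("domain-config"):
        if dc.get("cleartextTrafficPermitted") != "true":
            continue  # HTTPS-only sections need no review here
        for d in dc.findall("domain"):
            name = (d.text or "").strip()
            if not _is_local_host(name):
                findings.append(f"cleartext permitted for non-local host {name!r}")
            elif _looks_like_network_address(name):
                findings.append(
                    f"{name!r} is a network address; <domain> entries match exactly "
                    "(no CIDR support), list each local server instead"
                )
    return findings


if __name__ == "__main__":
    for label, result in [
        ("manifest (vulnerable)", manifest_findings(MANIFEST_VULNERABLE)),
        ("manifest (fixed)", manifest_findings(MANIFEST_FIXED)),
        ("network_security_config", nsc_findings(NSC_SAMPLE)),
    ]:
        print(label, "->", result or "OK")
```

Run it against the project's real files by reading them into the two functions; a non-empty result from either is a reasonable reason to fail the build.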
/assign