OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://
Android gateway endpoint handling allowed non-loopback cleartext websocket endpoints from setup/discovery flows, and the gateway session could then connect with ws:// while using stored gateway credentials.
apps/android/app/src/main/java/ai/openclaw/app/ui/GatewayConfigResolver.kt
This Android gateway config parser handled manual URLs and scanned setup codes. The fix adds rejection of non-loopback cleartext endpoints, indicating the vulnerable acceptance point lived here.
apps/android/app/src/main/java/ai/openclaw/app/node/ConnectionManager.kt
This file decides whether a gateway endpoint must use TLS. The fix changes it to require TLS for non-loopback endpoints, so the earlier logic likely allowed remote cleartext connections.
apps/android/app/src/main/java/ai/openclaw/app/gateway/GatewaySession.kt
This session code builds the websocket URL as ws:// or wss:// from the resolved TLS state. If TLS is not required upstream, this is where the client actually opens a cleartext websocket and uses gateway auth.