Serve web app locally #4
Description
Problem Statement
Currently the Android app connects to https://app.super-productivity.com to load necessary source code to function. For a ToDo / time tracking app that can and is intended to function locally - except for optional task syncing - that's an unnecessary step, just transferring data that could be leaked and adding attack surface that could be abused.
❔ Possible Solution
The best option would probably be to serve the web app locally and therefore embed all needed files inside the Android app itself. That would prevent the formerly existing connection from being manipulated, spied on or otherwise abused by an attacker.
⤴️ Describe alternatives you've considered
Other alternatives would be:
Give users an option to use a self-hosted instance of the super productivity web app. This wouldn't eliminate the problem completely but users wouldn't have to trust a foreign, uncontrollable and unverifiable web app anymore, because users could set up their own instance or use one they trust. Therefore, the problem would be minimized a bit.
The other option would be to inform the users at the first start of the Android app that a connection to your servers is necessary for super productivity to function properly. This wouldn't avoid the problem, but at least users would know and can actively decide if that's okay with them or not.
➕ Additional context
A pleasant side effect would be that bugs like #3 would probably be avoided :-)
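One way the proposed "serve the web app locally" approach could look on Android, as an added example that is not code from this issue or from the project. It assumes the web build is bundled under `assets/www/` in the APK; `LocalOnlyWebViewClient`, `loadBundledApp` and `allowedHosts` (for the optional sync endpoints) are hypothetical names.

```kotlin
import android.content.Context
import android.webkit.WebResourceRequest
import android.webkit.WebResourceResponse
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.webkit.WebViewAssetLoader
import java.io.ByteArrayInputStream

// Hypothetical client: serves the UI from the APK and refuses every other origin
// unless the host is explicitly allow-listed (e.g. a sync server the user configured).
class LocalOnlyWebViewClient(
    context: Context,
    private val allowedHosts: Set<String> = emptySet() // assumption: empty means fully offline
) : WebViewClient() {

    // Maps https://appassets.androidplatform.net/assets/... onto files in the APK's assets/ directory.
    private val assetLoader = WebViewAssetLoader.Builder()
        .addPathHandler("/assets/", WebViewAssetLoader.AssetsPathHandler(context))
        .build()

    override fun shouldInterceptRequest(view: WebView, request: WebResourceRequest): WebResourceResponse? {
        // Bundled file: answered from the APK, no network traffic.
        assetLoader.shouldInterceptRequest(request.url)?.let { return it }
        // Allow-listed host: returning null lets the WebView perform the request normally.
        if (request.url.scheme == "https" && request.url.host in allowedHosts) return null
        // Anything else (remote scripts, trackers, plain HTTP) gets an empty 403 instead of a fetch.
        return WebResourceResponse(
            "text/plain", "utf-8", 403, "Blocked", emptyMap(),
            ByteArrayInputStream(ByteArray(0))
        )
    }

    // Keep top-level navigation inside the bundled origin.
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
        request.url.host != WebViewAssetLoader.DEFAULT_DOMAIN
}

fun WebView.loadBundledApp(context: Context, allowedHosts: Set<String> = emptySet()) {
    settings.javaScriptEnabled = true   // the web app needs JavaScript
    settings.allowFileAccess = false    // no file:// access; assets are served over the https origin
    settings.allowContentAccess = false // no content:// access
    webViewClient = LocalOnlyWebViewClient(context, allowedHosts)
    // Assumed asset path: assets/www/index.html inside the APK.
    loadUrl("https://${WebViewAssetLoader.DEFAULT_DOMAIN}/assets/www/index.html")
}
```

With an empty `allowedHosts` the WebView never contacts a remote host for code or data; adding a user-chosen sync host is the only way traffic leaves the device.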