Again, Be Wary of Random Gradle Projects

Since Google declined to supply Gradle security advice to developers, here is my periodic reminder:

  • Only use the Gradle Wrapper scripts and JAR from a project if you completely trust where they came from (e.g., they were generated by Android Studio when you created the project). In particular, do not use the Gradle Wrapper from an arbitrary project that you grab off of GitHub or elsewhere on the Internet. Delete it or replace it with a locally-generated wrapper (run the gradle wrapper command).

  • Always check the distributionUrl in the gradle-wrapper.properties file before importing a project into Android Studio or using the Gradle wrapper scripts, to see if the URL looks reasonable (e.g., points to gradle.org). Even better, if it has a distributionSha256Sum value, confirm that it is one that matches a known-good Gradle version.
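One way to script the second check (an added example, not code from the original post): it parses gradle-wrapper.properties, verifies that distributionUrl uses https and points at Gradle's own distribution host, and compares any distributionSha256Sum against a list of approved checksums. The trusted-host set and the checksum table are assumptions, and the checksum values are placeholders to be replaced with the ones Gradle publishes.

```python
from urllib.parse import urlparse

# Assumption: Gradle's own distribution host; add only mirrors you control.
TRUSTED_HOSTS = {"services.gradle.org"}
# Known-good SHA-256 per distribution file. CONSTRUCTED PLACEHOLDERS: replace
# with the checksums Gradle publishes for the versions your team approves.
KNOWN_GOOD_SHA256 = {"gradle-8.2-bin.zip": "a" * 64}

def parse_properties(text):
    """Minimal Java .properties parser, enough for gradle-wrapper.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Gradle writes the URL as https\://..., so undo the escaping.
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def check_wrapper_properties(text):
    """Return a list of findings; an empty list means the file looks sane."""
    props = parse_properties(text)
    url = props.get("distributionUrl")
    if not url:
        return ["distributionUrl is missing"]
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(f"distributionUrl does not use https: {url}")
    if parsed.hostname not in TRUSTED_HOSTS:
        findings.append(f"distributionUrl host is not trusted: {parsed.hostname}")
    filename = parsed.path.rsplit("/", 1)[-1]
    pinned = props.get("distributionSha256Sum")
    if pinned is None:
        findings.append("no distributionSha256Sum: the download is not verified")
    elif KNOWN_GOOD_SHA256.get(filename) != pinned.lower():
        findings.append(f"distributionSha256Sum is not known-good for {filename}")
    return findings

# Constructed samples: one pinned to a known-good checksum on Gradle's host,
# one pulling an unverified archive from an unknown host.
GOOD_PROPS = (
    "distributionBase=GRADLE_USER_HOME\n"
    "distributionUrl=https\\://services.gradle.org/distributions/gradle-8.2-bin.zip\n"
    "distributionSha256Sum=" + "a" * 64 + "\n"
)
BAD_PROPS = "distributionUrl=https\\://files.example.test/gradle-8.2-bin.zip\n"
```

Run check_wrapper_properties() on the project's gradle/wrapper/gradle-wrapper.properties before opening it in Android Studio; any non-empty result is a reason to regenerate the wrapper locally instead.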

Otherwise — especially if you decline to use Safe Mode in Android Studio — you may wind up the victim of an attack, as I wrote about 2.5 years ago.

It may also be worthwhile to examine the Gradle plugins and compile-time annotation processors to see if there is anything unusual, though “unusual” is difficult to quantify.