I must confess that at this point I have neither investigated the client/server transaction with a packet sniffer nor have I taken a look at the source code for the app. The first thing I thought to look for was what was happening on the server side.
I looked to the FAQ to see what was going on with the JSON interface that apps like that viewer use. So now I tried running that URL through cURL:
Code: Select all
$ curl -v http://xkcd.com/info.0.json
* Trying 220.127.116.11...
* Connected to xkcd.com (18.104.22.168) port 80 (#0)
> GET /info.0.json HTTP/1.1
> Host: xkcd.com
> User-Agent: curl/7.45.0
> Accept: */*
* HTTP 1.0, assume close after body
< HTTP/1.0 301 Moved Permanently
< Server: Varnish
< Retry-After: 0
< Location: https://xkcd.com/info.0.json
< Content-Length: 0
< Accept-Ranges: bytes
< Date: Mon, 30 Jan 2017 18:31:49 GMT
So the Location header indicates a redirect to the https version with that host and path. Now with cURL pointing to that new URL, I find a JSON blob with this value for the img key: "http://imgs.xkcd.com/comics/bird_plane_superman.png". Hmm--it has "http" and not either "https" or an omitted scheme altogether. Do I find evidence of a recent adoption of a policy to redirect http to https? This means that every request from a client would result in four requests: 1. original request for JSON, 2. redirected request for JSON, 3. http request for image, 4. redirected request for image.
My guess is that the Android app does not expect the redirect. Is that the case or did the specification of the JSON change?
Besides that, why would it be that the main website, which requires no login, would require a redirect to an encrypted transport whereas the forums, which do require logins to post, don't even support https?