Security Vulnerability in Infinite Design Android app

# Title: Infinite Design - Cleartext Transmission of username and password
# Application: Infinite Design
# Version: 3.4.12
# Software Link: https://play.google.com/store/apps/details?id=com.brakefield.idfree
# Company: Infinite Studio Mobile
# Installs: 5,000,000+
# Impact: Anyone watching the network packet can obtain a username and password.
# Category: Mobile Apps
# Tested on : Android 9

---Description---
Infinite Design, the popular Art app downloaded more than 5 millions, sends username and password via TCP without any encryption during login. So, anyone watching the network packet can obtain a username and password. It is critical, especially in mobile phones, because mobile phones are usually used in an insecure environment such as public WiFi.

---Vendor feedback---
After reporting, the vendor have quickly fixed this problem and released a new version.

---PoC---
1. Try to login with Infinite Design, Android app.
    - Going to Settings
    - Enter credentials. Fake information is enough for reproducing.

2. Sniffing network packet with any capturing tool.
   - the captured HTTP POST message contains user email and password.

  Hypertext Transfer Protocol
    POST /users/index.php HTTP/1.1\r\n
    Content-Type: application/x-www-form-urlencoded\r\n
    charset: utf-8\r\n
    Content-Length: 63\r\n
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; ...)\r\n
    Host: www.seanbrakefield.com\r\n
    Connection: Keep-Alive\r\n
    Accept-Encoding: gzip\r\n
    \r\n
    [Full request URI: http://www.seanbrakefield.com/users/index.php]
    [HTTP request 1/1]
    [Response in frame: 662]
    File Data: 63 bytes
  HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "tag" = "login"
    Form item: "email" = "jaeho.lee@rice.edu"
    Form item: "password" = "MyPasswordIsHere!"


---Reporter---
Jaeho Lee(Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University