danger_on is true for assets' provider
Providers present in the assets file are able to bypass all SSL errors (because danger_on is true when they are added).
If anybody could tamper our apk to insert a new providers' file (I know it's possible, due to Android package signing bug revealed some days ago), leap_android could connect to any url bypassing SSL errors.
I don't know why isec did not see this :s
(from redmine: created on 2013-08-14, closed on 2013-10-04)