We take the security of Radio seriously. If you believe you have found a security vulnerability, please report it via GitHub Issues before disclosing it publicly.
Create a new security issue: GitHub Issues — Security. We will acknowledge your report within 48 hours and work with you to understand and address the issue.
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected versions (if known)
- Potential impact
- Any suggested fixes (optional)
We appreciate responsible disclosure and will credit researchers who report valid security issues (unless you prefer to remain anonymous).
| Version | Supported |
|---|---|
| > 14.5 | ✅ |
| < 14.5 | ❌ |
Only the latest stable release receives security updates. Users on older versions are encouraged to update.
Radio streams audio over the internet and connects to the radio-browser.info API for station search. The app allows cleartext HTTP traffic for radio stream compatibility (required for many legacy radio stations).
- Station data (names, images, stream URLs) is fetched from radio-browser.info's public API
- Station lists are stored locally on the device only
- No personal data is collected or transmitted to michatec servers
- Usage data is not collected
Radio requests only the permissions necessary for core functionality:
- `INTERNET` — stream radio and fetch station metadata
- `ACCESS_NETWORK_STATE` — detect connectivity changes
- `FOREGROUND_SERVICE_MEDIA_PLAYBACK` — maintain playback when the app is backgrounded
- `WAKE_LOCK` — prevent the device from sleeping during playback
Radio uses several third-party libraries. Dependency updates, including those that fix security issues, are monitored via Renovate bot. Key dependencies include:
- AndroidX Media3 / ExoPlayer (media playback)
- Google Cast SDK (Chromecast support)
- Volley (HTTP requests)
The app can import M3U/PLS playlist files from external sources. Files are processed locally and stream URLs are validated before playback. Station images are downloaded from radio-browser.info and cached locally.
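The page does not say which checks the validation performs. The following is an added illustration, not Radio's own code, of one way to extract and validate stream URLs from imported M3U or PLS text. The function names, the sample playlists and the rule "absolute `http`/`https` URL with a host" are assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: http stays allowed for legacy streams

def is_valid_stream_url(candidate: str) -> bool:
    """Accept only absolute http(s) URLs with a host, a sane port and no control chars."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return False
    try:
        parts = urlsplit(candidate)
        _ = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)

def extract_stream_urls(playlist_text: str) -> list[str]:
    """Return the validated stream URLs from M3U or PLS text; drop everything else."""
    urls = []
    for raw in playlist_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue  # blank line, M3U directive/comment, or PLS section header
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and key.startswith("file") and key[4:].isdigit():
            line = value.strip()  # PLS entry such as File1=http://...
        elif sep and "://" not in key:
            continue  # other PLS keys: Title1=, Length1=, NumberOfEntries=, Version=
        if is_valid_stream_url(line):
            urls.append(line)
    return urls

# Constructed sample playlists (not taken from the app or from any real station).
SAMPLE_M3U = """#EXTM3U
#EXTINF:-1,Example FM
http://stream.example.org:8000/live
file:///data/local/secret.txt
javascript:alert(1)
https://radio.example.net/hi.mp3?token=abc
"""
SAMPLE_PLS = """[playlist]
NumberOfEntries=2
File1=http://stream.example.org/pls
Title1=Example
File2=content://media/external/1
Version=2
"""

if __name__ == "__main__":
    print(extract_stream_urls(SAMPLE_M3U))
    print(extract_stream_urls(SAMPLE_PLS))
```

Entries using `file:`, `content:` or `javascript:` are dropped before anything reaches the player, so an imported playlist cannot point playback at local files or other apps' content providers.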
Security patches are delivered via normal app update channels (GitHub Releases, automated update notifications). Critical vulnerabilities may trigger an out-of-band security update.
- General issues: GitHub Issues
- Project maintainer: @michatec