Dear Sir,

This is not a Vulnerability when you need to install payload that essentially reverse engineers source code to make it work in a manner it is not supposed to. It is actually, sadly, a very poor attempt at finding a bug. Here are the errors you have made. The product is off the market, and unsupported. I offered it FREE as a goodwill service/app and you have destroyed that.

1. It requires another piece of software to reverse engineer and access the functionality. I could do this to any Android application. Any Internet address can be changed. Tell me your Android Apps please.

2. I appreciate genuine Intel but it is incorrect. As you are factually wrong about the sendemail string. This is misleading and deceptive. Did you actually send an email? The server ignores the To field.

3. If you knew anything about programming you would know that any URL https or not can be intercepted in a local environment by a MITM attack. The IP address URL is at worst going to report to me a wrong value as it does not display so it cannot execute it, so it is not susceptible to XSS without hacking.

4. I have already tracked you previously hacking into my server via a staged event. This is "unauthorised access" and is not ethical hacking or legal. However, if you had good intent I thank you, but it is superfluous to require an App to have even worse malware next to it to exploit minor functionality and claim it is even vulnerable.

5. Without additional execution code and hacking that is not considered a vulnerability you cannot run an exploit as described.

6. You are wrong as you didn't read the instructions that state not to use an internal IP address. It works fine on external IPs. This is also misleading and deceptive conduct. You are also wrong as the _0_ would be a string of ports with a string of information at their consent they optionally can provide if they want a FREE phone call to verify I am talking about the right phone and the right person.
I have evidence of people using it as normal. Tell me some of your Apps if you know how to programme and if you consider this a vulnerability, I'll have a field day.

7. I don't see this as valid. If it was I'd thank you. It is a poor attempt, and unworthy. I don't endorse criminal activity. Perhaps you should learn about Australian law. Any hacker who has dealt with me will face the law shortly as many you know are already under investigation.

8. I've been programming for 27 years since a child. You don't build an app thinking criminals will be dismantling it, however in catching cybercriminals if it is your ethics to breach the Google Play Store Terms and Conditions and attempt to claim a non vulnerability, then that is for you.

9. I am very ethical in what I do and have never been more disgusted than witnessing the damage to the industry your type have done.

10. I have had people solve problems when they used the application properly and I don't have ads and don't even charge to help them.

11. I have all the information I need. There is no vulnerability because I'm withdrawing the App as I don't give in to criminal extortion attempts. I'm afraid the excuse of research is not a legal excuse for hacking.

12. This conversation is commercial in confidence and without prejudice. If you release it to anyone, I'll sue you.

13. Now you know you are factually wrong about email, factually wrong about it not reporting because you can't read the App usage instructions, factually wrong about it being a vulnerability as someone has to physically install malicious software on the device to make it do anything (as not everyone uses WiFi) and if they are doing that they can do far worse than visit a website with that malicious software which defeats the purpose, and factually wrong about the laws in Australia, about "without authorisation".

15. I've trained ethical hacking, and this is by far not ethical.

16. I don't underestimate anyone. I advise you to do the same.
Finally, if any statement you have made, since it is both misleading and deceptive, and "without authorisation", will land you a summons.

17. You just hurt the community, not helped it. They now have no free service - the App is gone. There is no vulnerability to report. There is no live advertised App.

18. You are under investigation. I know who you are, your websites. Let's see your Enterprise APPlications if you know how to programme.

19. You confronted me, I did nothing to you. I have history of you accessing my server also "without authorisation".

Thanks for your input to the community. Any App on the AppStore can be modified to change any string or even replaced with any malicious App. That is called hacking. You should check your terms. I'll be watching for even a whisper of this misleading unethical conduct. You cannot report a "vulnerability" of a non-live app, but you can always report a crime and misleading and deceptive conduct and unconscionable conduct. You have brought even the ethical hacking community into disrepute.

Simon