Again, Be Wary of Random Gradle Projects
Since Google declined to supply Gradle security advice to developers, here is my periodic reminder:
Only use the Gradle Wrapper scripts and JAR from a project if you completely trust where they came from (e.g., they were generated by Android Studio when you created the project). In particular, do not use the Gradle Wrapper from an arbitrary project that you grab off of GitHub or elsewhere on the Internet. Delete it or replace it with a locally-generated wrapper (via the gradle wrapper command).
Always check the distributionUrl in the gradle-wrapper.properties file before importing a project into Android Studio or using the Gradle wrapper scripts, to see if the URL looks reasonable (e.g., points to gradle.org). Even better, if it has a distributionSha256Sum value, confirm that it is one that matches a known-good Gradle version.
Otherwise, especially if you decline to use Safe Mode in Android Studio, you may wind up the victim of an attack, as I wrote about 2.5 years ago.
It may also be worthwhile to examine the Gradle plugins and compile-time annotation processors to see if there is anything unusual, though "unusual" is difficult to quantify.
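As an added example (not code from the original post), here is a small check that automates the distributionUrl and distributionSha256Sum review described above: it parses gradle-wrapper.properties, confirms the download host is the official Gradle host, and compares the declared checksum against a table of known-good values. The trusted host, the checksum table contents and the sample properties file are assumptions or constructed placeholders, not values from the post.

```python
from urllib.parse import urlparse

# Known-good SHA-256 per Gradle distribution file. The digest below is a
# CONSTRUCTED placeholder; fill this in from Gradle's published release
# checksums before using the check for real.
KNOWN_GOOD_SHA256 = {
    "gradle-8.4-bin.zip": "0" * 64,  # placeholder, not the real checksum
}
TRUSTED_HOSTS = {"services.gradle.org"}  # assumed official download host

def parse_wrapper_properties(text):
    """Parse key=value lines; undo the Java-properties escape of ':' as '\\:'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def check_wrapper(text):
    """Return a list of findings; an empty list means the file looks sane."""
    props = parse_wrapper_properties(text)
    url = props.get("distributionUrl")
    if not url:
        return ["distributionUrl is missing"]
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(f"distributionUrl is not https: {url}")
    if parsed.hostname not in TRUSTED_HOSTS:
        findings.append(f"untrusted distribution host: {parsed.hostname}")
    filename = parsed.path.rsplit("/", 1)[-1]
    declared = props.get("distributionSha256Sum")
    expected = KNOWN_GOOD_SHA256.get(filename)
    if declared is None:
        findings.append("no distributionSha256Sum; the wrapper will not verify the download")
    elif expected is None:
        findings.append(f"no known-good checksum on file for {filename}; verify manually")
    elif declared.lower() != expected:
        findings.append(f"distributionSha256Sum does not match the known-good value for {filename}")
    return findings

# Constructed sample: a wrapper pointing at an unknown host with a bogus checksum.
SUSPICIOUS = """distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://downloads.example.invalid/gradle-8.4-bin.zip
distributionSha256Sum=deadbeef
"""
```

Running check_wrapper on the constructed sample flags both the unexpected host and the checksum mismatch; a file pointing at services.gradle.org with a checksum present in the table yields no findings.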