
You allow HTTP outgoing in your "secure" app? Of location information, that can lead to someone's safety or life being put in danger if they really buy all your marketing? Why allow outside requests at all in the first place from your app? What if DNS is compromised and someone is tapping into google.com from a local tower/wifi DNS override and sending all Google Maps traffic to their server instead? Shouldn't you be using a proxied call to these outside services through your internal domain as API calls, with a way to verify that someone didn't hijack that connection and isn't imitating it as well? This is all very much security 101 stuff, and I would have expected much better from an app labeling itself as a simple, secure crypto solution.

