diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 86481da815..e87a5b35cf 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -18,6 +18,7 @@ lint:
 export CHANGED="$CHANGED $appid";
 grep -q "^Repo *Type\W *git" $f && git -C build clone `sed -n "s,^Repo *:,,p" $f` $appid;
 done;
+ ./tools/audit-gradle.py $CHANGED;
 fi
 - export EXITVALUE=0
 - fdroid lint -f $CHANGED || {
diff --git a/tools/audit-gradle.py b/tools/audit-gradle.py
new file mode 100755
index 0000000000..a001d3c64f
--- /dev/null
+++ b/tools/audit-gradle.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+
+
+import os
+import re
+import sys
+
+# find all repositories that use plain HTTP urls (e.g. not HTTPS)
+url_pattern = re.compile('repositories\s*{[^}]*http://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+[^}]*}', re.DOTALL)
+
+exit_value = 0
+for appid in sys.argv:
+ gitdir = os.path.join('build', appid)
+ if not os.path.isdir(gitdir):
+ continue
+ for root, dirs, files in os.walk(gitdir):
+ for f in files:
+ if f.endswith('.gradle'):
+ path = os.path.join(root, f)
+ with open(path) as fp:
+ data = fp.read()
+ for url in url_pattern.findall(data):
+ print('Found plain HTTP URL for gradle repository:\n%s\n%s'
+ % (path, url))
+ exit_value += 1
+
+if exit_value:
+ print('gradle build uses plain HTTP URLs for repositories! This is insecure!')
+ print('https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/')
+sys.exit(exit_value)
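Review bot: The new `./tools/audit-gradle.py $CHANGED;` call runs before `export EXITVALUE=0` and is not chained with the `|| { … }` accumulation that the `fdroid lint` step below uses, so a finding's nonzero exit is either ignored or, under GitLab's errexit shell, presumably aborts this script item before the remaining lint steps run. Moving the call after `export EXITVALUE=0` and writing it as `./tools/audit-gradle.py $CHANGED || EXITVALUE=1;` would make the failure explicit and consistent with the rest of the job. `$CHANGED` is deliberately unquoted so each app id becomes a separate argument, which is worth a short comment since it looks like a quoting slip. The enclosing `if`/`for` of this shell fragment starts outside the hunk.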
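Review bot: `sys.exit(exit_value)` passes the raw finding count through as the process status, which POSIX truncates to 8 bits, so exactly 256 (or any multiple) findings would exit 0 and let the CI job pass; `sys.exit(1 if exit_value else 0)` keeps the count for the printed report but makes the status reliable. `for appid in sys.argv:` also iterates `sys.argv[0]`, the script's own path, which only happens to be skipped because `build/./tools/audit-gradle.py` is not a directory — iterate `sys.argv[1:]` instead. `open(path)` uses the locale encoding, so one non-UTF-8 byte in any `.gradle` file raises UnicodeDecodeError and aborts the whole audit with a traceback instead of a finding; `open(path, encoding='utf-8', errors='replace')` keeps the scan going. The pattern string is not raw (`\s`, `\(`, `\)` are flagged as invalid escapes by newer Pythons) and `[$-_@.&+]` is a `$`..`_` range rather than the three literal characters it reads as, which is probably not what was meant; `r'...'` and `[$\-_@.&+]` are the intended forms. Only files ending in `.gradle` are scanned, so Kotlin DSL `build.gradle.kts` files are not audited — worth a comment if that is intentional.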