Looked at most "yellow" (warnings) items - irrelevant at best, misleading, or outright wrong.
Looks like this test grew out of their existing "web site security / encryption" tests, which I know and love and which are good. But trying to extend that to mobile apps didn't quite work as far as I can see.
Like what does it matter if we use "potentially predictable random number generator" in code that animates "bubbles floating up" (on the welcome screen)?
On "clear text database" - that's what Android has, used by almost all apps.
To access it, you'd need to break Android's app isolation (which stores each app's data in a directory that's only accessible by that app). Easy on a rooted phone, but then rooting a phone is a security risk for precisely that reason, and it applies to all apps.
Or take this "exposure of private data in system log":
11-11 16:13:12.966 I/ActivityManager( 1626): START u0 {act=android.intent.action.VIEW dat=https://www.mobisystems.com/... cmp=org.chromium.webview_shell/.WebViewBrowserActivity (has extras)} from uid 10065 on display 0
This log output line is printed by Android, not by the app. So every app trying to launch a web browser would be logged like this - and note that the URL is shown only partially.
There are two kind of borderline items having to do with Random / SecureRandom and although they're borderline - I'll fix them.
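The check behind the system-log point above, as an added example that is not part of the original post: parse the `logcat -v time` header to see which process wrote a line before blaming the app for it. The set of app PIDs and the second sample line are constructed assumptions.

```python
import re

# Layout of `logcat -v time`: MM-DD HH:MM:SS.mmm P/Tag( PID): message
HEADER = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) "
    r"(?P<prio>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\): (?P<msg>.*)$"
)
# ActivityManager's activity-start record, as in the line quoted in the post.
START = re.compile(r"^START u\d+ \{(?P<intent>.*)\} from uid (?P<uid>\d+)")
DATA = re.compile(r"\bdat=(\S+)")

def attribute(line, app_pids):
    """Say which process wrote a logcat line and what it reveals."""
    m = HEADER.match(line)
    if m is None:
        return None
    pid = int(m["pid"])
    rec = {
        "tag": m["tag"].strip(),
        "pid": pid,
        # The PID in the header is the writer; a URL or uid inside the
        # message only tells you what the line is about.
        "writer": "app" if pid in app_pids else "other process",
        "caller_uid": None,
        "data": None,
        "data_truncated": False,
    }
    s = START.match(m["msg"])
    if s:
        rec["caller_uid"] = int(s["uid"])
        d = DATA.search(s["intent"])
        if d:
            rec["data"] = d.group(1)
            rec["data_truncated"] = d.group(1).endswith("...")
    return rec

# First line is the one quoted in the post; the second is constructed.
SAMPLE = [
    "11-11 16:13:12.966 I/ActivityManager( 1626): START u0 {act=android.intent.action.VIEW dat=https://www.mobisystems.com/... cmp=org.chromium.webview_shell/.WebViewBrowserActivity (has extras)} from uid 10065 on display 0",
    "11-11 16:13:13.020 D/ExampleApp( 4321): loaded welcome screen",
]
APP_PIDS = {4321}  # assumption: the app's PID(s), e.g. read from `adb shell pidof <package>`

if __name__ == "__main__":
    for line in SAMPLE:
        print(attribute(line, APP_PIDS))
```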