Cryptobugs Found in Numerous Google Play Store Apps

I like the idea of testing for more security problems. This seems to generate false positives. But it also looks like it misses potentially serious security problems.

I haven’t looked at the article, only the list of 26 rules. But it looks like they don’t check if apps accept insecure cipher suites or obsolete protocols (like SSLv3 and the soon obsolete TLSv1.0 and TLSv1.1), and if they support modern protocols and cipher suites. This is a particularly big problem for apps from F-Droid (and also on devices without Google’s services), because the Security Provider included by the OS doesn’t get updated.

The only solution right now is to bundle the Conscrypt security provider directly with the app, which is thankfully quite easy (see my example/tutorial), but it means every app needs to bundle it and also grows in size (for example an upcoming F-Droid version of AntennaPod will be a few MB larger than the Play version from bundling Conscrypt). Hopefully it’ll be possible to package Conscrypt through F-Droid and provide it to all apps in the future (ByteHamster wrote a good summary on this idea here).

2 Likes
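As an added illustration of the bundling approach described in the post above (this is not the poster's tutorial code), the snippet below installs Conscrypt as the highest-priority JSSE provider at app startup and then reports which TLS protocol versions the resulting SSLContext enables, flagging any of the obsolete ones the post mentions. The Gradle coordinate, the Application class name and the log tag are assumptions.

```java
// build.gradle (app module), assumed coordinate for the Android artifact:
//   implementation "org.conscrypt:conscrypt-android:<version>"
import android.app.Application;
import android.util.Log;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.conscrypt.Conscrypt;

public class TlsHardenedApplication extends Application {
    private static final String TAG = "TlsCheck"; // assumed log tag
    // Protocol versions the post calls obsolete; their presence is a finding.
    private static final List<String> OBSOLETE = Arrays.asList("SSLv3", "TLSv1", "TLSv1.1");

    @Override
    public void onCreate() {
        super.onCreate();
        // Position 1 puts Conscrypt ahead of the OS-bundled provider, so
        // SSLContext.getInstance("TLS") resolves to the bundled, up-to-date code
        // even on devices whose platform provider never receives updates.
        Security.insertProviderAt(Conscrypt.newProvider(), 1);
        try {
            String[] enabled = enabledProtocols();
            Log.i(TAG, "Provider: " + SSLContext.getInstance("TLS").getProvider().getName());
            Log.i(TAG, "Enabled protocols: " + Arrays.toString(enabled));
            List<String> bad = obsoleteEnabled(enabled);
            if (!bad.isEmpty()) {
                Log.w(TAG, "Obsolete protocols still enabled: " + bad);
            }
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            Log.e(TAG, "Could not inspect TLS configuration", e);
        }
    }

    // Protocol versions a socket from the default TLS context would negotiate.
    static String[] enabledProtocols() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Intersection of the enabled list with the obsolete list, for logging or a test.
    static List<String> obsoleteEnabled(String[] enabled) {
        List<String> found = new ArrayList<>();
        for (String p : enabled) {
            if (OBSOLETE.contains(p)) found.add(p);
        }
        return found;
    }
}
```

Register the class via `android:name` in the manifest's `<application>` element; the same inspection run before the `insertProviderAt` call shows what the unpatched platform provider would have offered.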