diff --git a/Cargo.lock b/Cargo.lock
index 59ac4cc..6727229 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2186,7 +2186,7 @@ dependencies = [
 [[package]]
 name = "mhrv-rs"
-version = "1.2.3"
+version = "1.2.4"
 dependencies = [
 "base64 0.22.1",
 "bytes",
diff --git a/Cargo.toml b/Cargo.toml
index f21dca0..1b5f03d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mhrv-rs"
-version = "1.2.3"
+version = "1.2.4"
 edition = "2021"
 description = "Rust port of MasterHttpRelayVPN -- DPI bypass via Google Apps Script relay with domain fronting"
 license = "MIT"
diff --git a/README.md b/README.md
index 689bcb6..83425a7 100644
--- a/README.md
+++ b/README.md
@@ -49,7 +49,9 @@ For a handful of Google-owned domains (`google.com`, `youtube.com`, `fonts.googl
 Linux (x86_64, aarch64), macOS (x86_64, aarch64), Windows (x86_64), **Android 7.0+** (universal APK covering arm64, armv7, x86_64, x86). Prebuilt binaries on the [releases page](https://github.com/therealaleph/MasterHttpRelayVPN-RUST/releases).
-**Android users** — grab `mhrv-rs-android-universal-v*.apk` and follow the full walk-through in [docs/android.md](docs/android.md) (English) or [docs/android.fa.md](docs/android.fa.md) (فارسی). The Android build runs the exact same `mhrv-rs` crate as the desktop (via JNI) and adds a TUN bridge via `tun2proxy`, so every app on the device routes through the proxy without per-app configuration.
+**Android users** — grab `mhrv-rs-android-universal-v*.apk` and follow the full walk-through in [docs/android.md](docs/android.md) (English) or [docs/android.fa.md](docs/android.fa.md) (فارسی). The Android build runs the exact same `mhrv-rs` crate as the desktop (via JNI) and adds a TUN bridge via `tun2proxy`, so every app on the device routes its IP traffic through the proxy without per-app configuration.
+
+> **Important Android caveat (issues #74 / #81):** while TUN captures all IP traffic, _HTTPS_ traffic from third-party apps still only works for apps that trust user-installed CAs. From Android 7 onward (which covers all supported devices — `minSdk = 24`), apps must opt in via `networkSecurityConfig` to trust the MITM CA we install. **Chrome and Firefox do**; **Telegram, WhatsApp, Instagram, YouTube, banking apps, games** do not. For those apps, either use `PROXY_ONLY` mode and point their in-app proxy at `127.0.0.1:1081` (SOCKS5), use `google_only` mode (no CA required, Google services only), or set `upstream_socks5` to an external VPS. This is an Android security design, not a bug in this client — same limit applies to every other MITM proxy on the platform.
 ## What's in a release
diff --git a/android/app/build.gradle.kts b/android/app/build.gradle.kts
index be27c4c..f803199 100644
--- a/android/app/build.gradle.kts
+++ b/android/app/build.gradle.kts
@@ -14,8 +14,8 @@ android {
 applicationId = "com.therealaleph.mhrv"
 minSdk = 24 // Android 7.0 — covers 99%+ of live devices.
 targetSdk = 34
- versionCode = 123
- versionName = "1.2.3"
+ versionCode = 124
+ versionName = "1.2.4"
 // Ship all four mainstream Android ABIs:
 // - arm64-v8a — 95%+ of real-world Android phones since 2019
diff --git a/docs/changelog/v1.2.4.md b/docs/changelog/v1.2.4.md
new file mode 100644
index 0000000..c2a1249
--- /dev/null
+++ b/docs/changelog/v1.2.4.md
@@ -0,0 +1,8 @@
+
+• سخت‌کردن range-parallel: اعتبارسنجی هدر `Content-Range` قبل از دوختن پاسخ‌های ۲۰۶. پاسخ‌های نامعتبر دیگه به صورت ۲۰۰ OK جعلی ترکیب نمی‌شن — probe نامعتبر به GET تکی برمی‌گرده، چانک‌های نامعتبر به پاسخ probe برمی‌گرده (PR #78)
+• رد configهایی که HTTP و SOCKS5 رو روی یک پورت تنظیم کرده‌اند قبل از bind failure زمان اجرا. هم در load config و هم در فرم UI چک می‌شه (PR #79)
+• یادداشت README درباره محدودیت user-CA اندروید 7+ — اپ‌هایی مثل Telegram / WhatsApp / Instagram به CA ما اعتماد نمی‌کنن، برای اون‌ها از PROXY_ONLY یا upstream_socks5 استفاده کنید (issues #74 #81)
+---
+• Range-parallel hardening: validate `Content-Range` before stitching 206 responses. Invalid responses no longer combine into a fake 200 OK — invalid probe falls back to a normal single GET, invalid later chunks fall back to the probe response (PR #78)
+• Reject configs that set HTTP and SOCKS5 to the same port before the runtime bind failure. Enforced both at config-load time and in the UI form (PR #79)
+• README note on the Android 7+ user-CA trust limit — apps like Telegram / WhatsApp / Instagram don't trust user-installed CAs, use PROXY_ONLY or upstream_socks5 for those (issues #74 #81)