The app sent unencrypted HTTP requests during the run. Anyone on the network path can read or modify this traffic.
How it's exploited
The scanner watched the app send real HTTP requests during the run. On any shared network those exact requests are readable and modifiable by an on-path attacker; this is observed behavior, not a code-path guess.
Why it matters
Whatever rode in those flows (tokens, identifiers, content) is exposed in transit today.
How to fix it
Open the captured flows in the finding evidence and switch each endpoint to HTTPS.
Then block cleartext traffic platform-wide (usesCleartextTraffic=false on Android, App Transport Security, ATS, on iOS) so regressions fail loudly in QA.