The app allows unencrypted HTTP. Traffic can be read or modified by anyone on the network path.
How it's exploited
On shared Wi-Fi (a cafe, hotel, or airport), or from any compromised hop on the route (a rogue router, a captive portal), an attacker runs a passive sniffer or an ARP-spoofing proxy. Every HTTP request the app makes, including session tokens and form data, is readable and modifiable in flight; no certificate warning or other user-visible signal is triggered, because there was never a TLS handshake to fail.
Why it matters
Account takeover via stolen session tokens, silent data tampering, and injected responses that can drive phishing inside your own app.
How to fix it
Set android:usesCleartextTraffic="false" on the <application> element. This flag is the only control available on API 23, and on API 24+ it is ignored whenever a network security config is present, so it complements the next step rather than replacing it.
Ship a network security config (referenced via android:networkSecurityConfig on <application>) whose <base-config> sets cleartextTrafficPermitted="false". The platform default only became "false" for apps targeting API 28+, and any <domain-config cleartextTrafficPermitted="true"> reopens cleartext for that domain, so review every domain-config as well as the base.
Move every remaining http:// endpoint to HTTPS. For local development, permit cleartext only for the specific dev host (for example the emulator's 10.0.2.2 host-loopback alias) through a <domain-config> in a debug-only resource set, never through a global setting; <debug-overrides> covers trust anchors only and cannot relax cleartext.
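The three steps above combined into the two files they touch. This is an added illustration, not configuration taken from the app under review; the package name com.example.app and the Gradle source-set paths (res/xml/ for the release config, src/debug/res/xml/ for the debug override) are assumptions, as is the choice of 10.0.2.2 as the only development host.

```xml
<!-- AndroidManifest.xml (only the attributes relevant to this finding; package name is a placeholder) -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application
        android:usesCleartextTraffic="false"
        android:networkSecurityConfig="@xml/network_security_config">
        <!-- activities, services, providers unchanged -->
    </application>
</manifest>

<!-- res/xml/network_security_config.xml: picked up by release builds. -->
<!-- base-config applies to every host not matched by a domain-config; there are none here,
     so no destination may be reached over cleartext HTTP on API 24+. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
</network-security-config>

<!-- src/debug/res/xml/network_security_config.xml: replaces the file above in the
     debug build variant only (Gradle source-set resource merging; assumed layout). -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <!-- Cleartext is re-enabled for exactly one host: the emulator's alias for the
         developer machine. Production hostnames never appear here. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">10.0.2.2</domain>
    </domain-config>
</network-security-config>
```

To verify the release configuration, make a deliberate http:// request from a build that carries the release config: HttpURLConnection fails with "Cleartext HTTP traffic to <host> not permitted" and OkHttp with "CLEARTEXT communication to <host> not permitted by network security policy". These policies are enforced by the platform stack, WebView, and libraries that consult NetworkSecurityPolicy; a custom or native HTTP client bundled with the app is not bound by them and has to be audited separately.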