The app references a known trust-all TrustManager or an accept-all HostnameVerifier, which disables TLS authentication and enables MITM.
How it's exploited
A custom TrustManager that returns without checking, or a HostnameVerifier that always says yes, accepts any certificate. Any MITM proxy terminates your "secure" connection with a self-signed cert and reads everything.
Why it matters
TLS becomes decorative: credentials and data are fully exposed to any active network attacker, and app stores reject builds for this.
How to fix it
Delete the trust-all TrustManager/HostnameVerifier (they usually date from a debugging session).
Use the platform defaults; for internal CAs, ship the CA in a network-security-config instead of disabling validation.
Add a CI grep/lint for X509TrustManager overrides so the trust-all code cannot be reintroduced.
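One way to implement the CI check from the last step, as an added example that is not part of the original finding text: a Python scanner that fails the build when Java or Kotlin source contains a checkServerTrusted with an empty body or a HostnameVerifier that only returns true. The regex rules, the function names and the sample source are assumptions of this example, and the rules are heuristics that will not catch every variant.

```python
import re
import sys
from pathlib import Path

# Heuristic rules: assumptions of this example, not a complete rule set.
RULES = {
    # checkServerTrusted with an empty or return-only body accepts any chain.
    "trust-all-trustmanager": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?"
        r"(?:\{\s*(?:return\s*;?\s*)?\}|=\s*Unit\b)"),
    # Two-argument verify() or a verifier lambda that only yields true.
    "accept-all-hostnameverifier": re.compile(
        r"verify\s*\([^(),]*,[^(),]*\)\s*(?::\s*Boolean\s*)?"
        r"(?:\{\s*return\s+true\s*;?\s*\}|=\s*true\b)"
        r"|hostnameVerifier\b[^;\n]*?\(?\s*\w+\s*,\s*\w+\s*\)?\s*->\s*true\b", re.I),
}
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def scan_source(text):
    """Return sorted (line, rule) findings for one Java/Kotlin source string."""
    # Blank out comments but keep newlines so reported line numbers stay correct.
    code = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), text)
    hits = [(code.count("\n", 0, m.start()) + 1, name)
            for name, rx in RULES.items() for m in rx.finditer(code)]
    return sorted(hits)

def scan_tree(root):
    """Scan every .java/.kt file under root; return (path, line, rule) tuples."""
    return [(str(p), line, rule)
            for p in sorted(Path(root).rglob("*")) if p.suffix in (".java", ".kt")
            for line, rule in scan_source(p.read_text(errors="replace"))]

# Constructed sample input (not taken from any real app).
SAMPLE_BAD = """class Net {
  TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) { /* debug */ }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
  };
  HostnameVerifier hv = (host, session) -> true;
}
"""

if __name__ == "__main__":
    found = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
             else [("<sample>", *hit) for hit in scan_source(SAMPLE_BAD)])
    for path, line, rule in found:
        print(f"{path}:{line}: {rule}")
    sys.exit(1 if found else 0)  # non-zero exit fails the CI job
```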