This has been in corona for a long time. I would open up a defect to fix it. I would change it but I don’t know what would be sufficient.
I might be wrong but it looks like the Android template is using something very permissive:
Usually, on my native apps, I have this:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
...
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">127.0.0.1</domain>
</domain-config>
...
</network-security-config>