Insufficient Transport Layer Security in Android


Similar to the strings and constants embedded in a mobile application, the network communications that an application performs are not safe from eavesdroppers. For this reason, communication between apps and external services (e.g., an API server) must happen over a secure channel.


The adverse impacts of using HTTP instead of HTTPS for sensitive communication range from leakage of sensitive information to sessions being hijacked by an attacker positioned between the victim and the server (a man-in-the-middle).


Application developers should collaborate with their back-end colleagues to ensure that secure communication is adequately implemented in their apps. As an additional safeguard, the back-end team should also make sure that no endpoint is served over plain HTTP.
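On the app side, the standard way to enforce the rule above on Android is the Network Security Configuration, which lets the app declare that cleartext (HTTP) traffic is forbidden so that any accidental `http://` URL fails at the platform level instead of silently leaking data. The following is an added example, not code from the original page; the file names, the placeholder domain `api.example.com`, and the localhost exception for local development are assumptions for illustration.

```xml
<!-- res/xml/network_security_config.xml (example file; path is the Android convention) -->
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Weak setting (do NOT ship): cleartextTrafficPermitted="true" lets any
         http:// request go out unencrypted, which is exactly what this page warns about.
    <base-config cleartextTrafficPermitted="true" />
    -->

    <!-- Hardened setting: refuse all cleartext traffic application-wide.
         Since Android 9 (API 28) this is already the default, but declaring it
         explicitly also protects builds with a lower minSdkVersion. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store; user-added CAs are not trusted. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Per-domain override for the API server (placeholder domain, an assumption):
         HTTPS only, including every subdomain. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>

    <!-- Developer convenience that only applies when android:debuggable="true",
         so release builds are never affected. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

<!-- AndroidManifest.xml: point the <application> element at the config above. -->
<!--
<application
    android:networkSecurityConfig="@xml/network_security_config"
    android:usesCleartextTraffic="false"
    ... >
</application>
-->
```

With this configuration in place, an `HttpURLConnection`, OkHttp, or `WebView` request to an `http://` URL is rejected by the platform rather than transmitted, which gives a quick regression check: any cleartext endpoint left in the code surfaces as a network error during testing instead of as a silent leak in production. The server-side half of the safeguard (redirecting HTTP to HTTPS and serving nothing over port 80 but that redirect) still has to be done by the back-end team, as the text above notes.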