Connect version 4.20 broke local http access?

An exception was added for 127.0.0.1 but not for the "localhost" domain. My fault for poorly communicating the solution--as I'm sure we're all aware, these are commonly used interchangeably, but they're not quite the same. I've edited the solution above for accuracy.

For folks like Horsetooth, is "localhost" explicitly required? I understand that not everyone here controls/develops the mobile apps being leveraged by their Connect IQ apps, so there may not be an option to use anything other than "localhost" in those cases, correct?

An exception was added for 127.0.0.1 but not for the "localhost" domain. My fault for poorly communicating the solution--as I'm sure we're all aware, these are commonly used interchangeably, but they're not quite the same. I've edited the solution above for accuracy.

For folks like Horsetooth, is "localhost" explicitly required? I understand that not everyone here controls/develops the mobile apps being leveraged by their Connect IQ apps, so there may not be an option to use anything other than "localhost" in those cases, correct?

Totally agree. That's exactly what's happening here.

I don't have any skin in the non localhost issue, but if I understand you  find right,I it very concerning that Garmin thinks it's ok to allow http traffic to their own domains but doesn't think anyone else should be using it.

Brandon,

the fix which has been made is a change the se, becurity_config_xml to 

however as stated before in this thread: If you change to 

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
</network-security-config>

all uses cases in this thread are fixed, because HTTP is allowed again. This is supported by Google (https://developer.android.com/training/articles/security-config),  see section <base config>

can you please reconsider your solution?

Good to hear—if anyone else must use "localhost", please let us know.

I acknowledge that there's room to improve between GCM and the Connect IQ team, but they've generally worked well with us, particularly in more recent times. I think this particular issue was glaringly bad for a number of reasons that have already been discussed. Despite some of the recent turmoil, I'm optimistic that we can do things better.

There are internal beta testing teams for GCM, but it hasn't been well-coordinated with Connect IQ to regularly verify CIQ-related fixes. I'm going to see what I can do to work on that.

For my apps I explicitly used 127.0.0.1, although users can type localhost in, they don't need to, so current gcm is acceptable. What is unacceptable to me is the lack of what seems like it should be basic networking and/or Android knowledge on behalf of the folks doing gcm. And in addition they should be beta testing their releases to developers at a minimum. Imo there needs to be a whole new layer of accountability of gcm to connect iq.