Is the default Android app actively maintained at the moment?

Yeah, that just seems like a horrible decision, one that actually introduces a security vulnerability. Now any app can just start listening on port 8384 and wait for the Syncthing app to start to get the API key. Then it can let Syncthing start, and use the API key to make any changes it wants, like add new devices, which would let it read and write data to all Syncthing folders.

For reference, syncthing-fork disables TLS on old Android versions, but keeps it enabled on supported versions. That is not ideal because it still leaves some devices vulnerable, but much better than disabling TLS completely.

Sorry @AudriusButkevicius I was giving you the benefit of the doubt, but now I really feel like the app would be in better hands with @Catfriend1 as maintainer.

Edit: The problem is not mainly about making a change to disable TLS. The problem is with arguing that code reviews are important for security, and then quietly merging and releasing something that obviously makes security worse, without any review at all.