oeffi/oeffi/res/xml/network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <!-- Most public transport authorities have their servers configured securely these days. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- This is the hall of shame: public transport authorities which still do not support HTTPS. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">android.vrsinfo.de</domain><!-- VRS -->
        <domain includeSubdomains="false">wojhati.rta.ae</domain><!-- RTA Dubai -->
        <domain includeSubdomains="false">appefa10.verbundlinie.at</domain><!-- STV -->
        <domain includeSubdomains="false">railteam.hafas.eu</domain><!-- Railteam -->
        <domain includeSubdomains="false">mobil.vbl.ch</domain><!-- VBL -->
    </domain-config>

</network-security-config>