Critical: The TLS client disables hostname verification in HttpClient.java line 128. Certificate chain validation still runs, but the app will accept a certificate for the wrong host. That makes MITM feasible for every backend interaction: login, bearer-token exchange, sync, upload, and download.
@guruz
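A regression guard for this class of finding, as an added example that is not code from the project or from the comment above. `ACCEPT_ALL` is an assumed shape of a verifier that disables hostname checks (the actual code at line 128 is not shown here), and the class and method names are hypothetical.

```java
import java.lang.reflect.Proxy;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;

public class HostnameCheckDemo {
    // Weak setting (assumed shape of the finding): every host name is accepted.
    static final HostnameVerifier ACCEPT_ALL = (host, session) -> true;

    // SSLSession stand-in that carries no certificate data, so a verifier
    // that really compares host name and certificate can never succeed on it.
    static SSLSession emptySession() {
        return (SSLSession) Proxy.newProxyInstance(
                SSLSession.class.getClassLoader(),
                new Class<?>[] {SSLSession.class},
                (proxy, method, methodArgs) -> {
                    throw new UnsupportedOperationException(method.getName());
                });
    }

    // True when the verifier accepts a host it has no evidence for.
    static boolean acceptsAnyHost(HostnameVerifier verifier) {
        try {
            return verifier.verify("mismatch.invalid", emptySession());
        } catch (RuntimeException e) {
            return false; // it tried to read the session: not an accept-all verifier
        }
    }

    // Corrected setting for clients built on SSLSocket or SSLEngine:
    // the host name is checked against the certificate during the handshake.
    static SSLParameters withEndpointIdentification(SSLParameters params) {
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    public static void main(String[] args) {
        System.out.println("accept-all verifier flagged: " + acceptsAnyHost(ACCEPT_ALL));
        System.out.println("platform default verifier flagged: "
                + acceptsAnyHost(HttpsURLConnection.getDefaultHostnameVerifier()));
        SSLParameters params = withEndpointIdentification(new SSLParameters());
        System.out.println("endpoint identification: "
                + params.getEndpointIdentificationAlgorithm());
    }
}
```

Calling `acceptsAnyHost` on whatever verifier the client is configured with, from a unit test, fails the build if hostname verification is switched off again.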