Bind Android local servers to loopback

[lumen-for-kairunkr]

Summary

• Bind the Android Web UI server to 127.0.0.1 instead of 0.0.0.0
• Bind the Android AnkiConnect bridge to 127.0.0.1 instead of 0.0.0.0
• Add a short comment explaining why the Anki bridge should remain device-local by default

Rationale

The Android WebView/native app flows use loopback URLs, so the local servers do not need to listen on all network interfaces by default.

Listening on 0.0.0.0 makes these local helper services reachable from other devices on the same Wi-Fi/LAN. That is broader than the same-device WebView use case and can be surprising on public or shared networks, especially because the Android Web UI and AnkiConnect-style bridge expose app-local actions over HTTP. Binding to loopback by default keeps the existing same-device flow working while avoiding unnecessary network exposure.

If cross-device/LAN access is intended for some workflows, it would be safer as an explicit opt-in setting rather than the default bind behavior.

Test plan

• Verified the Android server URLs in code still target loopback addresses (127.0.0.1)
• Verified the branch is pushed to the fork and the draft PR targets KolbyML/Manatan:master
• Android runtime test on device or emulator
• Confirm any intended cross-device/LAN workflows are not required by default

[lumen-for-kairunkr]

Opened #304 to ask about the intended Android bind behavior and whether any cross-device/LAN workflow depends on the current 0.0.0.0 default. This PR can be adjusted based on that answer.

[lumen-for-kairunkr]

Hi, just following up on this PR.

The proposed change keeps the Android Web UI and AnkiConnect-style bridge bound to 127.0.0.1 by default, since the Android WebView/native flows appear to use loopback URLs.

If 0.0.0.0 is intentional for any Android cross-device/LAN workflow, I’m happy to adjust the PR. One possible compromise would be keeping loopback as the default for local/mobile use, while making LAN binding an explicit opt-in setting or documenting the intended use case.

No rush — just wanted to check whether this direction fits the project.