I've also reported this to Moodle project on MDL-69203 since the change will need to happen in Moodle.
Tested on https://school.moodledemo.net and the latest 3.9 moodle app.
With the latest update to the Moodle app it now respects CORS headers, these are sent on web service requests but not on the requests made under admin/tool/mobile/ directory and /lib/ajax/service.php file.
This causes SSO login to not be made available as a choice as it can't make the initial requests.
Here's an example:
Steps to reproduce:
- Download official moodle app
- Connect to device with adb logcat
- Configure site to be school.moodledemo.net
- Close and reopen app
- Look in logcat to see failing requests