I had the same problem and I solved it by turning off the CORS filter (by not using the CORS filter) on Tomcat.
Here is the detail.
(1) If you installed an app using “$ ionic run android” command, turn off the CORS filter on Tomcat.
Android Webview can access any site and it does not have a CORS issue like a regular Chrome browser.
For the same reason, you should not use the CORS filter on your production Tomcat server for the android mobile app accessing your site.
(2) If you installed an app using “$ionic run --livereload android” command during development, turn on the CORS filter on Tomcat.
When using ‘–livereload’ option, the app’s ‘Origin’ HTTP header will be sent with something like “http://localhost:9100”. When Tomcat sees this Origin header with “http://”, it will consider it as CORS access from a browser. So, the CORS filter needs to be turned on on Tomcat. In this case, if the CORS filter is not set up on Tomcat, the access will not be allowed.