Current download of piwik 13.x comes along with global.ini.php including
api_service_url = http://api.piwik.org
This should be changed to https asap, because MITM could compromise the api output otherwise (keep in mind that the output is presented to user including links, update information etc.)
This issue (#1867) has already been discussed 5 years ago. Now that https-api is available for a long time you should default to it. We have 2015 now and attackers use every possibility they can find.
Via MITM, tt potentionally compromises all the nice automatic update, can be used for phishing attacks, ...
Users should be recommended to use https if they have overridden the global.ini.php default.