I don’t think localhost would work in this case, as the app URL is important to authenticate a user against. So, let’s suppose you have an xyz application with the xyz.com domain name. When you authenticate a user against your xyz.com app, a tag gets inserted into the profile.json that the user owns. It looks like this:
and because you own that URL and control the hosting provider, that I guess is the only way to prove the controlling authority of your app.
Another reason to have it hosted is to see the process of auth. When you click on the sign in button, it opens browser.blockstack.org in your browser. Once you are authenticated, browser.blockstack.org needs to send you back to the app, but that particular script does not know your app and you can’t edit it (maybe if you host your own copy of that, I haven’t tried doing that), so browser.blockstack.org sends you back to your hosted server to redirect and open your app on the phone, and that server address should be resolvable over the internet.
If you just want to test the auth, you can use the test URLs given in this iOS example, as I haven’t seen the Android code yet. Caution would be to know that this is just a test server.
While you are using it, make sure the URL scheme of your app has the entry of myblockstackapp as that is what this server recognizes.
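
The redirect step described in the post above, as an added example that is not part of the original post or of any Blockstack code: a hosted page receives the sign-in result and forwards it to the app through the `myblockstackapp` URL scheme. The query parameter name `authResponse`, its JWT-like shape, the length limit and the sample hostname are assumptions.

```javascript
// Added example: redirect logic for a hosted page that hands the sign-in
// result back to a mobile app. Names marked "assumed" are not from the post.

const APP_SCHEME = "myblockstackapp"; // URL scheme named in the post
const TOKEN_PARAM = "authResponse";   // assumed query parameter name
const MAX_TOKEN_LENGTH = 8192;        // assumed upper bound

// Three non-empty base64url segments separated by dots (assumed JWT-like shape).
const TOKEN_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Returns the custom-scheme URL to send the browser to, or null when the
// incoming request should not be forwarded to the app.
function buildAppRedirect(requestUrl) {
  let url;
  try {
    url = new URL(requestUrl);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  const values = url.searchParams.getAll(TOKEN_PARAM);
  if (values.length !== 1) return null; // missing or duplicated parameter
  const token = values[0];
  if (token.length > MAX_TOKEN_LENGTH || !TOKEN_SHAPE.test(token)) return null;
  // The destination scheme is a constant: nothing in the request can choose
  // where the browser is sent, so the page cannot be used as an open redirect.
  return `${APP_SCHEME}://?${TOKEN_PARAM}=${encodeURIComponent(token)}`;
}

// Constructed sample inputs (hostname and token values are placeholders).
const SAMPLE_OK =
  "https://redirect.example/redirect?authResponse=aGVhZGVy.cGF5bG9hZA.c2ln";
const SAMPLE_MALFORMED =
  "https://redirect.example/redirect?authResponse=not%20a%20token";

console.log(buildAppRedirect(SAMPLE_OK));
console.log(buildAppRedirect(SAMPLE_MALFORMED));
```

The shape check only keeps malformed input out of the custom-scheme URL; it does not verify the token, which the app still has to do after it is opened.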