Wellness+ Android App Fails to Validate SSL Certificates

Background

The Wellness+ Android app has a serious security problem--it does not properly protect network traffic, exposing confidential data.

This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:

I used an Android emulator connected to the Burp proxy.

Here's the app I tested:

Sending personal data which should be encrypted:

Harvesting the data from Burp via MITM attack:

I sent this email on 9-18-2025:

Posted 9-18-2025 by Sam Bowne