NEW: Security Problems in Second App
Student Blue Connect leaks confidential data from the BCBSNC system, and also from Facebook, Twitter, and Google.
In my opinion, this is a violation of two federal laws: HIPAA and COPPA.
An app that validates server certificates properly should not be able to complete any HTTPS connection through an intercepting proxy, because the proxy's certificate is not trusted.
Here's the app:
Sending test credentials:
Harvesting them in Burp via a MITM attack:
Here's another page, which makes it clear that this app is intended to collect data about children, making this insecure transmission also a COPPA violation.
Without a real account, I cannot proceed further, but I expect the app to collect more information about the child being registered, and to send it using the same insecure method.
Here's their Privacy Policy; I doubt that transmitting data over broken SSL constitutes "safeguards that meet or exceed applicable law".
I also filled out their online "Fraud and abuse" form:
The developer replied politely and patched the app immediately.
Here's the update I got on 5-22-15:
Now it refuses to send any data through my proxy, correctly identifying the proxy's certificate as invalid:
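The difference between the two versions of the app comes down to how the TLS client is configured. The following Python example is added here to illustrate that; it is not code from the app or from the original post. It shows the weak client configuration that lets an intercepting proxy's certificate through, the corrected configuration that rejects it, an audit function that reports the weaknesses a reviewer would flag, and an optional certificate-pinning check. The certificate bytes and pinned fingerprint are constructed sample values, not real certificate material.

```python
import hashlib
import ssl

# Constructed sample data: a stand-in for the DER bytes of a server certificate
# and the SHA-256 fingerprint an app would ship as its pin. Made-up values for
# this example, not real certificate material.
SAMPLE_CERT_DER = b"constructed-der-bytes-for-example"
PINNED_SHA256 = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()


def insecure_client_context() -> ssl.SSLContext:
    """The weak configuration: any certificate is accepted, so an intercepting
    proxy's certificate passes and the app's traffic can be read in the proxy."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before changing verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration: validate the chain against the trust store,
    check that the certificate matches the hostname, and refuse TLS < 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a reviewer would raise for a client TLS context.
    An empty list means the context would reject an untrusted proxy certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def pin_matches(cert_der: bytes, pinned_sha256_hex: str) -> bool:
    """Certificate pinning: compare the SHA-256 of the presented DER certificate
    with the fingerprint shipped in the app. Applied after normal chain
    validation, this also defeats a proxy whose CA the user has installed."""
    return hashlib.sha256(cert_der).hexdigest() == pinned_sha256_hex.lower()


if __name__ == "__main__":
    # Demonstration: the weak context produces findings, the hardened one none.
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {audit_context(ctx) or 'no findings'}")
    print("pin matches sample cert:", pin_matches(SAMPLE_CERT_DER, PINNED_SHA256))
```

The `audit_context` check is the kind of test worth running against any mobile or desktop client's TLS setup before release: if `verify_mode` is not `CERT_REQUIRED` or `check_hostname` is off, an intercepting proxy will capture the traffic exactly as shown in the Burp screenshots above. Pinning is an additional layer, not a replacement for chain validation.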