In my opinion, this is a violation of federal HIPAA law.
In addition, this app exposes the user's login credentials for Twitter, Facebook, and Google, because it sends them through its own in-app browser, whose HTTPS certificate validation is broken.
A correctly validating client would reject the proxy's certificate, so no HTTPS connection should be possible through the proxy at all.
Here's the app:
Sending test credentials:
Harvesting them from Burp via MITM attack:
Next, let's start at the home screen and click Twitter:
On the next page, click "Log in".
Now I send fake credentials to Twitter:
And the app transmits them insecurely to the proxy, defeating SSL:
Next, from the home screen, click Enrollment:
The "Follow" section at the bottom has icons to reach Facebook and YouTube.
If I log in to Facebook:
Those credentials are exposed.
If I click the YouTube button, I see the BCBSNC channel. I clicked Subscribe.
This takes me to a normal-looking Google login page. Unfortunately, it is not rendered by a properly written browser, but by an inferior custom component inside the app that breaks SSL by accepting the proxy's invalid certificate.
My Google credentials are also exposed.
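The root cause described above is an in-app browser that accepts a certificate it should reject. The page does not say which platform the app runs on; as an added illustration (not the app's own code), here is what that mistake looks like in an Android WebView, with the vulnerable handler beside the hardened one. Class names are my own.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Vulnerable pattern: overriding onReceivedSslError and calling proceed()
// silently accepts any certificate, including one minted by an intercepting
// proxy such as Burp. Credentials typed into the page then go to the proxy,
// which is the behaviour observed in the post before the patch.
class InsecureWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // BUG: ignores SSL_UNTRUSTED, SSL_IDMISMATCH, SSL_EXPIRED, ...
    }
}

// Hardened form: the platform default for this callback already cancels the
// load, so simply not overriding it is enough. If a subclass must override it
// (for example, to log), it should cancel and report, never proceed.
class SecureWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.w("TLS", "Refusing page with certificate error: " + error.getPrimaryError());
        handler.cancel(); // abort the load; credentials never leave the device
    }
}
```

When reviewing an app, searching the code for `handler.proceed()` inside any `onReceivedSslError` override is a quick static check for this class of bug; the dynamic check is the one the post performs, namely whether an intercepting proxy with an untrusted certificate still sees the traffic.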
The developer replied politely and patched the app immediately.
Here's the update I got on 5-22-15:
Now it refuses to send any data through my proxy, correctly identifying the proxy's certificate as invalid: