Here are details of the CERT test and notification, from 9/3/2014: Finding Android SSL Vulnerabilities with CERT Tapioca. This spreadsheet from CERT shows "Android App SSL Failures": Android apps that fail to validate SSL.
It's been updated today!
I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:
However, when I log in with test credentials:
It doesn't notice the bad SSL certificate and lets the MITM attack work!
The password is hashed with MD5 and SHA-1, apparently with a salt, because I wasn't able to crack it immediately.
However, even with the password hashed, failure to validate the SSL certificate is a serious error. And ignoring CERT security notifications is not a small matter either!