These are the #2 and #3 most important security flaws, according to OWASP.
As discussed here, passwords should not be stored on the phone at all. Because users re-use passwords across sites, a password is highly sensitive information, and handling it carelessly is a disservice to your customers: a password stored locally can be stolen by malware on the phone, or simply by stealing the phone itself. Instead, the phone should store only a random session token issued by the server after a successful login. Such a token is worthless anywhere else: if it leaks, the attacker gains access to this one service and not to every other account where the user re-used the password, and the server can revoke it.
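To make that recommendation concrete, here is an added example of the server side of such a scheme. It is my illustration, not Delhaize's code; the TokenStore class, the 30-day lifetime and the method names are assumptions. The phone keeps only the opaque token, the server keeps only a hash of it, and a lost phone is handled by revoking the user's tokens rather than by changing a password.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed token lifetime: 30 days. Tune to the service's risk appetite.
TOKEN_TTL_SECONDS = 30 * 24 * 3600


class TokenStore:
    """Server-side store of opaque session tokens (added example, not the app's code).

    The phone stores the raw token in place of the password. The server stores
    only SHA-256(token), so a leaked token table cannot be replayed, and the
    token is accepted nowhere but this service.
    """

    def __init__(self) -> None:
        # token_hash -> (user, issued_at)
        self._tokens: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Called once after the password has been checked; returns the token
        the phone should persist instead of the password."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        issued_at = time.time() if now is None else now
        self._tokens[self._hash(token)] = (user, issued_at)
        return token

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Returns the user a token belongs to, or None if it is unknown,
        expired or revoked. Expired tokens are dropped on sight.

        A dict lookup on the hash is acceptable here: the attacker-controlled
        value is hashed before comparison, so lookup timing reveals nothing
        useful about the 256-bit token."""
        h = self._hash(token)
        entry = self._tokens.get(h)
        if entry is None:
            return None
        user, issued_at = entry
        current = time.time() if now is None else now
        if current - issued_at > TOKEN_TTL_SECONDS:
            del self._tokens[h]
            return None
        return user

    def revoke_user(self, user: str) -> int:
        """Invalidates every token for a user, e.g. when the phone is stolen.
        Returns the number of tokens revoked."""
        doomed = [h for h, (u, _) in self._tokens.items() if u == user]
        for h in doomed:
            del self._tokens[h]
        return len(doomed)


def demo() -> Dict[str, object]:
    """Walks through login, use, expiry and revocation with fixed clocks
    (constructed sample run, not real traffic)."""
    store = TokenStore()
    t0 = 1_000.0
    token = store.issue("alice", now=t0)
    # What the phone persists: only the token, never the password.
    phone_prefs = {"session_token": token}
    return {
        "valid_next_day": store.authenticate(phone_prefs["session_token"], now=t0 + 86_400),
        "garbage_rejected": store.authenticate("not-a-real-token", now=t0),
        "expired": store.authenticate(token, now=t0 + TOKEN_TTL_SECONDS + 1),
        "revoked_count": store.revoke_user("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The password still has to be typed once, and sent over a properly verified TLS connection, but after that it never touches the phone's storage or logs; if the preferences file is copied off the device, the thief gets a token the server can cut off, not a password to try against the user's bank.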

When I log in:

The login data can be stolen with a man-in-the-middle (MITM) attack, because the app does not verify the server's SSL certificate: anyone on the network path, for example on the same Wi-Fi, can present a certificate of their own and the app will hand them the credentials.

Here's the password appearing in the log:

Here's the data stored on the phone, in the /data/data/be.delhaize/shared_prefs/DelhaizePreferences.xml file:

Here's how the password can be extracted from that data, using the values highlighted in the matching colors in the figure above.


