This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:
FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security
So no HTTPS connections should be possible through the proxy.
Here's the app:
When the user signs in:
Data can be stolen by a man-in-the-middle, because SSL certificate validation is not performed.
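The following is an added example, not code from the app or the original page. It starts a local HTTPS server with a self-signed certificate (standing in for a proxy whose certificate the device has not been told to trust) and shows how three client configurations react: a strict client that validates the chain, a client with verification switched off (the app's mistake), and a client that trusts only the server's own certificate. The server, handler, and client names are all assumptions of the example; the Go standard library's `InsecureSkipVerify` and `RootCAs` settings are real.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// classify reports how a client reacted to the server's certificate:
// "accepted" if the request succeeded, "rejected" if the TLS handshake
// failed on certificate verification, or the raw error for anything else.
func classify(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		// Go wraps the x509 failure inside url.Error / tls errors; the
		// string check is a fallback for older toolchains and for hosts
		// with no system root store at all.
		if errors.As(err, &unknownCA) || strings.Contains(err.Error(), "x509:") {
			return "rejected", nil
		}
		return "", err
	}
	resp.Body.Close()
	return "accepted", nil
}

// CompareClients starts a self-signed HTTPS server (constructed for this
// example) and records how three client configurations respond to it.
func CompareClients() (map[string]string, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	// 1. Default client: validates the chain against the system trust store,
	//    so an untrusted interception certificate is refused.
	strict := &http.Client{}

	// 2. The app's mistake: certificate validation switched off. Any
	//    certificate, including a proxy's, is accepted.
	insecure := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}

	// 3. Pinned client: trusts only the server's own certificate, so it
	//    works against the real server and still refuses an interposed one.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinned := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}

	clients := map[string]*http.Client{"strict": strict, "insecure": insecure, "pinned": pinned}
	results := map[string]string{}
	for name, c := range clients {
		outcome, err := classify(c, srv.URL)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		results[name] = outcome
	}
	return results, nil
}

func main() {
	results, err := CompareClients()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"strict", "insecure", "pinned"} {
		fmt.Printf("%-8s %s\n", name, results[name])
	}
}
```

Only the "insecure" client behaves the way the app does; it is the setting a reviewer should look for (or its platform equivalent, such as a permissive `TrustManager` or `hostnameVerifier`) when auditing a mobile client.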
The data are not sent in plaintext, but in two fields: "property_iv" and "LoginInfo". These are the IV and ciphertext for AES encryption.
The AES key is hard-coded into the application, as shown below.
A few lines of Python suffice to decrypt the user's credentials.
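As an added illustration of why a key compiled into the app gives no confidentiality (this is example code, not the page's Python or the app's own code): the block below models the client side, which picks a fresh IV and AES-CBC-encrypts the credentials under the embedded key into the two fields `property_iv` and `LoginInfo`, and then shows that the same key recovers the plaintext from a captured request. The key value, the credential JSON, PKCS#7 padding, and base64 encoding of the two fields are all constructed assumptions; the page states only that AES is used and that the key is hard-coded.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// HardcodedKey stands in for the key embedded in the app binary. The value
// is constructed for this example and is not the application's real key.
var HardcodedKey = []byte("example-hardcoded-key-32-bytes!!") // 32 bytes -> AES-256

// LoginRequest models the two fields the app sends. Base64 encoding is an
// assumption; the page does not say how the bytes are encoded on the wire.
type LoginRequest struct {
	PropertyIV string `json:"property_iv"`
	LoginInfo  string `json:"LoginInfo"`
}

// pkcs7Pad appends 1..size bytes so the length is a whole number of blocks.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding, rejecting anything malformed.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// BuildLoginRequest mirrors the client side: random IV, AES-CBC under the
// embedded key, and the two fields the server expects.
func BuildLoginRequest(key, credentials []byte) (LoginRequest, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return LoginRequest{}, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return LoginRequest{}, err
	}
	padded := pkcs7Pad(credentials, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return LoginRequest{
		PropertyIV: base64.StdEncoding.EncodeToString(iv),
		LoginInfo:  base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// RecoverCredentials is what anyone holding the key can do with a captured
// request. Because the key ships inside every copy of the app, the
// encryption layer adds nothing that TLS with validated certificates
// would not already provide.
func RecoverCredentials(key []byte, req LoginRequest) ([]byte, error) {
	iv, err := base64.StdEncoding.DecodeString(req.PropertyIV)
	if err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(req.LoginInfo)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed IV or ciphertext length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	// Constructed sample credentials, not real data.
	creds := []byte(`{"user":"alice","pass":"hunter2"}`)
	req, err := BuildLoginRequest(HardcodedKey, creds)
	if err != nil {
		panic(err)
	}
	fmt.Printf("property_iv=%s\nLoginInfo=%s\n", req.PropertyIV, req.LoginInfo)
	got, err := RecoverCredentials(HardcodedKey, req)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", got)
}
```

The fix is not a better-hidden key: credentials in transit should be protected by TLS with proper certificate validation (or pinning), and any client-side encryption layered on top should use a key that is not the same constant in every installed copy.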