So no HTTPS connections should be possible through the proxy.
Here's the app:
Sending test credentials:
Harvesting them from Burp via MITM attack:
Hotwire uses a defense I haven't seen before: they claim Android itself is at fault.
As demonstrated at the very top of this page, the default browser doesn't have this problem, so it's clearly not caused by Android.
I regard this as all the vendor response I am likely to get, so there's no point in delaying public disclosure any longer.
Later I got this message from Qualys: