Project 5: GenieMD Broken SSL (10 pts.)

What You Need for This Project

Summary

The GenieMD Android app sends login credentials over broken HTTPS, without verifying the SSL certificate.

This is such a serious security flaw that the FTC punished Fandango and Credit Karma for doing the same thing in 2014.

Responsible Disclosure

CERT found this flaw and notified the developer in 2014.

I re-tested the app in 2015 and it was still vulnerable. I notified the vendor again and they replied on Twitter, saying that they are not legally required to use SSL properly under HIPAA. I tested the newest version, 5.9.9.54, updated October 26, 2016, on December 21, 2016. It's still vulnerable. GenieMD clearly doesn't care at all.

Update: Nov 9, 2018

I tested the two apps shown below.

They both still have this flaw, as shown below.

Adjusting Android Networking to Bypass the Proxy

From the Android home screen, click the circle at the bottom center.

Drag the screen to the left to see the second page of apps.

Click Settings.

In Settings, click Wi-Fi.

Click and hold WiredSSID until a box pops up.

Click on "Modify network".

Check the "Show advanced options" box and select None from the Proxy Settings menu.

Then click Save.

Installing the GenieMD Android App

This is the app to test. When I tried to install it, I saw the message "Your device isn't compatible", as shown below.

I was able to download the APK file from the Internet and install the app that way. You could do that, but the simplest way to proceed with the project is to download an older version from the link below, and drag it onto the Genymotion Android device:

com.geniemd.geniemd-1.apk

Install any version of the app.

Adjusting Android Networking to Use the Burp Proxy

From the Android home screen, click the circle at the bottom center.

Drag the screen to the left to see the second page of apps.

Click Settings.

In Settings, click Wi-Fi.

Click and hold WiredSSID until a box pops up.

Click on "Modify network".

Check the "Show advanced options" box and select Manual from the Proxy Settings menu.

Enter your host machine's IP address in the "Proxy hostname" field, and 8080 in the "proxy port" field, as shown below.

Then click Save.

Observing the HTTPS Traffic

From the Android home screen, click the Circle. In the "APPS" page, find GenieMD and click it.

Click "Sign in" and enter test credentials:

The credentials appear in Burp, as shown below:

If you have been doing these projects in order, this is not a security problem, because you have the PortSwigger certificate installed--your Android device has been told to trust Burp.

The login process hung up, saying "the request is taking too long" when I tested the newest version of GenieMD, but that didn't protect the user, because the password was sent first.

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, right-click any entry and click "Clear history". Click Yes.

Removing the PortSwigger Certificate

From the Android home screen, click the Circle. Click Settings.

Scroll down and click Security.

Scroll to the bottom and click "Clear credentials".

Click OK.

Testing HTTPS Connections

From the Android home screen, click the blue Earth icon in the lower right corner, to open the browser.

Open google.com.

You should see an error message, as shown below.

No valid HTTPS connections can be made from your device now.

Logging In Again

From the Android home screen, click the Circle. In the "APPS" page, find GenieMD and click it.

Click "My GenieMD". Click "LOG IN". Click "Email".

Click "Sign in". Attempt to log in with test credentials including your name, as shown below.

The username and password appear in Burp:

This is a big problem--the MITM attack is allowed. GenieMD exposes its users to this attack, because they don't bother to validate SSL certificates.
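To show what this flaw looks like in code, here is an added illustration (not GenieMD's actual code, which this project never examines) of the Java networking pattern that produces the behavior observed above, beside the form that validates certificates. The class name is hypothetical.

```java
import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical class, written for this project page to contrast the two patterns.
public class TlsValidationExample {

    // BROKEN: a TrustManager that accepts every certificate chain. Any proxy on the
    // path (Burp here, an attacker in the field) can present its own certificate and
    // the app still sends the login form through it. This is the kind of code that
    // makes the credentials appear in Burp even after the PortSwigger CA is removed.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    static HttpsURLConnection openBroken(String url)
            throws IOException, NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Commonly paired with a hostname verifier that accepts any name, which
        // disables the last remaining check.
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    // FIXED: keep the platform defaults. HttpsURLConnection already validates the
    // chain against the device trust store and checks the hostname; with the Burp
    // CA removed (the "Clear credentials" step) this handshake fails with an
    // SSLHandshakeException instead of leaking the password.
    static HttpsURLConnection openFixed(String url) throws IOException {
        return (HttpsURLConnection) new URL(url).openConnection();
    }
}
```

A quick way to audit an app for the broken pattern is to grep its source or decompiled classes for empty checkServerTrusted bodies and HostnameVerifier implementations that always return true.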

Saving a Screen Image

Make sure you can see geniemd.net and YOUR NAME, as shown above.

Save a full-desktop image. On a Mac, press Shift+Command+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 5", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 5 from YOUR NAME
Posted 12-21-16 by Sam Bowne
Updated 11-9-18