This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:
FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security
So no HTTPS connections should be possible through the proxy.
Here's the app:
Sending test credentials:
Harvesting them from Burp via MITM attack:
Here's the Toyota Privacy Policy, which claims to use "secure socket layer."
Here's the app:
I configured a profile with personally identifiable information:
And the app sent them over the Internet insecurely:
In another part of the app, I entered my current address:
Which was also sent over the Internet insecurely: