by bitexploder
3191 days ago
You would have to tear apart the Android app itself. If it isn't obfuscated, it usually comes out pretty clean. Depends on how they implement things from there, but you could in theory reconstruct all their calls to their backend from the code. If they have an API/HTTP client that wraps it up nicely, it often simplifies this chore from a static analysis perspective. You can still use MiTM HTTP proxies pretty easily. If they don't pin certificates, it is trivial. If they do pin certificates, you have to understand how they are doing it and break that. Often trivial to easy, but requires an app-specific approach. We haven't met an Android or iOS app using HTTPS that we could not MiTM yet. Usually without a lot of effort. Sometimes with a small to moderate amount of effort (a couple of hours to a day of poking the app/code/certs).
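The static-analysis side of the approach described above (recovering backend calls from decompiled code, then checking where certificate pinning lives before choosing a MiTM strategy), as an added example that is not part of bitexploder's comment. It assumes the APK has already been decompiled to Java source (for instance with jadx), that the app uses Retrofit-style annotations plus OkHttp's CertificatePinner and/or an Android Network Security Config, and that the file names, class names, host and pin values below are constructed sample input, not taken from any real app.

```python
"""Recover backend endpoints and locate certificate pinning in decompiled Android source.

Added example; not bitexploder's code. The decompiled sources and the
network_security_config.xml below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Retrofit-style method annotations on interface methods, e.g. @GET("v1/users/{id}")
RETROFIT_RE = re.compile(r'@(GET|POST|PUT|DELETE|PATCH|HEAD)\s*\(\s*"([^"]*)"\s*\)')
# Absolute URL string literals (base URLs usually live in a config class)
URL_RE = re.compile(r'"(https?://[^"\s]+)"')
# OkHttp CertificatePinner.Builder().add("host", "sha256/<base64>")
OKHTTP_PIN_RE = re.compile(r'\.add\(\s*"([^"]+)"\s*,\s*"(sha256/[A-Za-z0-9+/=]+)"\s*\)')
# Android Network Security Config: <domain-config> blocks with <domain> and <pin> entries
NSC_BLOCK_RE = re.compile(r'<domain-config(?:\s[^>]*)?>(.*?)</domain-config>', re.S)
NSC_DOMAIN_RE = re.compile(r'<domain(?:\s[^>]*)?>([^<]+)</domain>')
NSC_PIN_RE = re.compile(r'<pin\s+digest="SHA-256"\s*>([A-Za-z0-9+/=]+)</pin>')


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    source_file: str


def extract_endpoints(sources):
    """Collect (method, relative path) pairs from Retrofit annotations, in source order."""
    return [Endpoint(m.group(1), m.group(2), fname)
            for fname, text in sources.items()
            for m in RETROFIT_RE.finditer(text)]


def extract_base_urls(sources):
    """Collect absolute URL literals; these are the candidate Retrofit base URLs."""
    urls = set()
    for text in sources.values():
        urls.update(URL_RE.findall(text))
    return urls


def reconstruct_requests(base_urls, endpoints):
    """Join each base URL with each relative path into a request template for a proxy or fuzzer."""
    return [f"{ep.method} {base.rstrip('/')}/{ep.path.lstrip('/')}"
            for base in sorted(base_urls) for ep in endpoints]


def detect_pinning(sources, nsc_xml=""):
    """Report where pinning is configured; the bypass technique depends on which mechanism is used.

    OkHttp pins are enforced in app code (hook or patch CertificatePinner);
    Network Security Config pins are enforced by the platform (patch the XML and repackage).
    """
    report = {"okhttp": [], "network_security_config": []}
    for fname, text in sources.items():
        for host, pin in OKHTTP_PIN_RE.findall(text):
            report["okhttp"].append((host, pin, fname))
    for block in NSC_BLOCK_RE.findall(nsc_xml):
        pins = NSC_PIN_RE.findall(block)
        if pins:
            for domain in NSC_DOMAIN_RE.findall(block):
                report["network_security_config"].append((domain.strip(), pins))
    return report


# Constructed sample: three decompiled classes and one network security config.
SAMPLE_SOURCES = {
    "com/example/app/ApiService.java": '''
package com.example.app;
import retrofit2.http.*;
public interface ApiService {
    @GET("v1/users/{id}")
    Call<User> getUser(@Path("id") String id);
    @POST("v1/auth/login")
    Call<Token> login(@Body Credentials c);
}
''',
    "com/example/app/Config.java": '''
package com.example.app;
public final class Config {
    public static final String BASE_URL = "https://api.example.com/";
}
''',
    "com/example/app/HttpClientFactory.java": '''
package com.example.app;
import okhttp3.CertificatePinner;
public final class HttpClientFactory {
    static CertificatePinner pinner() {
        return new CertificatePinner.Builder()
            .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
            .build();
    }
}
''',
}

SAMPLE_NSC = '''<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
'''


def analyze(sources, nsc_xml=""):
    """Full pass: endpoints, base URLs, request templates and pinning report."""
    endpoints = extract_endpoints(sources)
    bases = extract_base_urls(sources)
    return {
        "requests": reconstruct_requests(bases, endpoints),
        "pinning": detect_pinning(sources, nsc_xml),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_SOURCES, SAMPLE_NSC)
    for line in result["requests"]:
        print(line)
    print(result["pinning"])
```

On a real decompilation the same two questions drive the effort estimate the comment gives: how much of the HTTP layer is concentrated in one wrapper (the fewer places that build requests, the faster the endpoint list is complete), and whether pins are enforced by app code, by the platform config, or by both, since each needs a different bypass.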