You have to trust the organization, same as always. If your bank/credit union doesn't use https in their app, they probably don't have a secure infrastructure, period.

If the organization you're dealing with is incompetent, it doesn't matter if you communicate with https, carrier pigeon, or face-to-face. They'll still leave things open at some point and you'll get screwed.

And, as heinrichf points out, you can MITM and name-and-shame individual apps if you're technical.
A friend wrote a really nice blog post about this in 2013. It's always felt like the white elephant in the room of iOS apps.

"WebViews Are Not To Be Trusted" https://web.archive.org/web/20140213214723/http://matthodges.com/2013/09/webviews-are-not-to-be-trusted/
You can redirect the traffic of your device through a proxy and sniff it (e.g. https://mitmproxy.org/) to determine if an app uses https or not, and furthermore if it performs certificate pinning.
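
The check described in the comment above, as an added example that is not part of the thread: a mitmproxy addon that records, per host, whether an app on your own device sent plaintext HTTP, accepted the proxy's certificate, or refused it. The class name, verdict labels and file name are made up for illustration, and the hook names assume mitmproxy 8 or later.

```python
# Added example. Save as transport_audit.py and run: mitmdump -s transport_audit.py
# Assumption: mitmproxy 8+ hook names. Addons are plain classes whose methods
# mitmproxy calls by name, so no mitmproxy import is needed here.
from collections import defaultdict


class TransportAudit:
    def __init__(self):
        # host -> what the proxy observed for that host
        self.seen = defaultdict(lambda: {"http": 0, "tls_ok": 0, "tls_failed": 0})

    def request(self, flow):
        # Fires for every HTTP request; scheme "http" means no TLS at all.
        if flow.request.scheme == "http":
            self.seen[flow.request.pretty_host]["http"] += 1

    def tls_established_client(self, data):
        # The app completed a handshake against the proxy's certificate.
        self.seen[self._host(data)]["tls_ok"] += 1

    def tls_failed_client(self, data):
        # The app aborted the handshake with the proxy.
        self.seen[self._host(data)]["tls_failed"] += 1

    @staticmethod
    def _host(data):
        # Prefer the SNI the app sent; fall back to the destination address.
        return data.conn.sni or data.context.server.address[0]

    def verdict(self, host):
        c = self.seen.get(host)
        if c is None:
            return "unseen"
        if c["http"]:
            return "plaintext"            # worst finding wins
        if c["tls_failed"] and not c["tls_ok"]:
            return "rejects-proxy-cert"   # pinning, or proxy CA not installed
        if c["tls_failed"]:
            return "mixed"                # some connections refused, some not
        return "https-unpinned"           # accepted the proxy's certificate

    def done(self):
        # Shutdown hook: print one line per host.
        for host in sorted(self.seen):
            print(f"{self.verdict(host):20} {host}")


addons = [TransportAudit()]
```

A `rejects-proxy-cert` verdict points to pinning only when the proxy's CA certificate is installed and trusted on the device; without it, every app that validates certificates at all will refuse the handshake.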
A similar problem is that many apps ask me to log in with my Facebook password. With a browser I can see that my password is being sent directly to Facebook, but with an app, who knows?