once you have been authenticated, the app uses the site url returned by the webservice core_get_siteinfo
If in your config.php your $CFG->wwwroot starts by "http://" the app will use that protocol for further requests.
I suspect that your site is under a load balancer/firewall of something similar that adds the SSL layer to your requests but in your settings you have a wwwroot under http (not https)
Am I right? If not, can I have a demo/test user in order to check what is happening (you can email me at: juan AT moodle.com )