If you deploy in the Mendix Cloud, you are connecting over HTTPS: the Mendix Cloud does not allow HTTP connections. This prevents man-in-the-middle attacks. Furthermore, since the connection is encrypted, packet sniffing on the network can't be done (well, you can sniff the packets, but you can't decrypt them). I would be suspicious, although intrigued, by a pentester who made those claims, and I would double-check his claims.
Furthermore, since I would classify this as a security risk, I would escalate this to Mendix and let them solve it, instead of looking for advice on the forums.
There is an SSL certificate checker for PhoneGap.
I can try to implement this.