I'm with Geoff here, I think a private API is a lot more likely. Capture web traffic with Wireshark and see if you can spot how your phone is connecting to the server - the API might be fairly obvious and you can build a quick program to use it. I'd also recommend capturing traffic accessing it through your browser because it can't hurt to have too much information and it might give you clues - e.g. if the captcha is something as simple as posting authenticated=1 as a parameter then this becomes a lot more simple!
Alternatively, reverse engineer the app and look through the code (never actually done this for android apps, but it doesn't seem too hard) :
https://code.google.com/p/android-apktool/