We've been steadily increasing our HTTPS coverage--Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we're actively working on rolling out HTTPS while making sure we don't regress on performance, stability, and user experience. This is a project we're hoping to complete soon, and we'll share our experiences in our eng blog so other companies can learn from it as well.
This issue has been reported some already so unfortunately cannot reward you, instagram is working to get https for all endpoints. Its a pretty high barrier to exploitation to already sniffing someones traffic however.
And here I am sitting in the Apple Store around the corner from my apartment watching various cookies whizz past my screen.
I don't agree the barrier to exploit is high. All it takes is one sufficiently skilled person to release a tool so simple even a script kiddie can use it. At that point Pandora's Box has been blown apart. The obvious precedent for this is Firesheep (now sadly not functional) from back in 2010.
And that's why this was made :-)... http://en.wikipedia.org/wiki/Firesheep
Maybe you should contribute instagram-sniffing to it :) https://github.com/codebutler/firesheep