tl;dr
- The Sibylla app uses plain
HTTP
. - Not any verification of email used when logging into the app.
- The Sibylla server stores whether a coupon has been consumed or not for a certain email address.
- The app doesn't use the stored information at the server to decide whether a coupon has been used or not for a certain email.
- The "consumed" value seems to be stored locally in the app.
- Wiping the data/cache in Android's app settings will …