I can't quite decide whether hiding the stupid with SSL would be a good thing or not.
If done properly (incl. pinned cert(s)), it would mostly hide the stupid, which would help protect users - but also make it less likely that users would ever know just how bad the app is.
Why do they not use SSL? Every mobile app should use SSL to communicate with their API. Apple should look into making this a developer guideline (i.e. reject apps that break it).
Sadly, I suspect this is a case of developer neglect and laziness. I'd imagine what has happened here is the developer has serialised the entirety of a User model, rather than carefully only exposing properties required by the client.
Hopefully this will act as a cautionary tale for anyone designing an API.
Certainly they're serializing the entire user, and I'm guessing they just figured, "let the client sort it out." In other words, a lack of backend chops that would establish proximity and age (per examples in the blog post) based on the request and the user requesting the data.
