[restingrobot]

>The bottom line is, there's no reason to request the non-HTTPS connection in the first place.

The example I gave wasn't to excuse the issue, it was to maybe explain why the fix is taking so long.

> And there's apparently no checks in the app to make sure it's connected to their real server.

I don't think you can make that statement. The description of the issue only attempts to hi-jack the session, he didn't actually try to do anything with it. There may very well be checks in place.