I believe 3DES is just being used for obfuscation? If they used the latest cipher and gave each user per-session keys then a reverse engineer could still access the data since the app itself must have the key to read the data.
re: big red, the sensitive traffic (but sadly not all of it) is communicated over HTTPS, which should already protect you from eavesdroppers. My understanding is that the use of 3DES is just another layer of obfuscation to make it harder to abuse their app's private web APIs even if someone used a self-signed cert to MITM HTTPS. It's HTTPS that should be protecting your data in transit.
Basically I think this is a big nothing burger but would love to understand why I'm wrong. Though poor use of encryption certainly doesn't give me positive vibes on the developers.