
Token for App -> backend authentication is generated one time when the user signs up. Sniff it once and you've got access to the user account forever.

Passwords are hashed with one round of SHA1, no salt.

Everything including login data is sent over plain HTTP.

Luckily I got permission to fix that mess.
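As an added illustration (not code from the post's author or the app described), the three weaknesses in the post side by side with a remediation: the unsalted single-round SHA1 beside a salted, iterated PBKDF2 hash with constant-time verification, and a randomly generated token with an expiry instead of a one-time-forever token. All function names and sample values are constructed.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample password; not taken from the original post.
SAMPLE_PASSWORD = "correct horse battery staple"


def weak_hash(password):
    """The scheme the post describes: one round of SHA1, no salt.
    Equal passwords give equal digests, so a leaked table can be checked
    against precomputed SHA1 lists without any per-user work."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password, salt=None, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored string carries the
    algorithm, cost and salt so each user's hash is independent and the
    cost can be raised later without breaking existing records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(stored, password):
    """Recompute with the stored salt/cost and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Session tokens: random per login and time-limited, so a captured token
# stops working instead of granting the account forever (TTL is constructed).
TOKEN_TTL_SECONDS = 3600


def issue_token(now=None):
    now = time.time() if now is None else now
    return {"token": secrets.token_urlsafe(32),
            "expires_at": now + TOKEN_TTL_SECONDS}


def token_valid(record, presented, now=None):
    now = time.time() if now is None else now
    return hmac.compare_digest(record["token"], presented) \
        and now < record["expires_at"]
```

Transport is the remaining item from the post: none of this helps if the login request itself goes over plain HTTP, so the backend must only accept these credentials over TLS.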
