This is like the fifth article I've read about the McDonald's app not having any sort of server-side validation. How do they keep getting this wrong???
Well, they're also an app that relies (at least on Android) on Google's Play Integrity DRM to "keep it safe" from those pesky root users. And like clockwork, this false sense of security leads developers into stupidly trusting the client.
As a contractor who works building apps (and their server backends) for big clients: I don’t give a fuck. I just do the minimum so the app works. The worst that can happen is that the client asks me to fix the flaw later on, for which I will bill more hours.
I can 100% guarantee that’s what happened here.
More importantly, why would anyone care? Is this some 5th dimensional chess marketing strategy by McDonald's? I hear more about their app these days than ever, and more than about any other security issue anywhere else.
McDonald's has historically not put an emphasis on security, imo it's just that simple.
Is there anything you know about McDonald's as an entity that would lead you to believe they know about, or would prioritize, building a secure app?
Honestly, it’s amazing it’s not worse!
This sort of thing happens a lot. A few years ago a British bus company put certificates in the app to sign tickets.
The HSBC UK app will not run if you have any apps installed from outside the Play Store. I cannot log into the website without the app. Luckily all I have with them is a lightly used credit card with a low limit, so I have just stopped using it and rely on paper statements.
I find it disturbing that any app can examine your device in this much detail.