This is like the fifth article I've read about the McDonald's app not having any sort of server-side validation. How do they keep getting this wrong???
As a contractor who works building apps (and their server backends) for big clients: I don’t give a fuck. I just do the minimum so the app works. The worst that can happen is that the client asks me to fix the flaw later on, for which I will bill more hours.
I can 100% guarantee that’s what happened here.