Re: he was told there was "no security problem"
If the app is able to reveal data from someone else's session, the fault is de facto in the back end for allowing the data to be sent, possibly implying that they have no proper auth mechanism. It may be in the app as well, but that just illustrates how shit their developers are.