API traffic analysis reveals that the balance check endpoint returns all account numbers associated with the user, not just the requested account Local data storage analysis finds that the app caches ...