
Even before the open app came along, people found enormous security holes in the system, because they were essentially operating with security-by-obscurity. It was super embarrassing for the city, they had to close the system for days while fixing it.

The official system has a mobile app, where it takes effort to figure out the API, and a SPA web app, where it is absolutely trivial to see which endpoints it is hitting and how.

And the ridiculousness of the city's defense that it's not open is made greater by the fact that if they had made an open API from the start, security should have been baked in from the start, which means they would have avoided embarrassing security incidents along the way. They already have all the components needed for a proper, public API. They're so close, and yet they're insisting that it's private, and that it's illegal to access their private API.
