Seems they may have patched the site, still waiting for a fix for the app. I'll keep checking, for now the previous advice remains. Do not use the app until they at the very minimum, enforce SSL.

On a side note, can the devs explain why they are using a hard coded IP?  If the IP tomorrow is not available, all installed apps become useless? Many users have no idea how to update apps, so, saying you'll force an update is not an option.

On Monday, February 9, 2015, Allan O. via skunkworks <skunkworks@lists.my.co.ke> wrote:

Looks like they've taken measures to resolve those issues? 

On Sat, Feb 7, 2015 at 3:23 PM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:

Anyone know the dev's of the Nairobi County App at JamboPay? Need to notify them of some serious security concerns in their app. Seroius to the point that I won't use the app until they are patched. 

And if anyone on this list uses it, please don't use the same PIN you use for other secure services like Mpesa, atm etc until these issues are patched.

_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke

_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke