… and the chair of a ‘cyber’ security programme at that!
Given she used the app and not even a browser, it’s not like even a DNS spoof could work here, redirecting to non-TLS spoofed servers, as the app should look for signed DNS for its upstream API and reject anything else.