Decompiled the cocacola QuickTap app to see how it worked. 8f4a38321179f79eca3301a63dd66455 * TL;DR it’s all remotely federated, there’s zero chance for free drinks unless you’re comfortable either (a) fuzzing coke servers for vulnerabilities, or maybe (b) sniffing other people’s requests and ordering on their account. A physical QR code scan (zxing) is used to set location, and then the phone makes http requests to the coke server to remotely initiate vending.
Read more