The mTLS part is interesting. They're using it not for security in the traditional sense -- REWE knows what their own app is doing -- but as a fingerprinting mechanism. The client cert is how they distinguish their official app from third-party access. The weak point is that the cert has to live somewhere in the app binary, which is why mitmproxy can intercept it. It's less about encryption and more about making ToS enforcement slightly harder.
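To make the "fingerprint, not authentication" point concrete, here is an added example (not code from the comment above or from REWE) that reproduces the server side of such a scheme in Go. It generates a throwaway private CA and a client certificate in-process, stands up an `httptest` TLS server that verifies client certificates against that CA, and shows the classification decision the server can actually make: the hypothetical subject name `example-app-client`, the CA name and the "official-app"/"third-party" labels are all assumptions of this example. Because every install of an app ships the same certificate and key, the server learns only that the peer holds the app's cert; the decision is a single subject-name comparison and says nothing about which device or binary is on the other end.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Hypothetical subject name of the certificate every app build would embed.
const appCertCN = "example-app-client"

// issueCert creates a P-256 certificate for cn. With isCA it is self-signed
// (our throwaway private CA); otherwise it is signed by parent/parentKey.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// classify is the whole "fingerprint": did the peer present the shared app cert?
// A match proves possession of that cert, not that the caller is the app.
func classify(r *http.Request) string {
	if r.TLS != nil {
		for _, c := range r.TLS.PeerCertificates {
			if c.Subject.CommonName == appCertCN {
				return "official-app"
			}
		}
	}
	return "third-party"
}

// demo builds the CA and app cert, starts a TLS server that verifies client
// certs against the CA when one is offered, and calls it with and without the
// embedded cert. It returns the two labels the server produced.
func demo() (withCert, withoutCert string, err error) {
	ca, caKey, err := issueCert("example-private-ca", true, nil, nil)
	if err != nil {
		return "", "", err
	}
	appCert, appKey, err := issueCert(appCertCN, false, ca, caKey)
	if err != nil {
		return "", "", err
	}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(ca)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, classify(r))
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust httptest's own server cert

	call := func(certs []tls.Certificate) (string, error) {
		client := &http.Client{Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: roots, Certificates: certs},
		}}
		defer client.CloseIdleConnections()
		resp, err := client.Get(srv.URL)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return string(body), err
	}
	embedded := tls.Certificate{Certificate: [][]byte{appCert.Raw}, PrivateKey: appKey}
	if withCert, err = call([]tls.Certificate{embedded}); err != nil {
		return "", "", err
	}
	if withoutCert, err = call(nil); err != nil {
		return "", "", err
	}
	return withCert, withoutCert, nil
}

func main() {
	a, b, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("with embedded cert: %s\nwithout cert: %s\n", a, b)
}
```

The design lesson for a defender is in `classify`: the server's only input is a credential that is identical across every install, so it should be treated as public and used for nothing more than the coarse "looks like our app" signal the comment describes. Anything that must distinguish one client from another (rate limits, abuse response, account binding) needs a per-device credential issued after some form of attestation, not a certificate shared by the whole user base.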