I wondered the same until the section near the end of the article that mentions that the app creator's email address and password were left unsecured leaving his admin panel exposed.

Seems to me if this was deliberate that the creator would have gone to greater lengths to protect themselves.