
> They can’t have robust DRM on their tickets if those tickets can still be viewed offline.

Of course they can. All they need is a secret key embedded somewhere that the app can access but you can't. It's just a happy circumstance that they used a simple protocol in which the key is easily extracted. But they could have used a proper PKI protocol instead, which would have made it much harder, if not impossible, to hack.



If the app can access it (offline, on your device), then what stops a developer from using tools to extract the token from the device, either from wherever it's stored in memory or using an interactive debugger to extract it as the app requests it?


Nothing stops a (sufficiently motivated) developer from doing that. But it will stop a muggle.



