Re: Public wifi?
Certainly no auto-connect, saved password (therefore presumably no password and/or publicly advertised password), hence no useful encryption, public wifi in a public place.
Sure, things should be TLS nowadays for anything important and throw warnings if the intermediate certs are wrong, but even so. Even DNS hijacking is possible over the air on encrypted things and who deploys DNSSEC? And the easiest way to provide a fake cert for a site? Use a fake DNS record to pretend to be "authoritative" for that domain.
Wifi off, no auto-connect (except to your own, secured, trusted networks, I'd say).
To be honest, what kind of prat is trying to pay for a coffee with a phone app? And paying in cash is just as bad in this day and age. NFC payments or a card, people. Stop faffing around with proprietary tech that reinvents a wheel that's been around for over a decade now.
I literally cannot remember the last time I paid for anything in cash. I have precisely £0 and 0p on my person now. Even the pound-coin in the car for the shopping trolley is a fake one.
I have never used a proprietary app in a shop (I have PayPal and Android Pay on my phone for office-biscuit-fund-even-out matters, neither can authorise any payment whatsoever as NFC is off and they both need my password to work).
I haven't even used tap-payments yet.
I just use a card, like I have for the last 20 years.