I don't know about iOS, but at least on Android it's easy to decompile Java. Variable names aren't going to be the same, so you won't see the deliberate intent as you see here, but you'd still see that the number was randomly generated.
Now, if they generated the value server-side then we'd really never know, whether it's a mobile app or a web page... not that I want to give scumbags ideas, but this is pretty obvious.
Why is that? You can easily look at the requests and see where the numbers are coming from. It's not as easy as right clicking in the browser but if it would be a normal Desktop app it would also not work like that.
