At the very least, do POST instead of GET, so the password doesn’t end up in the url. It’s a little too obvious that way. I assume Arduino can handle a POST.
In any case the ‘correct’ way to do http is that GET only allows getting data, but POST/PUT/DELETE etc performs operations (like turning a valve on).
Overall the protocol OpenSprinkler is using is a little “weird” and not really following the typical REST patterns. It’s definitely the first time I’ve seen the need for bit-wise operators to parse input/output. I assume this is to save the amount of data being sent, but I doubt that extreme compression is worth it over just doing some normal obvious spelled-out set of JSON operators.
Btw… I get you can fix the password issue in the apps. It still needs fixing on the device itself, since it’s built-in webpages doesn’t properly encode parameters either.