As many other transit authorities, the STM [0] offers "GTFS" data (a standard feed format for transit info) [1].
Mucking around STM's public site, you'll also see the schedule information go by if you inspect the network requests. From what I've seen, their API endpoints are stable, reliable and fast. I've had to do ~2 updates in >1 year of service.
If you use MITMProxy or Charles you can easily intercept the traffic on 99% of all iPhone/Android apps (bit harder if pinned-sertificate). These API’s are often stable because a lot of users don’t update their apps that often.
For newer android apps this is no longer true. By default, apps only trust system CA's. User added System CA's are not trusted by apps. I believe only the browser uses the user added CA's.
It can be crazier than that. App makers who work with important APIs often pin to specific certificates (not signers) so we have an one final absolute emergency measure to kill a version and force an upgrade when we have to.
That is what I refer to as pinned-certificate. Not often used except from some of the biggest companies like Facebook and Snapchat. See my answer on how to go around this.
P.S. does the transit authority offer an API or is this prone to breaking when they change their page layout?
[edit: I just read about the rumor on your webpage. Clarifies.]