You are right on locally storing the latest state on balances.
Due to untrustworthy network, Alice could miss signed message either purposely or unwillingly (under manipulation), but what matters is that only when Alice receive a valid signature with updated states/balances (that she could compared with her locally stored last state), only then will she conceive the payment as secure and offer service to Bob/sender. In case of interrupted/corrupted message delivery, Alice could ask Bob to signed again with the same “updated states”. No one can double-spend the money.
In terms of http connection, the “payment” is just a signed message, shouldn’t be a problem if they have a smartphone and a normal messaging app for simplicity~