I rely on Strong App for daily workout tracking but wanted to avoid platform lock-in and maintain full ownership of my data.
So I reverse-engineered the Strong API behind the app to export and persist my workout history.
In the process, I identified and responsibly disclosed several API vulnerabilities, including a Premium status bypass and an email verification bypass.
In the end, I wrote a Rust-based service that fetches the data and stores it in ClickHouse, enabling custom dashboards and visualization via Grafana.