Security honesty
Found -> fixed, with the remaining limits left visible.
These rows come from the 2026-06-10 audit material and the source repositories' `origin/main` history. The table only marks an item fixed when a commit, source file, or test file exists.
| Finding | Found | Fixed evidence | Status |
|---|---|---|---|
| Client-trusted athleteId created an IDOR chain | The audit found activity endpoints and Android flows that trusted client-supplied athlete IDs after OAuth. | Backend origin/main includes SessionTokenService, OAuthStateService, ActivityAuthInterceptor, and WebMvcConfig; Android tests require token-only deep links and Authorization headers on backend requests. Source: Backend commit 5af7b0d; android LoginDeepLinkParserTest.kt and ApiServiceTest.kt; evidence SA. | Fixed |
| Plain Strava tokens were stored in database columns | The project stored Strava access and refresh tokens as normal athlete fields before the hardening slice. | EncryptedTokenConverter encrypts non-empty tokens with AES-GCM, permits legacy plaintext reads for migration, and defers key lookup for native AOT processing. Source: Backend merges bd83e9e and b0eff1d; EncryptedTokenConverterTest.java. | Fixed |
| Global mobile search could expose other athletes | The Android client called a global activity search path, and docs described cross-athlete search as a P0 production-readiness risk. | Android now calls the athlete-scoped route, backend search fallback receives athleteId, and tests pin the scoped Retrofit route and fallback behavior. Source: Backend merge bd83e9e; android commit 2b1b491; ActivitySearchServiceTest and ApiServiceTest. | Fixed |
| Malformed webhooks and CSV imports had unsafe failure modes | Webhook shape assumptions could throw, and unknown CSV dates could silently become current timestamps. | Webhook and CSV parsing tests cover safe acknowledgement, deterministic date parsing, and invalid-row skipping. Source: StravaWebhookControllerTest.java and ActivityServiceTest.java on backend origin/main. | Fixed |
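The token-encryption row above describes three properties: AES-GCM for non-empty values, legacy plaintext still readable during migration, and key lookup deferred until first use. The class below is an added illustration of that shape, not the project's EncryptedTokenConverter; the `enc:v1:` marker, the key `Supplier`, and the method names are assumptions chosen so the two methods mirror a JPA `AttributeConverter<String, String>` without needing the persistence API on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.function.Supplier;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical token column converter: AES-256-GCM on write, legacy plaintext
// tolerated on read, key resolved lazily (never in the constructor, so class
// initialisation does not need the secret present).
public final class TokenColumnCrypto {
    private static final String PREFIX = "enc:v1:";   // marks ciphertext rows; OAuth tokens never start with it
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final Supplier<byte[]> keySupplier;       // deferred key lookup
    private final SecureRandom random = new SecureRandom();

    public TokenColumnCrypto(Supplier<byte[]> keySupplier) { this.keySupplier = keySupplier; }

    public String toDatabaseColumn(String token) throws Exception {
        if (token == null || token.isEmpty()) return token;   // nothing to protect
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                                 // fresh nonce for every write
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keySupplier.get(), "AES"),
               new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8)); // ciphertext || GCM tag
        return PREFIX + Base64.getEncoder().encodeToString(iv) + ":"
                      + Base64.getEncoder().encodeToString(ct);
    }

    public String toEntityAttribute(String column) throws Exception {
        if (column == null || !column.startsWith(PREFIX)) return column; // legacy plaintext row
        String[] parts = column.substring(PREFIX.length()).split(":", 2); // Base64 never contains ':'
        byte[] iv = Base64.getDecoder().decode(parts[0]);
        byte[] ct = Base64.getDecoder().decode(parts[1]);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keySupplier.get(), "AES"),
               new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8); // AEADBadTagException if the row was altered
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);                    // constructed demo key, not a real secret
        TokenColumnCrypto crypto = new TokenColumnCrypto(() -> key);
        String stored = crypto.toDatabaseColumn("demo-access-token");
        System.out.println(stored.startsWith(PREFIX) + " " + crypto.toEntityAttribute(stored));
        System.out.println(crypto.toEntityAttribute("legacy-plaintext-token")); // returned unchanged
    }
}
```

The read path is what makes a rolling migration safe: rows without the marker are returned as-is, and every row is rewritten under the marker the next time the entity is saved, so the plaintext fallback can be removed once no unmarked rows remain.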
Open item
No full Spring Security migration or session revocation yet
The current boundary is an explicit first-party HMAC session layer. Server-side revocation and a full Spring Security integration remain out of scope.
Source: strava-ai-insights/docs/code_review.md
Open item
Real Strava OAuth and device QA remain release gates
The audit docs record local tests, not a physical-device OAuth walkthrough or live Strava callback proof for this pass.
Source: strava-ai-insights/docs/test_analysis.md
Open item
Hibernate-managed schema still needs migration discipline
Feature docs repeatedly call out Flyway or Liquibase adoption as a follow-up before stronger production rollout claims.
Source: strava-ai-insights/docs/system_analysis.md
Open item
Diagnostic search remains behind bearer auth
Mobile no longer uses global search, but backend origin/main still contains a debug search path. Do not claim every diagnostic search surface was deleted.
Source: family-finance/docs/docs/system-analysis/2026-06-11-v01-strava-telegram-case-study-evidence-sa.md