Bugs found in Playbook: Workout, Fitness App for Android
Playbook is a digital platform that caters to the needs of fitness, wellness, and sports content creators and their communities by providing a streamlined way to share and monetize their training content. Playbook is available in a web browser and as an Android app.
Playbook allows creators to form paid subscription models, initiate private discussion threads, and update their feeds with unique content. It enables users to connect with their favorite internet personalities, access exclusive content, and participate in a highly engaged, monetized community. Premium features include access to wellness guides, daily workouts, programs, challenges, live-streaming classes, and other valuable options.
The QAwerk team studied the Playbook app as part of our Bug Crawl project and discovered a few areas that needed improvement, and we would like to share our findings.
Users can gain unlimited free access to sessions using the 'Gift a Friend' feature
Major
Ensure that the app is installed.
- Log in using a new account.
- Move to ‘Judd Lienhard/mass method challenge/week 1 day 2’.
- Tap on the ‘Gift a Friend’ button and copy the link.
- Log in to another account using the same email but with an extra “+code” suffix.
- Open the copied link to gain access to the session.
- Switch to ‘Judd Lienhard/mass method challenge/week 1 day 3’ in the second account and share the link.
- Return to the first account and access the session using the recently shared link.
- Repeat these steps for ‘Judd Lienhard/mass method challenge/week 1 day 4’.
Poco F4, Android 13
Both accounts have unlimited free access to three different sessions via the ‘Gift a Friend’ feature.
The ‘Gift a Friend’ feature should grant only limited access to shared sessions, so that it cannot be used to obtain unlimited free access.
Switching accounts does not clear gifted sessions
Major
The app is installed on the device.
- Log into an account containing gifted sessions.
- Log out of this account.
- Log into a new, previously unused account.
- Verify the session availability in the new account.
Poco F4, Android 13
The gifted sessions from the initial account are accessible in the newly switched account.
The gifted sessions should not be accessible once an account is switched.
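One way a backend could enforce the expected results of the two paywall bugs above, shown as an added example that is not Playbook's or QAwerk's code: gift redemptions are counted per canonical email, so a “+code” alias shares its owner's quota, and entitlements are looked up per account id, so nothing carries over on an account switch. The `GiftLedger` class, the quota of one gift, the account and session ids, and the policy of collapsing every `+suffix` (plus-addressing is provider-specific, so this is deliberately strict) are all assumptions.

```python
from collections import defaultdict

MAX_GIFTS = 1  # assumed quota; the report only asks for "limited access"


def canonical_email(email: str) -> str:
    """Collapse plus-addressed aliases: user+code@host -> user@host."""
    local, sep, domain = email.strip().lower().rpartition("@")
    base = local.split("+", 1)[0]
    if not (sep and base and domain):
        raise ValueError(f"not an email address: {email!r}")
    return f"{base}@{domain}"


class GiftLedger:
    """Hypothetical server-side record of who may open which gifted session."""

    def __init__(self, max_gifts: int = MAX_GIFTS):
        self.max_gifts = max_gifts
        self.emails = {}                   # account id -> registered email
        self.redeemed = defaultdict(set)   # canonical email -> gifted session ids
        self.entitled = defaultdict(set)   # account id -> session ids it may open

    def register(self, account_id: str, email: str) -> None:
        self.emails[account_id] = email

    def redeem(self, sender_id: str, recipient_id: str, session_id: str) -> bool:
        sender = canonical_email(self.emails[sender_id])
        recipient = canonical_email(self.emails[recipient_id])
        if sender == recipient:
            return False                   # the "friend" is an alias of the sender
        if session_id in self.entitled[recipient_id]:
            return True                    # reopening an already redeemed link
        if len(self.redeemed[recipient]) >= self.max_gifts:
            return False                   # quota is shared by all aliases
        self.redeemed[recipient].add(session_id)
        self.entitled[recipient_id].add(session_id)
        return True

    def sessions_for(self, account_id: str) -> set:
        # Looked up by the logged-in account, never from device-local state.
        return set(self.entitled.get(account_id, ()))


def replay_report() -> list:
    """Replays the reported steps with constructed accounts and session ids."""
    ledger = GiftLedger()
    ledger.register("acct-1", "tester@example.com")        # constructed
    ledger.register("acct-2", "tester+code@example.com")   # constructed alias
    return [ledger.redeem("acct-1", "acct-2", "week1-day2"),
            ledger.redeem("acct-2", "acct-1", "week1-day3"),
            ledger.redeem("acct-1", "acct-2", "week1-day4")]
```

With these checks, every gift exchanged between the two aliased accounts in the replayed steps is refused, and a freshly logged-in account starts with no gifted sessions.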
'Become a Creator' button in the Android app incorrectly redirects to the Apple App Store
Minor
- The app must be installed.
- The user must be logged into their account.
- Open the app.
- Navigate to the ‘Account’ tab.
- Tap on the ‘Become a Creator’ button.
Poco F4, Android 13
Upon tapping on the ‘Become a Creator’ button, the user is redirected to the Apple App Store instead of an appropriate platform for Android users.
The ‘Become a Creator’ button should lead the user to a relevant page within the Android app or a suitable Android-compatible destination.
After testing the Playbook app, I identified two critical bugs that can help users bypass the paywall and several visual and UI inconsistencies. I recommend developers optimize UI experiences and pay attention to the critical paywall issue, which could significantly impact the app's security.