[HN Gopher] Getting my library cards onto my phone the hard way
___________________________________________________________________
Getting my library cards onto my phone the hard way
Author : alex_hirner
Score : 168 points
Date : 2023-10-28 15:26 UTC (7 hours ago)
(HTM) web link (iliana.fyi)
(TXT) w3m dump (iliana.fyi)
| amluto wrote:
| > for some reason, passes are cryptographically signed, and they
| have to be signed with a key known to one of Apple's certificate
| authorities. Cryptographically signing these files makes some
| sense when you consider that passes were designed to get
| automatic updates from their vendors; for example, your boarding
| pass for a flight reflecting gate changes or changing your seat
| assignment.
|
| How does this make sense? There's a perfectly well supported
| system for doing this: HTTPS.
|
| Maybe Apple wants passes to be verifiable by the phone offline
| instead of just when updated? This still seems silly -- a
| malicious actor could _replace_ a pass instead of updating it.
| robryk wrote:
| Having the initial pass specify the public key that it accepts
| for updates would be sufficient. Having an association with an
| Apple developer account doesn't help for the updates problem at
| all AFAICT.
|
| The only reason I came up with for the blessed-by-Apple
| requirement I came up with is selling fake tickets. There is no
| way to tell (with or without that requirement) whether a pkpass
| file with a "ticket to concert X" is actually legit. So, one
| can try to combat the (potential?) problem by responding to
| complaints of fraud by revoking the corresponding developer's
| account. However, that doesn't seem like a solution either:
| developer account are probably way cheaper than how much you
| can gain on fraud before you get caught in that way.
| lxgr wrote:
| Yeah, I also found the justifications for Apple requiring
| passes to be signed pretty vague. Locking things down is just
| the default for Apple; it's usually only in later iterations
| that they open up integrations to the broader ecosystem.
|
| On the face of it, it's really weird to require passes to be
| signed: I can always just store a PNG or PDF showing the same
| bar code in my photo library or files app and present that.
| Imagine iOS only displaying signed PDFs!
| nash wrote:
| So.. I just added my card to Stocard and used it a King County.
| Took 2 minutes, on my phone, synced across devices.
|
| Or yeah, you could do it that way I guess.
| gumby wrote:
| This eliminates the need for multiple wallets. Plus it's a fun
| hack.
|
| Stocard addresses a different point in the design space.
| yftsui wrote:
| If you are using an app for it, King County Library app already
| has the barcode anyway...
| k8svet wrote:
| Oooh, now do Orca cards next. Seattle is one of the tech capitals
| of the United States, and on top of the metro system just being
| not great, it's also technically inferior to nearly every single
| other major city that I've used public transit. Pick any European
| city, CDMX, Denver. They're all light years ahead of Seattle.
| Denver might have been my favorite.
|
| Fun fact, one of the orgs that runs Orca actually wrote a blog
| post mentioning they were adding NFC support to their Android app
| (with some absurdly long timeline). That post is no longer to be
| found, and of course, years later, that functionality is absent.
| organsnyder wrote:
| My local transit system just added tap-to-pay that works with
| any credit card (or Apple/Google Pay etc.). As long as you use
| the same card it handles transfers, multi-day passes, etc.
| seamlessly as well--it will automatically ensure you're getting
| the correct rate (e.g. no charge for passes or rides after a
| certain number within a certain period).
| snazz wrote:
| This is how it works in London and I think New York as well
| now. Big upgrade over loading money on a card.
| fotta wrote:
| Clipper-accepting agencies in the SF Bay Area will have
| this next summer too.
| monksy wrote:
| This system really sucks because you can't just slide your
| wallet over the reader. It'll pick up your cc before your
| transit pass.
|
| The move to do tap based transit with cc s is pretty stupid
| as that cc s get replace far more frequently than transit
| cards. The only person this really benefits is new users to
| the system that haven't figured out how to get a transit card
| yet.
| skykooler wrote:
| This sort of system is really nice for visitors, tourists
| etc., though.
| ghaff wrote:
| For a city you don't visit often--especially if you're
| going to a bunch of cities on the trip--dealing with
| transit apps/cards/etc. that are specific to the city is
| a royal pain. I'm fine if it's a city I visit regularly--
| I have an Oyster card for London that I've had for a
| number of years. In general, though, I'd rather default
| to using a credit card.
| gumby wrote:
| Transit card is simply another thing to haul out, manage
| etc. What advantage does it have over a cc?
|
| Also with it baked into your card you don't have to pull
| anything out since your phone is almost always at hand.
| LeafItAlone wrote:
| > as that cc s get replace far more frequently than transit
| cards. The only person this really benefits is new users to
| the system that haven't figured out how to get a transit
| card yet.
|
| I respectfully disagree. I've lost more transit cards than
| credit cards. And since the tap-to-pay on credit card also
| works with Apple Pay and Apple has the ability to choose
| which card to apply transit charges to, it gets the same
| one every time. I have found the new system to be
| preferred. Plus, if every system implemented this, it makes
| it easier to travel and not worry about loading up a
| transit card that then loses its value (I have a few in my
| drawers from cities I've visited once).
| lxgr wrote:
| > The only person this really benefits is new users to the
| system that haven't figured out how to get a transit card
| yet.
|
| In many transit systems, that's millions of people per
| year: Tourists, occasional riders that would just forget
| the pass at home if they're not using it regularly etc.
|
| > This system really sucks because you can't just slide
| your wallet over the reader. It'll pick up your cc before
| your transit pass.
|
| There's theoretically ways to preferentially pick a given
| type of card, but it's quite hard and unreliable to
| implement, so I guess that rather than promising something
| they can't reliably deliver (and slowing things down in the
| process), transit systems just pick the first card.
|
| It is slightly inconvenient for transit-pass-only users,
| but I do also see the huge benefits for the transit system
| and its users in aggregate.
| vermilingua wrote:
| My only gripe with this mode (with Opal in Sydney) is that
| you don't get the trip fare displayed on the gate when you
| pay with a payment card. I imagine this is a technical
| limitation (Opal stores trip detais on-card, which it can't
| do with a payment card), and is a low priority anyway (as you
| don't need to know when to top up a payment card) but would
| be nice to have.
| Kye wrote:
| I wonder how much it costs to maintain a system to collect
| fares compared the small portion of funding most transit
| systems would lose from going fare free.
| piperswe wrote:
| Going fare free would induce demand which would increase
| operating costs, so it's not that simple.
| Analemma_ wrote:
| The other thing about going fare-free-- which people don't
| like to discuss but it is a real effect which has been
| measured-- is that it causes much more anti-social behavior
| on the bus, which decreases ridership among people who have
| only a slight preference for transit versus just driving
| their car. This not only makes traffic worse (which kinda
| defeats the whole purpose), it also tanks political support
| for transit, since fewer voters are using it and then they
| see no point in supporting it.
| Kye wrote:
| Can you point to where you found this measurement? This
| is the first I've heard of it.
| dmoy wrote:
| I first heard of it from the transit union here in
| Seattle when they axed the downtown free bus zone like 10
| years ago. There was some vague mention of the bus
| drivers in ... somewhere in Texas... like 30 years before
| that.
|
| Beyond that I haven't heard much of it because as I
| understand it, there isn't much free transit anywhere
| big.
| fyrn_ wrote:
| Citation needed for that causes anti social behavior
| claim!
| bobthepanda wrote:
| Depending on the agency it's not very small.
|
| New York MTA has a farebox recovery of about 40-50% in any
| given year, and few people or organizations could stomach a
| pay cut of half without serious damage.
| _huayra_ wrote:
| Google Wallet will soon support this (from a few days ago):
| https://blog.google/products/google-pay/commute-around-the-w...
|
| edit: linking to Google's blog directly
| gattilorenz wrote:
| Related: isn't there a way to "clone" an NFC card using
| (rooted) Android?
|
| I have been looking into how feasible it could be doing so on
| iOS since my office door opens via an NFC card, but iirc Apple
| has a tighter grip on the NFC hardware than with general
| PassKit, meaning that a regular app can't do that.
| jackson1442 wrote:
| Kinda. NFC is a broad spectrum of protocols. For example the
| old blue Orca cards are MiFare DESFire cards which actually
| store the card's value in the card's internal chip- this type
| (while having some flaws) cannot easily be copied onto a
| phone.
|
| A simple NFC tag with binary data is trivial to copy though.
| lxgr wrote:
| Only very old systems, or those where the cost of the tag has
| to be as low as possible (e.g. for single-ride throwaway
| paper tickets), use unauthenticated bearer tokens.
|
| Access control systems these days usually do not, for obvious
| reasons.
| konaraddi wrote:
| https://info.myorca.com/news/can-i-use-my-phone-to-pay-for-a...
|
| Tap to pay coming to orca in 2023, they've got ~2 months left
| for it to be true
|
| I'm optimistic because google recently put out a post that
| google wallet will support ORCA soon (as shared by another
| commenter)
| fyrn_ wrote:
| https://info.myorca.com/news/can-i-use-my-phone-to-pay-for-a...
|
| The post still exists, but no updates since then
| besthknow wrote:
| Best transit card I have used has been in HK. The value on the
| card can be used in small shops around the city up to $150
| dollars.
| js2 wrote:
| So wait: you don't want to pay Apple $99 and you don't want to
| pay for one of the apps that generates a pass for you, but you'll
| extract the cert from one of those apps thereby piggybacking on
| another developer's $99 payment to Apple.
|
| That's uncool.
|
| On a slightly related note: a site I login to regularly uses
| Semantic VIP Access for 2FA. You can convert these to standard
| TOTP codes so that you can load them into the Apple Keychain or
| whatever other TOTP program you prefer:
|
| https://github.com/dlenski/python-vipaccess
| circuit10 wrote:
| I think if you are locked out from doing what you want on your
| phone that you bought through arbitrary software locks then you
| should have the right to bypass that. This isn't costing the
| app developer anything, nor were they even using the app to
| generate the pass, so I don't really see any issue here
| js2 wrote:
| It's taking advantage of another developer's $99 payment. I
| just took a look at one of these apps and the in-app purchase
| to remove ads is $1.99. I think if I did this I'd throw that
| developer the 2 bucks.
|
| Sort of like when you bum a ride from someone, even though
| it's not costing them anything, it's good form to offer to
| split the cost of gasoline.
| circuit10 wrote:
| It would be nice to do that but I don't think this is some
| horribly immoral thing either
| saagarjha wrote:
| Look I'll generate and give you a certificate for free if
| you want one.
| js2 wrote:
| I'd pay Apple $99 before I asked another developer to do
| that for me, probably putting their agreement with Apple
| at risk.
|
| Taking a principled stance against Apple is fine. I'm
| totally onboard with that. I only think it's uncool to
| take that stance and then use another developer's cert
| without their permission. Even though it's unlikely, it
| can only harm that other developer.
|
| Based on all the downvotes HN seems to disagree, but I
| don't see what's so unreasonable about my position.
| tzs wrote:
| > But having the barcode is far more convenient, and I'd like to
| have it without having to keep yet another plastic card I rarely
| use in my wallet.
|
| > So I put it on my phone, in my iPhone's Wallet app
|
| Another option would be to literally put the barcode _on_ the
| phone.
|
| Print it on a small piece of paper, about 15mm wide, and tape it
| to the back of the phone with some transparent tape.
| js2 wrote:
| Or take a picture of card and store it in a note. I do this for
| things like my insurance cards, driver license, etc.
| dkurth wrote:
| I solved this problem by taking a photograph of my library card.
| To check out a book, I load the picture and hold it up to the
| scanner.
| wandermatt wrote:
| I added an image of my barcode to a location based reminder, so
| it pops up in a notification when I go to my local library.
| clintfred wrote:
| That's amazing. Truly. I'm assuming you're on iPhone. Anyone
| know if there is a way to do this in Android?
| gattilorenz wrote:
| If you use Google Keep for the note, it's easy to do
| mksybr wrote:
| https://tasks.org/docs/location/
| throwaway742 wrote:
| Tasker
| tantalor wrote:
| https://support.google.com/keep/answer/3187168
|
| > You can set reminders to go off at a certain time or
| place
| yumraj wrote:
| How do you do that, on iOS?
| iLoveOncall wrote:
| Check the official Shortcuts app.
| wenc wrote:
| This is a brilliant and simple solution. If it's a static
| barcode, a photo is all that is needed.
|
| There's little advantage to having it in the wallet.
|
| I store all my IDs in a Photo Album on my phone.
| x0ul wrote:
| This is a great hack to get custom passes/codes into the wallet,
| and I'm glad the author wrote it up. I may end up doing this
| myself. That shell script to generate a bmp was wild.
| dividuum wrote:
| Pass4wallet is a nice app for that, if you're ok with your pass
| data being (according to their privacy policy) sent to their
| server, signed and then deleted.
| jeffgreco wrote:
| I did this just last week with my Chicago Public Library card
| and Pass4wallet and it's great, even though CPL scanners still
| can't scan screen codes.
| smithza wrote:
| I came here looking for this. The write-up is interesting for a
| deep dive in Apple interfacing... obviously though is too
| involved for a simple library card. Thanks.
| desro wrote:
| This is a really great write up, very clear and easy to follow.
| Was very impressed at your pure bash barcode generator. I'm eager
| to try this out on my own library card!
| inasio wrote:
| I expected something more like squeezing the cards with NIF
| lasers (and alchemy) into diamond lattices encoding the
| information and then hacking it alongside phone storage
| gumby wrote:
| Wasn't that already posted on HN a couple of weeks ago? :-)
| somat wrote:
| Only slightly related but my preferred way to generate barcodes
| is the barcode writer in pure postcsript.
|
| https://bwipp.terryburton.co.uk/
| x0ul wrote:
| Thanks for posting, I've never seen this before and it's
| absolutely fantastic
| teddyh wrote:
| I use GNU Barcode: <https://www.gnu.org/software/barcode/>
| mherdeg wrote:
| Gosh. I just emailed myself a .png of the barcode containing my
| library card number and open it in, like, the Photos or Gmail app
| when I'm at the kiosk.
| phyzome wrote:
| They _did_ specify that this was the hard way. :-)
| electrondood wrote:
| This is indeed the hard way.
|
| I just used Stocard to scan my library card barcodes. Done.
| cglong wrote:
| This was a great blogpost, but then ends with:
|
| > I will note that I have not yet tested this pass in a real
| library yet
|
| I get this project was mostly for fun, but why not spend the 10
| minutes it takes to test the final solution before sharing your
| work?
| skykooler wrote:
| Library might not be open on a Saturday?
| MollyRealized wrote:
| Yes, that kind of ruined the entire article for me. "I have
| this great scientific theory about oxygen loss during running.
| I will admit, I have not actually started jogging yet, but ...
| "
| lxgr wrote:
| I mean, it's ultimately a bunch of pixels representing a
| barcode to be scanned. As long as it displays correctly, what
| could go wrong?
| Ayesh wrote:
| Those cheap laser "1D" bar code scanners cannot read off a screen
| (except maybe eInk). It sucks because the supermarkets I frequent
| have their loyalty cards based off barcodes. Fortunately, barcode
| readers emulate keyboards so you can just type the code on a
| keyboard.
| samtho wrote:
| I made a cheap barcode display-er with a Bluetooth MCU and an
| E-ink display, that works for all 1D only barcode scanners.
| lxgr wrote:
| That's really neat! Real-life Doctor Who psychic paper,
| basically :)
| lxgr wrote:
| As far as I understand, that's because older systems don't use
| a digital image sensor to scan these, but rather a rotating
| laser beam and a simple photo diode registering the variations
| in brightness caused by varying reflections of the laser beam
| by the white and black parts of the barcode.
|
| A camera-based scanner doesn't care where the illumination of
| the barcode is coming from (i.e. ambient light, its own LED
| illuminating a piece of paper, or an active backlit screen);
| that laser-based system is purely based on its own reflected
| light, though, and won't work with actively backlit screens at
| all. (I wonder if it works with e-ink or passive LCD displays!)
| karaterobot wrote:
| > Our local libraries, The Seattle Public Library and the King
| County Library System, issue pieces of plastic with barcodes
| printed on the back assigned to your borrower account.
|
| I just memorized my account number for KCLS. It should take maybe
| 30 seconds to commit it to memory--though your mileage may vary,
| I have to believe it's faster than this. After that, you just
| type in the account number instead of scanning the bar code, and
| probably do it in less time than it takes to get your phone
| ready. I don't know if SPL works the same way, as I'm not in
| Seattle.
| wging wrote:
| If you don't feel like memorizing it, you could also store it
| on your phone in your password manager of choice.
| folmar wrote:
| Do it the 1990s way, just add it to the phone book.
| Scoundreller wrote:
| Used to do that for alarm codes for different locations I
| worked at and the last 4 numbers would be the code.
|
| Mr John Springfield - xxx-xxx-1234
|
| Mr John Madison - xxx-xxx-5309
|
| Etc etc
| rhplus wrote:
| Stocard app worked for me. Simple and has an Apple Watch app to
| boot.
|
| https://stocardapp.com/
| nehal3m wrote:
| Yup, I use this too for all my loyalty cards. Works a treat,
| also brightens the display when you have a barcode up.
| samtho wrote:
| I really love barcodes and barcode symbology for reasons I cannot
| fully explain. I even wore the npm module named 'barcode' which I
| desperately need to update.
|
| Fun fact about codabar, it is among the only barcode symbologies
| that can be implemented completely as a plain font.
| tonyedgecombe wrote:
| 2 of 5 can be as well (but not the interleaved version).
| lxgr wrote:
| Interesting, why is that? Due to character boundaries and
| encoded-character-as-symbol boundaries not overlapping for the
| other codes?
|
| And do you know if that was a conscious design choice?
| underseacables wrote:
| My library card and a lot of other barcoded cards that I use are
| stored in an app called Key Ring. It works really well.
| ajot wrote:
| For anyone wanting to do something like this on an Android phone,
| there is Catima (on Google Play and FDroid), which supports many
| types of barcodes.
|
| https://catima.app/
___________________________________________________________________
(page generated 2023-10-28 23:00 UTC)