[HN Gopher] Getting my library cards onto my phone the hard way ___________________________________________________________________ Getting my library cards onto my phone the hard way Author : alex_hirner Score : 168 points Date : 2023-10-28 15:26 UTC (7 hours ago) (HTM) web link (iliana.fyi) (TXT) w3m dump (iliana.fyi) | amluto wrote: | > for some reason, passes are cryptographically signed, and they | have to be signed with a key known to one of Apple's certificate | authorities. Cryptographically signing these files makes some | sense when you consider that passes were designed to get | automatic updates from their vendors; for example, your boarding | pass for a flight reflecting gate changes or changing your seat | assignment. | | How does this make sense? There's a perfectly well supported | system for doing this: HTTPS. | | Maybe Apple wants passes to be verifiable by the phone offline | instead of just when updated? This still seems silly -- a | malicious actor could _replace_ a pass instead of updating it. | robryk wrote: | Having the initial pass specify the public key that it accepts | for updates would be sufficient. Having an association with an | Apple developer account doesn't help for the updates problem at | all AFAICT. | | The only reason I came up with for the blessed-by-Apple | requirement I came up with is selling fake tickets. There is no | way to tell (with or without that requirement) whether a pkpass | file with a "ticket to concert X" is actually legit. So, one | can try to combat the (potential?) problem by responding to | complaints of fraud by revoking the corresponding developer's | account. However, that doesn't seem like a solution either: | developer account are probably way cheaper than how much you | can gain on fraud before you get caught in that way. | lxgr wrote: | Yeah, I also found the justifications for Apple requiring | passes to be signed pretty vague. Locking things down is just | the default for Apple; it's usually only in later iterations | that they open up integrations to the broader ecosystem. | | On the face of it, it's really weird to require passes to be | signed: I can always just store a PNG or PDF showing the same | bar code in my photo library or files app and present that. | Imagine iOS only displaying signed PDFs! | nash wrote: | So.. I just added my card to Stocard and used it a King County. | Took 2 minutes, on my phone, synced across devices. | | Or yeah, you could do it that way I guess. | gumby wrote: | This eliminates the need for multiple wallets. Plus it's a fun | hack. | | Stocard addresses a different point in the design space. | yftsui wrote: | If you are using an app for it, King County Library app already | has the barcode anyway... | k8svet wrote: | Oooh, now do Orca cards next. Seattle is one of the tech capitals | of the United States, and on top of the metro system just being | not great, it's also technically inferior to nearly every single | other major city that I've used public transit. Pick any European | city, CDMX, Denver. They're all light years ahead of Seattle. | Denver might have been my favorite. | | Fun fact, one of the orgs that runs Orca actually wrote a blog | post mentioning they were adding NFC support to their Android app | (with some absurdly long timeline). That post is no longer to be | found, and of course, years later, that functionality is absent. | organsnyder wrote: | My local transit system just added tap-to-pay that works with | any credit card (or Apple/Google Pay etc.). As long as you use | the same card it handles transfers, multi-day passes, etc. | seamlessly as well--it will automatically ensure you're getting | the correct rate (e.g. no charge for passes or rides after a | certain number within a certain period). | snazz wrote: | This is how it works in London and I think New York as well | now. Big upgrade over loading money on a card. | fotta wrote: | Clipper-accepting agencies in the SF Bay Area will have | this next summer too. | monksy wrote: | This system really sucks because you can't just slide your | wallet over the reader. It'll pick up your cc before your | transit pass. | | The move to do tap based transit with cc s is pretty stupid | as that cc s get replace far more frequently than transit | cards. The only person this really benefits is new users to | the system that haven't figured out how to get a transit card | yet. | skykooler wrote: | This sort of system is really nice for visitors, tourists | etc., though. | ghaff wrote: | For a city you don't visit often--especially if you're | going to a bunch of cities on the trip--dealing with | transit apps/cards/etc. that are specific to the city is | a royal pain. I'm fine if it's a city I visit regularly-- | I have an Oyster card for London that I've had for a | number of years. In general, though, I'd rather default | to using a credit card. | gumby wrote: | Transit card is simply another thing to haul out, manage | etc. What advantage does it have over a cc? | | Also with it baked into your card you don't have to pull | anything out since your phone is almost always at hand. | LeafItAlone wrote: | > as that cc s get replace far more frequently than transit | cards. The only person this really benefits is new users to | the system that haven't figured out how to get a transit | card yet. | | I respectfully disagree. I've lost more transit cards than | credit cards. And since the tap-to-pay on credit card also | works with Apple Pay and Apple has the ability to choose | which card to apply transit charges to, it gets the same | one every time. I have found the new system to be | preferred. Plus, if every system implemented this, it makes | it easier to travel and not worry about loading up a | transit card that then loses its value (I have a few in my | drawers from cities I've visited once). | lxgr wrote: | > The only person this really benefits is new users to the | system that haven't figured out how to get a transit card | yet. | | In many transit systems, that's millions of people per | year: Tourists, occasional riders that would just forget | the pass at home if they're not using it regularly etc. | | > This system really sucks because you can't just slide | your wallet over the reader. It'll pick up your cc before | your transit pass. | | There's theoretically ways to preferentially pick a given | type of card, but it's quite hard and unreliable to | implement, so I guess that rather than promising something | they can't reliably deliver (and slowing things down in the | process), transit systems just pick the first card. | | It is slightly inconvenient for transit-pass-only users, | but I do also see the huge benefits for the transit system | and its users in aggregate. | vermilingua wrote: | My only gripe with this mode (with Opal in Sydney) is that | you don't get the trip fare displayed on the gate when you | pay with a payment card. I imagine this is a technical | limitation (Opal stores trip detais on-card, which it can't | do with a payment card), and is a low priority anyway (as you | don't need to know when to top up a payment card) but would | be nice to have. | Kye wrote: | I wonder how much it costs to maintain a system to collect | fares compared the small portion of funding most transit | systems would lose from going fare free. | piperswe wrote: | Going fare free would induce demand which would increase | operating costs, so it's not that simple. | Analemma_ wrote: | The other thing about going fare-free-- which people don't | like to discuss but it is a real effect which has been | measured-- is that it causes much more anti-social behavior | on the bus, which decreases ridership among people who have | only a slight preference for transit versus just driving | their car. This not only makes traffic worse (which kinda | defeats the whole purpose), it also tanks political support | for transit, since fewer voters are using it and then they | see no point in supporting it. | Kye wrote: | Can you point to where you found this measurement? This | is the first I've heard of it. | dmoy wrote: | I first heard of it from the transit union here in | Seattle when they axed the downtown free bus zone like 10 | years ago. There was some vague mention of the bus | drivers in ... somewhere in Texas... like 30 years before | that. | | Beyond that I haven't heard much of it because as I | understand it, there isn't much free transit anywhere | big. | fyrn_ wrote: | Citation needed for that causes anti social behavior | claim! | bobthepanda wrote: | Depending on the agency it's not very small. | | New York MTA has a farebox recovery of about 40-50% in any | given year, and few people or organizations could stomach a | pay cut of half without serious damage. | _huayra_ wrote: | Google Wallet will soon support this (from a few days ago): | https://blog.google/products/google-pay/commute-around-the-w... | | edit: linking to Google's blog directly | gattilorenz wrote: | Related: isn't there a way to "clone" an NFC card using | (rooted) Android? | | I have been looking into how feasible it could be doing so on | iOS since my office door opens via an NFC card, but iirc Apple | has a tighter grip on the NFC hardware than with general | PassKit, meaning that a regular app can't do that. | jackson1442 wrote: | Kinda. NFC is a broad spectrum of protocols. For example the | old blue Orca cards are MiFare DESFire cards which actually | store the card's value in the card's internal chip- this type | (while having some flaws) cannot easily be copied onto a | phone. | | A simple NFC tag with binary data is trivial to copy though. | lxgr wrote: | Only very old systems, or those where the cost of the tag has | to be as low as possible (e.g. for single-ride throwaway | paper tickets), use unauthenticated bearer tokens. | | Access control systems these days usually do not, for obvious | reasons. | konaraddi wrote: | https://info.myorca.com/news/can-i-use-my-phone-to-pay-for-a... | | Tap to pay coming to orca in 2023, they've got ~2 months left | for it to be true | | I'm optimistic because google recently put out a post that | google wallet will support ORCA soon (as shared by another | commenter) | fyrn_ wrote: | https://info.myorca.com/news/can-i-use-my-phone-to-pay-for-a... | | The post still exists, but no updates since then | besthknow wrote: | Best transit card I have used has been in HK. The value on the | card can be used in small shops around the city up to $150 | dollars. | js2 wrote: | So wait: you don't want to pay Apple $99 and you don't want to | pay for one of the apps that generates a pass for you, but you'll | extract the cert from one of those apps thereby piggybacking on | another developer's $99 payment to Apple. | | That's uncool. | | On a slightly related note: a site I login to regularly uses | Semantic VIP Access for 2FA. You can convert these to standard | TOTP codes so that you can load them into the Apple Keychain or | whatever other TOTP program you prefer: | | https://github.com/dlenski/python-vipaccess | circuit10 wrote: | I think if you are locked out from doing what you want on your | phone that you bought through arbitrary software locks then you | should have the right to bypass that. This isn't costing the | app developer anything, nor were they even using the app to | generate the pass, so I don't really see any issue here | js2 wrote: | It's taking advantage of another developer's $99 payment. I | just took a look at one of these apps and the in-app purchase | to remove ads is $1.99. I think if I did this I'd throw that | developer the 2 bucks. | | Sort of like when you bum a ride from someone, even though | it's not costing them anything, it's good form to offer to | split the cost of gasoline. | circuit10 wrote: | It would be nice to do that but I don't think this is some | horribly immoral thing either | saagarjha wrote: | Look I'll generate and give you a certificate for free if | you want one. | js2 wrote: | I'd pay Apple $99 before I asked another developer to do | that for me, probably putting their agreement with Apple | at risk. | | Taking a principled stance against Apple is fine. I'm | totally onboard with that. I only think it's uncool to | take that stance and then use another developer's cert | without their permission. Even though it's unlikely, it | can only harm that other developer. | | Based on all the downvotes HN seems to disagree, but I | don't see what's so unreasonable about my position. | tzs wrote: | > But having the barcode is far more convenient, and I'd like to | have it without having to keep yet another plastic card I rarely | use in my wallet. | | > So I put it on my phone, in my iPhone's Wallet app | | Another option would be to literally put the barcode _on_ the | phone. | | Print it on a small piece of paper, about 15mm wide, and tape it | to the back of the phone with some transparent tape. | js2 wrote: | Or take a picture of card and store it in a note. I do this for | things like my insurance cards, driver license, etc. | dkurth wrote: | I solved this problem by taking a photograph of my library card. | To check out a book, I load the picture and hold it up to the | scanner. | wandermatt wrote: | I added an image of my barcode to a location based reminder, so | it pops up in a notification when I go to my local library. | clintfred wrote: | That's amazing. Truly. I'm assuming you're on iPhone. Anyone | know if there is a way to do this in Android? | gattilorenz wrote: | If you use Google Keep for the note, it's easy to do | mksybr wrote: | https://tasks.org/docs/location/ | throwaway742 wrote: | Tasker | tantalor wrote: | https://support.google.com/keep/answer/3187168 | | > You can set reminders to go off at a certain time or | place | yumraj wrote: | How do you do that, on iOS? | iLoveOncall wrote: | Check the official Shortcuts app. | wenc wrote: | This is a brilliant and simple solution. If it's a static | barcode, a photo is all that is needed. | | There's little advantage to having it in the wallet. | | I store all my IDs in a Photo Album on my phone. | x0ul wrote: | This is a great hack to get custom passes/codes into the wallet, | and I'm glad the author wrote it up. I may end up doing this | myself. That shell script to generate a bmp was wild. | dividuum wrote: | Pass4wallet is a nice app for that, if you're ok with your pass | data being (according to their privacy policy) sent to their | server, signed and then deleted. | jeffgreco wrote: | I did this just last week with my Chicago Public Library card | and Pass4wallet and it's great, even though CPL scanners still | can't scan screen codes. | smithza wrote: | I came here looking for this. The write-up is interesting for a | deep dive in Apple interfacing... obviously though is too | involved for a simple library card. Thanks. | desro wrote: | This is a really great write up, very clear and easy to follow. | Was very impressed at your pure bash barcode generator. I'm eager | to try this out on my own library card! | inasio wrote: | I expected something more like squeezing the cards with NIF | lasers (and alchemy) into diamond lattices encoding the | information and then hacking it alongside phone storage | gumby wrote: | Wasn't that already posted on HN a couple of weeks ago? :-) | somat wrote: | Only slightly related but my preferred way to generate barcodes | is the barcode writer in pure postcsript. | | https://bwipp.terryburton.co.uk/ | x0ul wrote: | Thanks for posting, I've never seen this before and it's | absolutely fantastic | teddyh wrote: | I use GNU Barcode: <https://www.gnu.org/software/barcode/> | mherdeg wrote: | Gosh. I just emailed myself a .png of the barcode containing my | library card number and open it in, like, the Photos or Gmail app | when I'm at the kiosk. | phyzome wrote: | They _did_ specify that this was the hard way. :-) | electrondood wrote: | This is indeed the hard way. | | I just used Stocard to scan my library card barcodes. Done. | cglong wrote: | This was a great blogpost, but then ends with: | | > I will note that I have not yet tested this pass in a real | library yet | | I get this project was mostly for fun, but why not spend the 10 | minutes it takes to test the final solution before sharing your | work? | skykooler wrote: | Library might not be open on a Saturday? | MollyRealized wrote: | Yes, that kind of ruined the entire article for me. "I have | this great scientific theory about oxygen loss during running. | I will admit, I have not actually started jogging yet, but ... | " | lxgr wrote: | I mean, it's ultimately a bunch of pixels representing a | barcode to be scanned. As long as it displays correctly, what | could go wrong? | Ayesh wrote: | Those cheap laser "1D" bar code scanners cannot read off a screen | (except maybe eInk). It sucks because the supermarkets I frequent | have their loyalty cards based off barcodes. Fortunately, barcode | readers emulate keyboards so you can just type the code on a | keyboard. | samtho wrote: | I made a cheap barcode display-er with a Bluetooth MCU and an | E-ink display, that works for all 1D only barcode scanners. | lxgr wrote: | That's really neat! Real-life Doctor Who psychic paper, | basically :) | lxgr wrote: | As far as I understand, that's because older systems don't use | a digital image sensor to scan these, but rather a rotating | laser beam and a simple photo diode registering the variations | in brightness caused by varying reflections of the laser beam | by the white and black parts of the barcode. | | A camera-based scanner doesn't care where the illumination of | the barcode is coming from (i.e. ambient light, its own LED | illuminating a piece of paper, or an active backlit screen); | that laser-based system is purely based on its own reflected | light, though, and won't work with actively backlit screens at | all. (I wonder if it works with e-ink or passive LCD displays!) | karaterobot wrote: | > Our local libraries, The Seattle Public Library and the King | County Library System, issue pieces of plastic with barcodes | printed on the back assigned to your borrower account. | | I just memorized my account number for KCLS. It should take maybe | 30 seconds to commit it to memory--though your mileage may vary, | I have to believe it's faster than this. After that, you just | type in the account number instead of scanning the bar code, and | probably do it in less time than it takes to get your phone | ready. I don't know if SPL works the same way, as I'm not in | Seattle. | wging wrote: | If you don't feel like memorizing it, you could also store it | on your phone in your password manager of choice. | folmar wrote: | Do it the 1990s way, just add it to the phone book. | Scoundreller wrote: | Used to do that for alarm codes for different locations I | worked at and the last 4 numbers would be the code. | | Mr John Springfield - xxx-xxx-1234 | | Mr John Madison - xxx-xxx-5309 | | Etc etc | rhplus wrote: | Stocard app worked for me. Simple and has an Apple Watch app to | boot. | | https://stocardapp.com/ | nehal3m wrote: | Yup, I use this too for all my loyalty cards. Works a treat, | also brightens the display when you have a barcode up. | samtho wrote: | I really love barcodes and barcode symbology for reasons I cannot | fully explain. I even wore the npm module named 'barcode' which I | desperately need to update. | | Fun fact about codabar, it is among the only barcode symbologies | that can be implemented completely as a plain font. | tonyedgecombe wrote: | 2 of 5 can be as well (but not the interleaved version). | lxgr wrote: | Interesting, why is that? Due to character boundaries and | encoded-character-as-symbol boundaries not overlapping for the | other codes? | | And do you know if that was a conscious design choice? | underseacables wrote: | My library card and a lot of other barcoded cards that I use are | stored in an app called Key Ring. It works really well. | ajot wrote: | For anyone wanting to do something like this on an Android phone, | there is Catima (on Google Play and FDroid), which supports many | types of barcodes. | | https://catima.app/ ___________________________________________________________________ (page generated 2023-10-28 23:00 UTC)