51 comments

[ 3.9 ms ] story [ 38.2 ms ] thread
"if we build that feature, we'd have to own it."

"You're right, keep it on the 2028 roadmap"

That would be my experience in tech at least.

"and very good reasons for not implementing Apple Wallet"

Judging by the screenshots, it looks like a thin wrapper around a mobile-optimized web site, or at best something like Flutter, so the likelihood that they have in-house developers that are sufficiently versed in the dustier corners of Apple's APIs is slim.

This is it. It's a well-established gym chain, their core business is getting subscriptions and making it hard to unsubscribe - not development. If you're lucky, they have a couple of in-house web developers working on website and database maintenance, who then ask a contractor to just "make it run like an app". If you're unlucky, they outsource all their web operations to a contractor that milks them every time they want to change a title from H2 to H3.
I’ve always used the physical PIN code to get in because I just instinctively don’t trust the app to load reliably; never felt so validated
Did I interpret correctly that this sends a push notification every minute telling your phone to download a new code? If so, that seems like a battery problem…
on security theater: the morons running my garbage company demand not just a email + pass but also security questions in order to login and... pay your bill. That's the functionality available.

Example security question: favorite book. Which is, naturally, case sensitive.

Someone wrote this to prevent people from stealing my password and paying my bill.

There has been a spate of Russian hackers recently paying other people's garbage bills, it's becoming an epidemic. The company is right to want to curtail it by asking you for your favourite books, which is the hobbit, not the Hobbit
My supermarket requires email 2Fa for grocery delivery and enforces it on basically every login. It means whenever my wife or I are doing the shopping we have to have the account owner there to get the secondary code.

I keep meaning to auto forward all emails from then to me….

I bet the password expires every 6 months too
this reads like chatgpt dribble
Ah yes, because we all know that ChatGPT is capable of writing coherent texts with consistent humour and details on a technical topic.
I was thinking the same thing - Went back and re-read it though, and I think it’s more that the author wrote a first draft and then had AI to help spice some stuff up. He either:

1. Used AI to help and doesn’t care if it sounds a little AI generated / actually likes it 2. Didn’t use AI but reads enough AI slop that his writing style is directly influenced by it (scary) 3. Used AI but doesn’t use AI enough to immediately recognize when language sounds like it was generated by ChatGPT and didn’t bother correcting (this is my guess)

There’s a few times I got tripped up because it went from pretty human writing to “holy shit shit that’s ChatGPT I’m going to stop reading,” yet the author would save it with human writing right after.

This is kind of a ramble, but it actually was one of those pieces of writing that I felt was genuine and improved by some of the ChatGPT language rather than just clickbait garbage - I could tell the author was just trying to make it worthwhile and interesting to read, and I honestly really enjoyed it.

This is a great post, it captures the true essence of an engineer. It is funny, intriguing, and inspirational. Congrats! You are a hacker at heart.

When I went to the US for 3 months I joined PureGym and they gave me a PIN number. I cancelled my membership after that, and one day Chrome told me my PureGym PIN had been compromised. 2 years later, I went to the US again, rejoined, and received the same PIN. Massive red flag.

I was also intrigued by the app, the token and PIN, and remember finding a security flaw in the system that activates the hydro massage chairs. It accepts your PIN or any PIN, with no security at all.

I've received the same PIN from an entirely different gym chain, albeit one using the same door system.

As you say, a massive red flag indicating it's not using a lot of sources of entropy.

PureGym is located where in the US? I can’t find any locations just in the UK

    POST https://auth.puregym.com/connect/token
    grant_type=password&username={EMAIL}&password={PIN}&scope=pgcapi offline_access
    Authorization: Basic cm8uY2xpZW50Og==
Looks like it could be feasible to brute force some PINs using this API. Assuming it's not rate-limited, an average of 50,000,000 API calls isn't that many.

    > The crown jewel? Your 8-digit gym door PIN is your API password and you most likely didn't set it yourself. 
I hope there's a rate-limit on failed attempts.

Because if you know someone's email address, it sounds like you get API access fairly quickly after that?

Also I trust that the scopes that you can ask for are limited appropriately?

I think the even better crown jewel here is that the code is predictable, with no lock-out facility at the gym door for wrong attempts. The format is (or was when I signed up) something in the format

>[minute of the hour you created the account][random number, 2 digit][day (or maybe month) of birth][year of birth]

So <59341295> is the code for a user who signed up at :59 past the hour, and their birthday is December 1995.

If you know someone’s birth month, you can just scan through ~6000 possible codes in a for loop to get their access code. At my gym, the PT coaches would celebrate their clients birthdays loudly,

I’d not be surprised if the random number component was just an integer that increases with each sign up at a gym.

> A Pass Type ID certificate from Apple Developer Portal

How much does this cost? I'd love to create Apple Wallet passes for things, but I'm weary of setting up a Apple Developer account and paying even more fees for just this.

The Pass Type ID certificate requires an Apple Developer Program membership which costs $99/year, but there are no additional fees specifically for Wallet pass functionality.
This is obnoxious given PKPass is an open standard. Third party apps can use them without any requirement to be verified by some authority, but Apple just has to maintain some sort of control.
I can't believe this criminal that is writing this. Won't people think of the poor data brokers that are sucking down data from this forced app about who he is, what his device profile is, where is location is etc?
Wallet is spelled incorrectly under subheading “The Swift backend nobody asked for”
> Think about this for a second. The physical keypad -- exposed to British weather, coated in a mysterious film of protein shake and regret, probably being livestreamed to TikTok by someone's ring doorbell -- accepts my ancient PIN without question. But the digital QR code needs cryptographic rotation that would make the NSA jealous.

Great writing!

Does this post read like an LLM wrote it to anyone else? Not a big deal if it does but it feels like it’s trying too hard.
It took years for people to accept that some photos had filters applied, enhancing them to look as good as professional shots. The same will happen with text.

This is a great blog post, whether it's editorialised or not.

I have no idea if this was written by AI, and frankly I don't care. I really enjoyed reading and appreciated the humour.

I'm curious to see how easy this would be on Android and to have an auto updating QR code widget on my home screen.

Love the writing style, good fun but full of interesting technical detail too
I love reading about this sort of thing. My personal solution to the issues with the app and the wait for it to work (if it worked) was to memorize the pin. I believe I'm still quicker getting in than even the OPs solution, and with less hassle too since I don't need a device or any services.
My favourite inexplicable feature of the PureGym app on iOS is that when you open it, it stops any audio you are listening to. In the same way as if you have opened another audio app. Yet it isn’t playing any sound. Crazy
Great article, I went through something similar with TrainMore in The Netherlands, where they replaced an NFC key fob with a similarly refreshing QR code (but this one rotates every 30 seconds)

In my case, I didn't make a native app because I don't use the wallet integration.

I wrote about it here: https://blog.davidv.dev/posts/trainmore-re/

lol counting the amount of “time saved” to justify the amount of time u spent building the thing is relatable but also slightly cancerous if it takes over your mindset in the building or brainstorming process. (which unless it’s a jokey bit that has no core of truth it might very well do.)

I used to do it too and in my mind I still do out of habit but I try not to let it influence projects anymore, what else will I do with my time + doing stuff like this keeps ur skills up to date.

> My first approach was embarrassingly naive. "I'll just screenshot the QR code and add it to Apple Wallet as a static image!"

> Reader, I actually did this.

How? I’m very interested in that part.

I remember wanting it because (despite it being possible) services don’t usually allow you to add Wallet passes when you buy from the web, instead requiring you to install their app (which I do not want). But I can already see myself using this for services which don’t even provide Wallet passes.

From the author’s wording, it seems there’s a way to add such screenshots without using a third-party app.

Wasn't expecting to see someone posting about my gym on HN this morning!
Great article. Me personally, I just learned my PIN...
It could be interesting to understand the actual content of the qrcode. part1 is a static id, so likely linked to the membership.

part2 seems to be a timestamp. Maybe we can try to forge the value to "now - 10 seconds".

And if the implementation has been done right, the "part3" should be a signature of part1 and part2, not a "salt" (so forging part2 should be detected and code rejected).

The real travesty here is how bad the official app is. For example, the Planet Fitness app takes 7 seconds to go from closed to showing a QR code.