When I went to the US for 3 months I joined PureGym and they gave me a PIN number. I cancelled my membership after that, and one day Chrome told me my PureGym PIN had been compromised. 2 years later, I went to the US again, rejoined, and received the same PIN. Massive red flag.
I was also intrigued by the app, the token and PIN, and remember finding a security flaw in the system that activates the hydro massage chairs. It accepts your PIN or any PIN, with no security at all.
This is likely a false positive, if Chrome is using the haveibeenpwned API.
e.g. A pin of 87623103
Hashes to 558B4C37F6E3FF9A5E1115C66CEF0703E3F2ADEE
We get the range from HaveIBeenPwned:
https://api.pwnedpasswords.com/range/558B4
And search for C37F6E3FF9A5E1115C66CEF0703E3F2ADEE
And see it's "Compromised" and seen 3 times before.
To get an example that was already in the haveibeenpwned dataset, I wrote a quick script:
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Top-level statements (C# 9+): try random 8-digit PINs until one turns up in the
// Pwned Passwords range API. Only the first 5 hex chars of the SHA-1 leave the machine.
var httpClient = new HttpClient();
httpClient.BaseAddress = new Uri("https://api.pwnedpasswords.com/");
while (true)
{
    // Random 8-digit candidate (leading zeros allowed, like a real PIN)
    var password = string.Join("", Enumerable.Range(0, 8).Select(e => Random.Shared.Next(0, 10)));
    var hash = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));
    // k-anonymity: ask for every hash suffix that shares our 5-char prefix
    var passwordRange = await httpClient.GetAsync($"range/{hash.Substring(0, 5)}");
    passwordRange.EnsureSuccessStatusCode();
    var allhashes = await passwordRange.Content.ReadAsStringAsync();
    // Response lines are "<35-char suffix>:<count>", CRLF-terminated whatever the client OS
    var splitHashes = allhashes.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);
    var compromised = splitHashes.SingleOrDefault(h => h.StartsWith(hash.Substring(5)));
    if (compromised != null)
    {
        Console.WriteLine($"Password {password} Compromised! Found {compromised.Split(':')[1]} time(s)");
        Console.WriteLine($"Hash: {hash}");
        return;
    }
    await Task.Delay(1_000); // be polite to the API
}
The "most compromised" I've seen so far is "17385382", in the DB an astonishing 119 times. It would only take a few hours to iterate through all pins and collect stats for all pins.
Sure they have been, I can send you a text file with all of them. It's 850MB, but I expect it compresses very well.
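The k-anonymity lookup the comments above walk through, as an added Python example that is not part of the thread or the C# script posted in it. It hashes the candidate, sends only the 5-character SHA-1 prefix, parses the `suffix:count` lines of the range response, and compares the remaining 35 characters locally. To run offline it uses a constructed range body built around the PIN from the thread (the `:3` count is taken from the comment above, the other two lines are filler); `fetch_range`/`check_live` do the real request against api.pwnedpasswords.com and are only called when you want a live answer.

```python
import hashlib
import urllib.request


def sha1_upper(text: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def split_hash(text: str):
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    h = sha1_upper(text)
    return h[:5], h[5:]


def parse_range(body: str) -> dict:
    """Parse '<suffix>:<count>' lines; tolerates CRLF or LF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def count_in_range(password: str, range_body: str) -> int:
    """How many times `password` appears in breach data, given a range response."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network); only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_live(password: str) -> int:
    """Live version of count_in_range (not exercised by the offline test)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed sample range body: the thread's PIN plus two filler entries.
SAMPLE_PIN = "87623103"
_, _SAMPLE_SUFFIX = split_hash(SAMPLE_PIN)
SAMPLE_RANGE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed filler
    f"{_SAMPLE_SUFFIX}:3",                     # count quoted in the comment above
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12",  # constructed filler
]) + "\r\n"


if __name__ == "__main__":
    print(f"{SAMPLE_PIN} seen {count_in_range(SAMPLE_PIN, SAMPLE_RANGE)} time(s) in sample range")
```

Note what the parser does and does not tell you: a hit means that digit string appears in someone's leaked password list, not that the gym's database leaked. With only 10^8 possible 8-digit PINs the whole space is small enough that many of them will be present, which is why a browser alert on such a PIN is weak evidence on its own.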
Of course there's no world in which they're actually a secure password, which is why it's kind of insane to treat them as one.
That's a truncated 9 digit pin of a unix timestamp.
As you say, a massive red flag indicating it's not using a lot of sources of entropy.
I honestly don’t know
1. They will have added code that declares the app requires an exclusive audio context. So iOS pauses all other audio when the app is foregrounded.
Or
2. It’s possible that they use anti screenshot technology which sometimes involves embedding a secure video in place of an image. The video playback might be grabbing the audio context.
My bank app forwards me to the settings every time I try to send a bank wire because I never allowed access to contacts.
I have to keep pressing Play on my airpods. If I’m not using airpods it can be impossible to resume my own audio with the app open.
Great writing!
This is a great blog post, whether it's editorialised or not.
Judging by the screenshots, it looks like a thin wrapper around a mobile-optimized web site, or at best something like Flutter, so the likelihood that they have in-house developers that are sufficiently versed in the dustier corners of Apple's APIs is slim.
But yeah, we cared deeply about the UX/UI, but these things are built by committee and the committee is pretty dumb, very political, and non-technical.
Your story makes it sound like somehow the meeting was "let's add notifications, but for what?" and landed on that, which is exactly the type of thing that will lead to massively annoying people. If they don't have an obvious customer need for notifications (clearly they don't), why have them?
Who "they"? The vast majority of companies don't have a staff of programmers. These apps are outsourced to cheap consultancies.
The UX of that app is actually "ok". While it is a wrapper around their mobile site it works well enough.
It’s probably developed by one or two people, likely not full time, who spend most of their time on it implementing whatever the next special promotion needs, not stuff users want.
Because that’s what they’re told to do with the little time allocated to it.
I have a really rubbish signal (I live in the sticks in the North West). There was almost no reception near the gym. It never took 30 seconds. Generally scanning the QR code itself wouldn't get recognised by the scanner. I just ended up using the 8 digit code. This was using the iPhone app.
I ended up cancelling because quite honestly I prefer walking and cycling. But I was using them until earlier this year.
Considering Pure Gym is cheap, has reasonably decent equipment and is kept clean (at least where I am), the app being a bit shit sometimes is like a whatever problem IMO.
I can just memorise the 8 digit entry code and never ever open the app.
The budget required to improve the customer experience is near nothing, but I suspect no one at PureGym has actually evaluated that the experience is really not great, they probably don’t have the experience or expertise to do so.
The core business of automobile companies is not software, but they're being kicked down by software companies.
You're not a software company until a software company shuts you down.
In my case, I didn't make a native app because I don't use the wallet integration.
I wrote about it here: https://blog.davidv.dev/posts/trainmore-re/
It's not clear to me why sharing an app that puts the qr code in Apple wallet would violate copyright law. This wouldn't require redistributing the app or any of its copyrighted contents. Maybe "unauthorized" use of the API is against TOS, but that's not illegal.
PureGym's T&Cs [1] have a ridiculously long "PIN abuse policy" (probably meant to stop people sharing with mates). They can cancel memberships or even retroactively charge for gym use if you "knowingly provided your PIN to another individual."
I'm not a lawyer and don't fancy being the test case for whether entering your PIN on a third-party website/app counts as "knowingly providing" it. Given how their app works, I suspect they might just ban a bunch of accounts instead.
Though now that I think about it, the squat racks are always packed, so maybe I should just distribute the app to people who go at the same time as me.
I guess I'm assuming that you would design the iOS app to collect and store the PIN number on the device, and never ever share it, since (if I read the post correctly) that's all you'd need to get to basic auth. I take your point that that might still be considered "sharing with a third party" but honestly I suspect that (a) they wouldn't notice for a long long time and (b) they would typically start by sending a c&d, not hiring a team of top-notch lawyers and going straight to court unless you're really wealthy and there's some prize to be had for all of those legal fees.
i.e. just because it's POSSIBLE to do something doesn't mean it's okay to do it.
Your example fails.
"You're right, keep it on the 2028 roadmap"
That would be my experience in tech at least.
"Does it earn us money? Because doing it does _cost_ us"
It's really that simple (and the to do/wishlist is actually long).
The best thing PureGym could do now? Pay the guy a couple of grand for the app AND give him lifetime membership.
> The crown jewel? Your 8-digit gym door PIN is your API password and you most likely didn't set it yourself.
I hope there's a rate-limit on failed attempts. Because if you know someone's email address, it sounds like you get API access fairly quickly after that?
Also I trust that the scopes that you can ask for are limited appropriately?
>[minute of the hour you created the account][random number, 2 digit][day (or maybe month) of birth][year of birth]
So <59341295> is the code for a user who signed up at :59 past the hour, and their birthday is December 1995.
If you know someone’s birth month, you can just scan through ~6000 possible codes in a for loop to get their access code. At my gym, the PT coaches would celebrate their clients' birthdays loudly,
I’d not be surprised if the random number component was just an integer that increases with each sign up at a gym.
> it sounds like you get API access fairly quickly after that?
Yes, that's correct; I am yet to hit the rate-limit but from my experience with the official app/website, it's quite forgiving to failed attempts.
The scope in the post is the one used by the app and other unofficial clients on GitHub [1][2], so I doubt there are more options beyond that.
-- [1] https://github.com/0wain/puregym-api-php-wrapper/blob/main/s... [2] https://github.com/2t6h/puregym-attendance/blob/main/puregym...
Out of curiosity to the OP, did you use an AI to tweak/refine the text? It contains a lot of similar writing patterns as some read-aloud 4chan greentext/copypaste YouTube channels, especially liberal use of whimsical similes: "like it's 2000 and I'm downloading a JPEG on dial-up" "starting to feel like cosmic punishment" "like it's protecting nuclear launch codes", and jocular asides: " -- exposed to British weather, coated in a mysterious film of protein shake and regret, probably being livestreamed to TikTok by someone's ring doorbell -- ".
So I started to wonder if my AI-radar was spot on, or is that style of writing something people naturally do – because I wouldn't bother, but then again, I don't run a blog that people actually read.
* Written more formally than the typical HN comment
* Uses uncommon language like "jocular asides" and "whimsical similes"
* Fails to recognize that those mentioned phrases are cliches that people have been using for ages, long before LLMs
In short, recalibrate your AI radar, it's malfunctioning.
Example security question: favorite book. Which is, naturally, case sensitive.
Someone wrote this to prevent people from stealing my password and paying my bill.
Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.
But this is demonstrably the case today... I don't think I've gone a week without hearing about some major data-breach.
...my own org got h4x0red a few months ago: our CEO didn't have 2FA enabled on his God-tier global-admin-rights OIDC/SSO login and somehow, someone found our internal login page, had a snoop around, found our Twilio account keys and sold them off to some spammer who then sent spam texts to our customers (fortunately our (immutable) access logs showed there was no further intrusion, but it was still an incredibly unsettling experience considering how uninteresting and un-sexy my SaaS day-job is).
...so if it can happen to me, a random fellow HN troglodyte, then it can happen to you; or the hospital down the street from my old office[1].
In conclusion: we're doomed.
[1] https://therecord.media/seattle-fred-hutch-cancer-center-ran...
A gym requiring an app would be a hard no from me. I don't know why anyone (especially technical) would put up with that.
Answer from someone that has to put up with that: other gyms are significantly harder to get to (distance) and it’s already hard enough to get motivated to go. My options are shitty app or no gym.
Not everything is technically perfect and sometimes your only option is to put up with the stupidity of other developers/product managers.
It's pathetic. There should be regulation that prevents overly onerous "security" controls on users accounts.
thank goodness they do this, because I use the same email + password with my garbage as with my bitcoin wallet, my brokerage account and my online mistress finder app.
More details here: https://hightouch.com/blog/what-is-identity-resolution
I keep meaning to auto forward all emails from them to me….
Then yeah, it lowers engagement with the app, which is probably tied to someone’s bonus.
If you use online validation you can even dynamically rotate them whenever it suits you - either to adjust server load, or as some kind of "every Nth check-in" scheme. Heck, with online validation it doesn't even matter if the rotation service goes offline for a while!
Or just generate a fixed QR code which never changes. You know, like the 8-digit pin the QR code is the alternative for.
...or if they do have an attendant there, why can't they let you in with a friendly greeting like they used to in some imagined past?
I've seen people on PureGym's Twitter successfully refreshing screenshots weekly though, and the API response suggests the same.
That being said, I couldn't find a validation endpoint to check if mine got invalidated by something specific (maybe signing out?) or if there's some other magic happening.
My gym has a similar system but I realised it's time based and the app functions without Internet. I installed the app onto an old android with no sim, logged in at home over WiFi and it successfully regenerated QRs without data
Higher priority push notifications require a user visible UI element and can be delivered regardless of certain low power situations.
The QR code for a pass sure sounds like a priority user visible UI element.
> Reader, I actually did this.
How? I’m very interested in that part.
I remember wanting it because (despite it being possible) services don’t usually allow you to add Wallet passes when you buy from the web, instead requiring you to install their app (which I do not want). But I can already see myself using this for services which don’t even provide Wallet passes.
From the author’s wording, it seems there’s a way to add such screenshots without using a third-party app.
https://apps.apple.com/us/app/pass4wallet-store-cards/id1423...
Yes, that’s what the article is about, I read it all. But the author also mentioned the screenshot approach before using Passkit and called it the naive approach, so it’s likely they did something considerably simpler.
Feels like I’m on the worst parts of Stack Overflow and Reddit. I know other options exist, I’m asking about one specific approach. It is OK to not reply or say “I don’t know how to do it like that”. That’s fine, I don’t know either and I’m not embarrassed by that, that’s why I’m asking. I want to learn a new trick.
I guess I didn't realize it was that simple a question.
The "how" there is "take a screenshot of the first-party app". In many cases (especially with physical barcodes like a loyalty card you can just photograph), that's all you need; just keep it in your photo roll. It didn't work in this case because the QR codes contain some sort of signature or expiration date that prevents a screenshot from last week from working this week.
If it has to be in wallet, https://developer.apple.com/documentation/passkit/pkpasstype....
This is like if I asked “how do I boil an egg” and you had answered “you can boil an egg yourself”. Yes, I know that. That’s obvious but also unhelpful. The correct (short) answer would’ve been “bring water to a boil on the stove, lower an egg into it, wait around 10 minutes, turn it off and place the egg in cold water for an easier peel”. Or “here’s a link with instructions: <URL>”.
It's simple, there are lots of libraries that can generate it. You can probably even ask Claude Code or something like that to generate you one.
I understood your question as: can I do this myself or do I need an app and the answer is that you can do it yourself. The documentation for it is easily Googleable.
What you need is a signing key so you will need to pay the apple tax.
How much does this cost? I'd love to create Apple Wallet passes for things, but I'm wary of setting up an Apple Developer account and paying even more fees for just this.
part2 seems to be a timestamp. Maybe we can try to forge the value to "now - 10 seconds".
And if the implementation has been done right, the "part3" should be a signature of part1 and part2, not a "salt" (so forging part2 should be detected and code rejected).
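The construction the two comments above describe, as an added Python example that is neither the gym's implementation nor code from the post: `part3` is an HMAC over `part1|part2`, so rewriting `part2` to "now minus 10 seconds" while keeping the old `part3` fails the signature check before the timestamp is even looked at, and a genuine code older than the validity window is rejected as expired. Because the earlier comment observed an app regenerating QR codes with no data connection, the block also shows the offline variant that implies: a per-device key provisioned at login and a TOTP-style code over the current time step. The key, the 60-second window, the 30-second step and the `|`-separated layout are all assumptions for the example.

```python
import hashlib
import hmac

# Assumed server secret for the example only; a real one lives in a KMS/HSM.
SERVER_KEY = b"constructed-example-key-not-a-real-secret"
VALIDITY_SECONDS = 60   # assumption: codes are good for about a minute
SKEW_SECONDS = 5        # tolerate slightly fast phone clocks


def _mac(part1: str, part2: str, key: bytes) -> str:
    """part3 = HMAC-SHA256 over part1 and part2, so neither can be changed alone."""
    return hmac.new(key, f"{part1}|{part2}".encode(), hashlib.sha256).hexdigest()


def issue_code(member_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Server side: member id, issue time, signature."""
    part1, part2 = member_id, str(now)
    return f"{part1}|{part2}|{_mac(part1, part2, key)}"


def validate_code(code: str, now: int, key: bytes = SERVER_KEY,
                  window: int = VALIDITY_SECONDS):
    """Turnstile side: returns (ok, member_id_or_reason)."""
    parts = code.split("|")
    if len(parts) != 3:
        return False, "malformed"
    part1, part2, part3 = parts
    # Signature first: a forged part2 is caught here, whatever value it holds.
    if not hmac.compare_digest(part3, _mac(part1, part2, key)):
        return False, "bad signature"
    try:
        issued = int(part2)
    except ValueError:
        return False, "bad timestamp"
    if issued > now + SKEW_SECONDS:
        return False, "timestamp in future"
    if now - issued > window:
        return False, "expired"
    return True, part1


def rewrite_part2(code: str, new_ts: int) -> str:
    """Negative test case: change the timestamp but keep the original part3,
    which is what treating part3 as a 'salt' would let you do."""
    part1, _, part3 = code.split("|")
    return f"{part1}|{new_ts}|{part3}"


# Offline variant: the device holds a key issued at login and derives a code
# from the current 30-second step, so no data connection is needed.
STEP_SECONDS = 30


def offline_code(device_key: bytes, now: int, step: int = STEP_SECONDS) -> str:
    counter = (now // step).to_bytes(8, "big")
    return hmac.new(device_key, counter, hashlib.sha256).hexdigest()[:16]


def validate_offline(device_key: bytes, code: str, now: int,
                     step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Accept the current step and +/- skew_steps neighbours to absorb clock drift."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = offline_code(device_key, now + delta * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    code = issue_code("12345678", t0)  # constructed member id
    print(validate_code(code, t0 + 30))
    print(validate_code(rewrite_part2(code, t0 + 90), t0 + 100))
```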
Developer frustrated with missing functionality / UI problems / etc / and solves it. So awesome!
The only downside is that they hold all the keys to the kingdom, so either they (or someone inside the org with political weight) will be pissed off straight out of the gate, or you’ll always be walking on eggshells trying your best to not piss them off.
I 'got around' the PIN/QR Madness after 1 week by getting key fob. Now I don't have to ever open the app...
Attendance API looks to be worth playing with! Nice Bonus.
> Should I package this up properly? Probably not: it's a proof of concept that solves my specific problem. Plus, PureGym would probably just hire me to shut it down, and I'm not ready for that level of corporate responsibility.
Don’t take a job if they offer one to you then?
> SaaS Dreams: Package this properly, get sued immediately, become a cautionary tale at product management conferences.
I genuinely don’t think that this is how it would go down, unless you’re marketing it as an official product. As a consumer I’m allowed to buy things that I find useful, and if this was packaged as a third-party convenience for personal use I don’t see the issue.
I suppose that if the company even noticed (very unlikely) they could get pissy but then I’d expect a c&d to arrive not some multi-million dollar lawsuit. Caving in at this point is an option.
Honestly I think getting past app review and into the App Store would be the hard part.
What’s Next: Shame Notifications: "You were literally 100 meters from the gym and walked past it"
As much as I hate to admit it, that would probably work on me and I’d probably turn it on.
I used to do it too and in my mind I still do out of habit but I try not to let it influence projects anymore, what else will I do with my time + doing stuff like this keeps your skills up to date.
Not only have you learned new skills and got better at the craft, but you also removed a frequent source of frustration and get satisfaction every time your system works and you remember “heck yeah, I did this”. It increases your happiness and well-being overall into the future and keeps on giving.
I'm curious to see how easy this would be on Android and to have an auto updating QR code widget on my home screen.
Things like em-dashes are a really bad way to detect AI because they can be good grammar and improve text readability, same with curly quotes. I use them all the time in my writing, and I wouldn't be surprised if this iOS dev feels similarly as Apple platforms have emphasised this stuff for years.
As an academic I’ve always used “delve”, too, so at this point I guess my writing is going to be flagged as AI a lot…
I do note that some of the AI slop I’ve received from students includes other fancy Unicode characters (superscript numerals, variant Greek letters, blackboard bold R, etc.) that are difficult to type, and which especially would not be used in e.g. code comments. em-dashes at least can be produced by certain word processors or text IMEs automatically, whereas many of these others require specifically looking for the character.
This is the bit I'd still caution against. Yes AI does this, but also writing in some software will correct 1/2 to ½, writing in tools that support MathJax will give you nice greek letters, etc. At university I spent days setting up nice LaTeX setups so that I could get good looking documents, including documents that didn't immediately appear to be LaTeX authored.
I think it's best to focus on the content, the writing quality, whether it targets the right audience, and whether it answers the question or just features a lot of words in the right ballpark. Focusing on the specific words and mechanical features of the text is going to catch out the wrong students, and it's going to be harder to justify from your perspective because you can't score a student badly for using an esoteric unicode character.
No secret. Just vibes.
Since you know the tells of LLM generated text, you'll know that this is a classic: No X. Just Y. Proxyman -- pick your poison.
And if you're from PureGym reading this—let's talk.
There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job. "And if you're from [COMPANY] reading this[EM DASH]let's talk" is a classic GPT-ism.
It's like the API is saying "Hey buddy, I know this is odd, but can you poll me every minute? Thanks, love you too."
Shame Notifications: "You were literally 100 meters from the gym and walked past it"
It's just a ZIP archive with delusions of grandeur
Clear examples of fluff. Not only do these fail to "add facts or colour to the story", they actually detract from it. I agree with you that em dashes in isolation are not indicative, but the prose here is dripping with GPT-speak.
> There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job.
The em dash conspiracy in the comments today is amazing -- I type double hyphens everywhere, and some apps (e.g. a Telegram bot I made for drafts, or the macOS' built-in auto-correct) replace them with em dashes automatically–I never bother to edit those out (ok, now this one I put here on purpose).
> It's just a ZIP archive with delusions of grandeur > Clear examples of LLM fluff that don't "add facts or colour to the story".
Yeah, no that's fair enough, should've known better than to attempt humour on HN.
I've got to say though, pkpass is a ZIP archive, and no ZIP archive should require one to spend 3 hours to sign it.
Edit: total random thought: something in your prose shouted ‘Brit’ to me very quickly. Is it possible that part of this is simply cultural differences in humour and writing, and over-interpretation of subtle differences as evidence of LLM use?
Or do LLMs just write in a subtly more British style because, well, Shakespeare and Dickens and Keats and Milton? Or does ChatGPT just secretly channel PG Wodehouse?
> Wednesday, 11:15 AM. I'm at the PureGym entrance doing the universal gym app dance. Phone out, one bar of signal that immediately gives up because apparently the building is wrapped in aluminum foil
It says, "Hey I'm a human who goes to the gym and experiences the same frustrations as you do". Now imagine for a second this paragraph was written by AI. The AI has never been to the gym, the AI doesn't feel impatience trying to pass through the turnstile, the AI has never experienced the anxiety of a dodgy internet connection in a large commercial building. The purpose of any humour in this paragraph is completely undermined if you assume it was actually written by AI.
So please don't conflate being anti-LLM with being anti-humour. It's just the opposite. We want humour because we want to feel a connection with our fellow humans and for the same reason we should also want writing that comes from a human, not a machine.
I'm not.
I'm trying to analyse, or hypothesise, why this author's particular writing style seemed to trigger people's nascent LLM warning heuristics.
I considered the humour, because, well, other people brought it up. From the surrounding discussion, it seemed that the jocular writing style was one of the points generating suspicion.
British people do tend to have a fairly humorous indirect way of communicating that can take some getting used to for people from other cultures, but that doesn't mean we're all secretly LLMs
I swear some folks have just been normalised to the shit writing that AI does so much that they look for tricks like punctuation rather than just reading the damn text. Although maybe they're just blatting the whole thing into ChatGPT and asking it to summarise, or determine if it's AI generated.
It has become a trope to call any text which includes an em-dash AI writing.
> // Device wants updates! Store that push token like it's bitcoin in 2010
...really had me raising my eyebrows. Along with the mixed em-dash and hyphens and the AI generated images on the page.
1. Used AI to help and doesn’t care if it sounds a little AI generated / actually likes it
2. Didn’t use AI but reads enough AI slop that his writing style is directly influenced by it (scary)
3. Used AI but doesn’t use AI enough to immediately recognize when language sounds like it was generated by ChatGPT and didn’t bother correcting (this is my guess)
There’s a few times I got tripped up because it went from pretty human writing to “holy shit that’s ChatGPT I’m going to stop reading,” yet the author would save it with human writing right after.
This is kind of a ramble, but it actually was one of those pieces of writing that I felt was genuine and improved by some of the ChatGPT language rather than just clickbait garbage - I could tell the author was just trying to make it worthwhile and interesting to read, and I honestly really enjoyed it.
"The crown jewel? Your 8-digit gym door PIN is your API password and you most likely didn't set it yourself. The same PIN that hasn't changed since the iPhone 8 was cutting-edge technology."
Reads directly from ChatGPT