pyman 3 days ago

This is a great post, it captures the true essence of an engineer. It is funny, intriguing, and inspirational. Congrats! You are a hacker at heart.

When I went to the US for 3 months I joined PureGym and they gave me a PIN number. I cancelled my membership after that, and one day Chrome told me my PureGym PIN had been compromised. 2 years later, I went to the US again, rejoined, and received the same PIN. Massive red flag.

I was also intrigued by the app, the token and PIN, and remember finding a security flaw in the system that activates the hydro massage chairs. It accepts your PIN or any PIN, with no security at all.

  • eterm 3 days ago

    > Chrome told me my PureGym PIN had been compromised

    This is likely a false positive, if Chrome is using the haveibeenpwned API.

    e.g. A pin of 87623103

    Hashes to 558B4C37F6E3FF9A5E1115C66CEF0703E3F2ADEE

    We get the range from HaveIBeenPwned:

    https://api.pwnedpasswords.com/range/558B4

    And search for C37F6E3FF9A5E1115C66CEF0703E3F2ADEE

    And see it's "Compromised" and seen 3 times before.

    • eterm 3 days ago

      In case anyone else was wondering, not all 8 digit pins are "compromised", although many are, and of course an 8 digit pin has limited security in any automatable scenario.

      To get an example that was already in the haveibeenpwned dataset, I wrote a quick script:

        using System;
        using System.Linq;
        using System.Net.Http;
        using System.Security.Cryptography;
        using System.Text;
        using System.Threading.Tasks;

        // Top-level statements; needs .NET 6+ for Random.Shared, SHA1.HashData and Convert.ToHexString.
        var httpClient = new HttpClient();
        httpClient.BaseAddress = new Uri("https://api.pwnedpasswords.com/");

        while (true)
        {
            // Random 8-digit PIN, leading zeros included.
            var password = string.Join("", Enumerable.Range(0, 8).Select(e => Random.Shared.Next(0, 10)));

            // Upper-case hex SHA-1, the digest form the HIBP password API uses.
            var hash = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));

            // k-anonymity: only the first 5 hex chars of the hash are sent to the API.
            var passwordRange = await httpClient.GetAsync($"range/{hash.Substring(0, 5)}");
            passwordRange.EnsureSuccessStatusCode();

            var allhashes = await passwordRange.Content.ReadAsStringAsync();

            // The response is CRLF-separated "SUFFIX:COUNT" lines; accept either line ending.
            var splitHashes = allhashes.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);

            // The remaining 35 hex chars are matched locally, never sent.
            var compromised = splitHashes.SingleOrDefault(h => h.StartsWith(hash.Substring(5)));

            if (compromised != null)
            {
                Console.WriteLine($"Password {password} Compromised! Found {compromised.Split(':')[1]} time(s)");
                Console.WriteLine($"Hash: {hash}");
                return;
            }

            // Pause between lookups to stay polite to the API.
            await Task.Delay(1_000);
        }

      The "most compromised" I've seen so far is "17385382", in the DB an astonishing 119 times. It would only take a few hours to iterate through all pins and collect stats for all pins.
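
      The range lookup walked through above, and the loop in the script, as an added example in Python (not code from the thread or from haveibeenpwned). The server side is a stand-in for the range endpoint (the hypothetical fake_range_endpoint, built from a constructed breach table that reuses the two PINs and counts quoted in these comments), so it runs offline; the client side sends only the 5-character prefix and matches the suffix locally, which is all a browser's "compromised" warning does.

```python
"""Offline model of the HaveIBeenPwned k-anonymity range lookup.

Added example, not code from the thread. The server side simulates
https://api.pwnedpasswords.com/range/<prefix> from a small constructed
breach table; the client side is what Chrome or the C# script above does.
"""
from __future__ import annotations

import hashlib
from collections.abc import Callable

# Constructed breach table (PIN -> times seen). The first two entries and
# their counts are the ones quoted in the comments; "1234" is made up.
CONSTRUCTED_BREACH_TABLE = {
    "87623103": 3,
    "17385382": 119,
    "1234": 1_000_000,
}


def sha1_hex(secret: str) -> str:
    """Upper-case hex SHA-1, the digest form the HIBP password API uses."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def split_digest(digest: str) -> tuple[str, str]:
    """k-anonymity split: the 5-hex-char prefix goes on the wire, the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: every stored suffix under that prefix as CRLF 'SUFFIX:COUNT' lines.

    The real service returns hundreds of suffixes per range; this hypothetical one only
    knows the constructed table, so anything not in it comes back with count 0.
    """
    prefix = prefix.upper()
    lines = []
    for secret, count in CONSTRUCTED_BREACH_TABLE.items():
        p, suffix = split_digest(sha1_hex(secret))
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(sorted(lines)) + ("\r\n" if lines else "")


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerates CRLF or LF, blank lines and malformed counts."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(secret: str, fetch_range: Callable[[str], str] = fake_range_endpoint) -> int:
    """Client side: send only the prefix, match the suffix locally, return the seen count (0 if absent)."""
    prefix, suffix = split_digest(sha1_hex(secret))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def pin_looks_compromised(pin: str, fetch_range: Callable[[str], str] = fake_range_endpoint) -> bool:
    """What a browser's 'this password has been compromised' warning boils down to."""
    return breach_count(pin, fetch_range) > 0


if __name__ == "__main__":
    for pin in ("87623103", "17385382", "00000000"):
        print(pin, breach_count(pin))
```

      Swapping fetch_range for a function that performs the real HTTP GET turns this into a live check; the parsing and local suffix match stay the same.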

      • cornholio 3 days ago

        > not all 8 digit pins are "compromised"

        Sure they have been, I can send you a text file with all of them. It's 850MB, but I expect it compresses very well.

        • eterm 2 days ago

          There's a reason I put "compromised" in quotes. By that I mean that not all 8 digit numbers are yet flagged in haveibeenpwned.

          Of course there's no world in which they're actually a secure password, which is why it's kind of insane to treat them as one.

      • charcircuit 3 days ago

        >17385382

        That's a truncated 9 digit pin of a unix timestamp.

        • nkrisc 2 days ago

          Well yeah if you’re enumerating every 8 digit number you’re of course going to get parts of larger numbers.

        • londons_explore 3 days ago

          Seems a stretch... What is special about that time?

          • echoangle 2 days ago

            If you truncate the current time to make it 8 digits long, every timestamp since the 2nd of February 2025 would return this result.

            • londons_explore a day ago

              No... Only timestamps on Feb 2nd 2025. So what happened that day?

    • qingcharles 2 days ago

      I had this constantly the last couple of days. I've been doing some UI mockups in Claude and it includes a password field, and either it puts in a placeholder of like 1234 or I type asdf to test the field. Then as soon as I do anything else Chrome has a fit because "my" password has (obviously) been "pwned."

  • yodelshady 2 days ago

    I've received the same PIN from an entirely different gym chain, albeit one using the same door system.

    As you say, a massive red flag indicating it's not using a lot of sources of entropy.

    • pyman a day ago

      What worries me the most is that if the ACS can't issue new PINs, there's no way to replace them. If a single PIN is shared or compromised, anyone with it can walk in undetected until the whole system is replaced. And if the entire PIN list is exposed, all hell breaks loose.

    • thefreeman 2 days ago

      Or they just reactivated his previously canceled account and it still had a pin associated

  • firesteelrain 2 days ago

    PureGym is located where in the US? I can’t find any locations just in the UK

Roonerelli 2 days ago

My favourite inexplicable feature of the PureGym app on iOS is that when you open it, it stops any audio you are listening to. In the same way as if you have opened another audio app. Yet it isn’t playing any sound. Crazy

  • urbandw311er 2 days ago

    Two possibilities spring to mind:

    1. They will have added code that declares the app requires an exclusive audio context. So iOS pauses all other audio when the app is foregrounded.

    Or

    2. It’s possible that they use anti screenshot technology which sometimes involves embedding a secure video in place of an image. The video playback might be grabbing the audio context.

    • figgyc 2 days ago

      I've had this a few times on Android (eg the new Subway app). I'm 99% sure it's the latter but not for security, just a fancy splash screen animation that was implemented as a video without thinking about setting it as "no audio".

  • bapak 2 days ago

    Tell me a bigger red flag to identify junk apps. Every "homemade" low cost app has similar inexplicable bugs that they don't care to fix.

    My bank app forwards me to the settings every time I try to send a bank wire because I never allowed access to contacts.

    • hombre_fatal 2 days ago

      Apple doesn’t care to fix it either. Why can an app repeatedly turn off the podcast I’m listening to yet I have no recourse to stop it?

      I have to keep pressing Play on my airpods. If I’m not using airpods it can be impossible to resume my own audio with the app open.

  • burnerthrow008 2 days ago

    Audio apps have greater permissions to run the background, right? Wonder if it’s related to that.

  • mattuk89 2 days ago

    Same with the Technogym app on Android. Every time I connect to a new piece of equipment my audio pauses. Infuriating!

JSR_FDED 3 days ago

> Think about this for a second. The physical keypad -- exposed to British weather, coated in a mysterious film of protein shake and regret, probably being livestreamed to TikTok by someone's ring doorbell -- accepts my ancient PIN without question. But the digital QR code needs cryptographic rotation that would make the NSA jealous.

Great writing!

  • isubkhankulov 2 days ago

    Does this post read like an LLM wrote it to anyone else? Not a big deal if it does but it feels like it’s trying too hard.

    • pyman a day ago

      It took years for people to accept that some photos had filters applied, enhancing them to look as good as professional shots. The same will happen with text.

      This is a great blog post, whether it's editorialised or not.

frankus 3 days ago

"and very good reasons for not implementing Apple Wallet"

Judging by the screenshots, it looks like a thin wrapper around a mobile-optimized web site, or at best something like Flutter, so the likelihood that they have in-house developers that are sufficiently versed in the dustier corners of Apple's APIs is slim.

  • cedws 3 days ago

    So why can’t they learn? We have Google, we have Stack Overflow, we have LLMs. My cynical take is that there’s just nobody there who gives a shit about the UX, most likely the team that built all of their backend stuff is long gone (quit or laid off) and now there’s a skeleton team of the cheapest possible engineers just keeping it running.

    • withinboredom 2 days ago

      I used to work in the fitness industry, and we built apps for some big players (not PureGym, though they were a customer for other parts of our stuff). Anyway, we'd often sit in meetings with them to discuss new features. One time, we discussed adding notifications. They got hung up on this -- there were about 8 different departments -- and they decided to add a notification to ask how clean the gym was... because it was "safe". These people, in general, are terrified of scaring away members by bothering them about anything.

      But yeah, we cared deeply about the UX/UI, but these things are built by committee and the committee is pretty dumb, very political, and non-technical.

      • ndriscoll 2 days ago

        The amazing part of that story is that they had the correct concern, but decided to bother people with something stupid anyway. That's like getting a notification asking how the weather is. Things like that are exactly why I said elsewhere a gym app would be a hard no from me.

        Your story makes it sound like somehow the meeting was "let's add notifications, but for what?" and landed on that, which is exactly the type of thing that will lead to massively annoying people. If they don't have an obvious customer need for notifications (clearly they don't), why have them?

        • withinboredom 2 days ago

          The original idea was to add notifications about classes... like if you scheduled a class, to be notified if it was canceled or modified. They felt like they would rather have people be in the gym for a canceled class than to not show up at all.

      • cedws 2 days ago

        Thanks for the insight.

    • spcebar 2 days ago

      Having engineers specialized in a specific stack learn on the job for the sake of/while working on a project is a great way to end up with really funky code and poor user experiences. I speak as a developer tasked with doing exactly that several times at a previous job, and the long-term is never pretty. The first code you write is immediately legacy code, but if you're learning as you write for a project that is already in motion, you're usually stuck with that legacy code until someone goes out of business or the rapture comes and they have to do a reorg because half the team was hauled to the kingdom of heaven, and now there's an MBA running the department who doesn't like you and wants to leverage AI to do the block chain.

    • troupo 3 days ago

      > So why can’t they learn?

      Who "they"? The vast majority of companies don't have a staff of programmers. These apps are outsourced to cheap consultancies.

    • extraisland 3 days ago

      It is a gym app. Realistically as the article says it really doesn't have to change much.

      The UX of that app is actually "ok". While it is a wrapper around their mobile site it works well enough.

      • cedws 3 days ago

        I’ve used PureGym before, as the author points out the app is terrible, even on a good signal it takes 30s+ to “warm up”, whatever that means. I don’t want the app to “warm up”, I want the QR code right now, I’m left standing outside the gym like an idiot waiting for the bloated app to call a REST endpoint.

        • MBCook 3 days ago

          I suspect they don’t care. They have “an app”.

          It’s probably developed by one or two people, likely not full time, who spend most of their time on it implementing whatever the next special promotion needs, not stuff users want.

          Because that’s what they’re told to do with the little time allocated to it.

          • stefs 2 days ago

            it's probably a random app development studio. the gym most likely doesn't employ their own app dev employees. the app development studio basically cares about two things: earning money and keeping their client just happy enough so they come back. the users of the app are not their customers and at best a secondary concern.

        • extraisland 3 days ago

          I was talking more generally about the general design of the app. It is "ok".

          I have a really rubbish signal (I live in the sticks in the North West). There was almost no reception near the gym. It never took 30 seconds. Generally scanning the QR code itself wouldn't get recognised by the scanner. I just ended up using the 8 digit code. This was using the iPhone app.

          I ended up cancelling because quite honestly I prefer walking and cycling. But I was using them until earlier this year.

          Considering Pure Gym is cheap, has reasonably decent equipment and is kept clean (at least where I am). The app being a bit shit sometimes is like a whatever problem IMO.

      • vendiddy 3 days ago

        But exactly. The one thing you care about in a gym app is getting into the gym!

        • OtherShrezzing 2 days ago

          The app isn’t PureGym's core business though. I’d rather they spend £200k on extra squat racks in the gyms than on better UX on their app.

          I can just memorise the 8 digit entry code and never ever open the app.

          • jonathanlydall 2 days ago

            In a single weekend the OP changed the app experience from “somewhat annoying and frustrating” to “very convenient”.

            The budget required to improve the customer experience is near nothing, but I suspect no one at PureGym has actually evaluated that the experience is really not great, they probably don’t have the experience or expertise to do so.

    • sammy2255 3 days ago

      They are likely using cheap labour from India or something.. the deal went to the lowest bidder.

  • toyg 2 days ago

    This is it. It's a well-established gym chain, their core business is getting subscriptions and making it hard to unsubscribe - not development. If you're lucky, they have a couple of in-house web developers working on website and database maintenance, who then ask a contractor to just "make it run like an app". If you're unlucky, they outsource all their web operations to a contractor that milks them every time they want to change a title from H2 to H3.

    • bapak 2 days ago

      Isn't that the whole problem?

      The core business of automobile companies is not software, but they're being kicked down by software companies.

      You're not a software company until a software company shuts you down.

    • aembleton 2 days ago

      How could Puregym make it easier to unsubscribe? I'm sure I managed to do it in the app just a few months ago.

  • pastorhudson 3 days ago

    Ya and if they add apple wallet they have to do android wallet and then that’s more code to maintain. But they could make the in house app always show the QR code on launch.

  • extraisland 3 days ago

    I have the app on my phone (I just used to use the pin key pad). It looks like a wrapper around their website.

deivid 2 days ago

Great article, I went through something similar with TrainMore in The Netherlands, where they replaced an NFC key fob with a similarly refreshing QR code (but this one rotates every 30 seconds)

In my case, I didn't make a native app because I don't use the wallet integration.

I wrote about it here: https://blog.davidv.dev/posts/trainmore-re/

NoahZuniga 2 days ago

> Number of times they've asked me to make them one: 23
> Number of times I've had to explain copyright law: 23

It's not clear to me why sharing an app that puts the qr code in Apple wallet would violate copyright law. This wouldn't require redistributing the app or any of its copyrighted contents. Maybe "unauthorized" use of the API is against TOS, but that's not illegal.

  • cxr 2 days ago

    In the US, it wouldn't be, but this is the UK, which doesn't have the same views about what is and isn't copyrightable that the US has. (Despite vague sentiments to the contrary, the US is a lot better at saying, "No, you can't stop people from doing that" than the UK or the EU when it comes to overbroad attempts by creators/rightholders to exert control.)

  • jt2190 2 days ago

    I made a similar comment below, but I’ll add to this one too: If I, as a gym member, use their api when I run their app and that’s ok, why can I not run the same api from a third-party app for the exact same use-case? If his app asked me to punch in my eight-digit pin and then just kept that stored locally for convenience, what is the issue?

    • valzevul 2 days ago

      OP here. Yeah, "copyright law" was a lazy shorthand, but it reads better than "tortious interference."

      PureGym's T&Cs [1] have a ridiculously long "PIN abuse policy" (probably meant to stop people sharing with mates). They can cancel memberships or even retroactively charge for gym use if you "knowingly provided your PIN to another individual."

      I'm not a lawyer and don't fancy being the test case for whether entering your PIN on a third-party website/app counts as "knowingly providing" it. Given how their app works, I suspect they might just ban a bunch of accounts instead.

      Though now that I think about it, the squat racks are always packed, so maybe I should just distribute the app to people who go at the same time as me.

      [1] https://www.puregym.com/membership-terms-conditions/

      • jt2190 2 days ago

        > I'm not a lawyer and don't fancy being the test case for whether entering your PIN on a third-party website/app counts as "knowingly providing" it.

        I guess I'm assuming that you would design the iOS app to collect and store the PIN number on the device, and never ever share it, since (if I read the post correctly) that's all you'd need to get to basic auth. I take your point that that might still be considered "sharing with a third party" but honestly I suspect that (a) they wouldn't notice for a long long time and (b) they would typically start by sending a c&d, not hiring a team of top-notch lawyers and going straight to court unless you're really wealthy and there's some prize to be had for all of those legal fees.

    • AlienRobot 2 days ago

      Look at it this way. If I buy something from a store and pay in cash, and then the cashier takes some money from the register and hands me the change, that's okay. But if I open the register myself and take the money, they call the police.

      i.e. just because it's POSSIBLE to do something doesn't mean it's okay to do it.

      • NoahZuniga 2 days ago

        Well, as long as you don't steal anything or assault the cashier you haven't done anything illegal (even if the police are called).

        Your example fails.

  • wat10000 2 days ago

    In the US, the Computer Fraud and Abuse Act outlaws unauthorized access to computer systems. “Unauthorized” has sometimes been interpreted to include terms of service violations. So if their click-through agreement nobody reads says you’re only allowed to use their official app to access the service, using a third party app to access it may be criminal.

    • jt2190 2 days ago

      This is in the U.K.

sb8244 3 days ago

"if we build that feature, we'd have to own it."

"You're right, keep it on the 2028 roadmap"

That would be my experience in tech at least.

  • subscribed 3 days ago

    I mean, the experience from my department meetings where we discuss the roadmap and plans.

    "Does it earn us money? Because doing it does _cost_ us"

    It's really that simple (and the to do/wishlist is actually long).

    The best thing PureGym could do now? Pay the guy a couple of grand for the app AND give him lifetime membership.

eterm 3 days ago

> The crown jewel? Your 8-digit gym door PIN is your API password and you most likely didn't set it yourself.

I hope there's a rate-limit on failed attempts.

Because if you know someone's email address, it sounds like you get API access fairly quickly after that?

Also I trust that the scopes that you can ask for are limited appropriately?

  • OtherShrezzing 2 days ago

    I think the even better crown jewel here is that the code is predictable, with no lock-out facility at the gym door for wrong attempts. The format is (or was when I signed up) something in the format

    >[minute of the hour you created the account][random number, 2 digit][day (or maybe month) of birth][year of birth]

    So <59341295> is the code for a user who signed up at :59 past the hour, and their birthday is December 1995.

    If you know someone’s birth month, you can just scan through ~6000 possible codes in a for loop to get their access code. At my gym, the PT coaches would celebrate their clients' birthdays loudly.

    I’d not be surprised if the random number component was just an integer that increases with each sign up at a gym.

  • valzevul 3 days ago

    OP here!

    > it sounds like you get API access fairly quickly after that?

    Yes, that's correct; I am yet to hit the rate-limit but from my experience with the official app/website, it's quite forgiving to failed attempts.

    The scope in the post is the one used by the app and other unofficial clients on GitHub [1][2], so I doubt there are more options beyond that.

    [1] https://github.com/0wain/puregym-api-php-wrapper/blob/main/s...
    [2] https://github.com/2t6h/puregym-attendance/blob/main/puregym...

GolDDranks 2 days ago

Nice solution!

Out of curiosity to the OP, did you use an AI to tweak/refine the text? It contains a lot of similar writing patterns as some read-aloud 4chan greentext/copypaste YouTube channels, especially liberal use of whimsical similes: "like it's 2000 and I'm downloading a JPEG on dial-up" "starting to feel like cosmic punishment" "like it's protecting nuclear launch codes", and jocular asides: " -- exposed to British weather, coated in a mysterious film of protein shake and regret, probably being livestreamed to TikTok by someone's ring doorbell -- ".

So I started to wonder if my AI-radar was spot on, or is that style of writing something people naturally do – because I wouldn't bother, but then again, I don't run a blog that people actually read.

  • qingcharles 2 days ago

    I got the exact same uncanny valley feel from the text. Great article, though. Some people just don't have great writing skills and need a leg up, so I think it's totally excusable to use AI to help you write something. Writing up a little pet project like this is super valuable and I'd hate it to only exist on the author's system because they didn't enjoy writing or didn't feel good at it.

    • GolDDranks a day ago

      Glad to know that I wasn't alone with my feeling!

  • bstsb 2 days ago

    was looking for this comment. excellent writeup nevertheless :)

  • CrispinS 2 days ago

    Did you use an AI to tweak/refine your comment? It's:

    * Written more formally than the typical HN comment

    * Uses uncommon language like "jocular asides" and "whimsical similes"

    * Fails to recognize that those mentioned phrases are cliches that people have been using for ages, long before LLMs

    In short, recalibrate your AI radar, it's malfunctioning.

    • GolDDranks 2 days ago

      Heh, I guess so. It's just an uneasy feeling I can't get rid of. Maybe I'm just being paranoid. Then again, I wonder if the said greentexts are AI-generated still. At least the contents are likely to be fakes.

x0x0 3 days ago

on security theater: the morons running my garbage company demand not just an email + pass but also security questions in order to login and... pay your bill. That's the functionality available.

Example security question: favorite book. Which is, naturally, case sensitive.

Someone wrote this to prevent people from stealing my password and paying my bill.

  • jerlam 3 days ago

    In the past, every company thought they were the next Facebook and needed to build complex super-scalable architecture because tomorrow a million users would appear out of nowhere and try to log in at the same time.

    Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.

    • DaiPlusPlus 3 days ago

      > Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.

      But this is demonstrably the case today... I don't think I've gone a week without hearing about some major data-breach.

      ...my own org got h4x0red a few months ago: our CEO didn't have 2FA enabled on his God-tier global-admin-rights OIDC/SSO login and somehow, someone found our internal login page, had a snoop around, found our Twilio account keys and sold them off to some spammer who then sent spam texts to our customers (fortunately our (immutable) access logs showed there was no further intrusion, but it was still an incredibly unsettling experience considering how uninteresting and un-sexy my SaaS day-job is).

      ...so if it can happen to me, a random fellow HN troglodyte, then it can happen to you; or the hospital down the street from my old office[1].

      In conclusion: we're doomed.

      [1] https://therecord.media/seattle-fred-hutch-cancer-center-ran...

      • ndriscoll 3 days ago

        Except in the real world almost every gym I've used just gives you a keychain barcode with your account number and it works fine. You scan in and it checks whether you're current. Maybe shows your picture to a front door attendant on their computer. No complicated cryptography required.

        A gym requiring an app would be a hard no from me. I don't know why anyone (especially technical) would put up with that.

        • kassner a day ago

          > I don't know why anyone (especially technical) would put up with that.

          Answer from someone that has to put up with that: other gyms are significantly harder to get to (distance) and it’s already hard enough to get motivated to go. My options are shitty app or no gym.

          Not everything is technically perfect and sometimes your only option is to put up with the stupidity of other developers/product managers.

    • throw10920 3 days ago

      ...and, of course, all of these companies are just as bad at security as they are at scaling - they don't even have the capacity to understand (organizationally - I'm not anthropomorphizing them) that Experian happened because their servers were breached, not because users' accounts got stolen.

      It's pathetic. There should be regulation that prevents overly onerous "security" controls on users accounts.

  • m463 3 days ago

    > garbage company demand not just a email + pass but also security questions

    thank goodness they do this, because I use the same email + password with my garbage as with my bitcoin wallet, my brokerage account and my online mistress finder app.

  • noisy_boy 3 days ago

    My utility company used to include the bill amount in their email which I used to pay using my banking app. But no, where is the fun in that! So they built an app, because what is the utility of a utility company without an app, removed the amount from the email so that I can give my fingertips some much needed workout and open the cursed app just to see the amount. I think the app has a feature to pay as well but being the minor lord of pettiness that I am, I refuse to use that and still pay using my trusty banking app.

  • maccard 2 days ago

    My supermarket requires email 2FA for grocery delivery and enforces it on basically every login. It means whenever my wife or I are doing the shopping we have to have the account owner there to get the secondary code.

    I keep meaning to auto forward all emails from them to me….

  • stavros 2 days ago

    There has been a spate of Russian hackers recently paying other people's garbage bills, it's becoming an epidemic. The company is right to want to curtail it by asking you for your favourite books, which is the hobbit, not the Hobbit

  • bapak 2 days ago

    I bet the password expires every 6 months too

kentbrew 2 days ago

Truth: "PureGym probably has a roadmap, sprint planning, and very good reasons for not implementing Apple Wallet. Maybe it's not a priority. Maybe they have data showing only 0.3% of users would use it. Maybe their KPIs are based on the number of online classes previewed in the app, and forcing users to see them every time the app loads secures someone's annual bonus."

  • rblatz 2 days ago

    The service itself is a several week endeavor to do properly, you have to understand the impact of all the pushed passes on the QR code generator, put together telemetry, dashboards, and alerting for the new service. Depending on their infrastructure that could be difficult to spin up. You have to do a design and review with the team so this isn’t just understood by one person and can be supported by a team. Documentation, ADRs, etc. setting up processes for managing the cert chain over the long term. And you probably want to keep parity between the iOS and android apps, so you need to understand that work.

    Then yeah, it lowers engagement with the app, which is probably tied to someone’s bonus.

    • crote 2 days ago

      A lot of those pain points are involved by virtue of being the original developer. Generating a QR code every single minute for every single user can indeed easily lead to issues, but that's much less of an issue when you're able to change the QR code validity to, say, a week.

      If you use online validation you can even dynamically rotate them whenever it suits you - either to adjust server load, or as some kind of "every Nth check-in" scheme. Heck, with online validation it doesn't even matter if the rotation service goes offline for a while!

      Or just generate a fixed QR code which never changes. You know, like the 8-digit pin the QR code is the alternative for.

snalty 5 hours ago

Great work! I did something similar before with supermarket loyalty cards before Wallet support was widespread, even had the Co-op loyalty balance on the card which updated.

poisonwomb 3 days ago

I’ve always used the physical PIN code to get in because I just instinctively don’t trust the app to load reliably; never felt so validated

  • grishka 3 days ago

    Both the PIN and the app feel like terrible ideas. The gym I go to uses NFC wristbands, for the turnstiles but also for the lockers.

    • account-5 2 days ago

      You can actually do this, as a fob, but you have to buy one from a vending machine in the gym. Remembering the pin is easier.

    • rafram 2 days ago

      That’s also really bad. Who wants to carry a wristband around everywhere? Keychain barcode tag works fine.

      • grishka 2 days ago

        What do you mean everywhere? You just throw it into your gym bag.

        • rafram 2 days ago

          Many gyms let you rent lockers by the month, so you can store your gym bag there and be able to drop by without necessarily having planned on it when you left home. Can’t do that if you have to carry a wristband around to get in.

  • DaiPlusPlus 3 days ago

    I've never been to a PureGym; if you guys use a PIN-pad to enter does that mean they're like those unattended 24/7 gyms?

    ...or if they do have an attendant there, why can't they let you in with a friendly greeting like they used to in some imagined past?

    • chilmers 3 days ago

      They're 24/7. There are usually some staff onsite during the day, but all the entry/exit stuff is always through the automated gates.

ezfe 2 days ago

The real travesty here is how bad the official app is. For example, the Planet Fitness app takes 7 seconds to go from closed to showing a QR code.

CraigJPerry 2 days ago

Love the writing style, good fun but full of interesting technical detail too

wrs 3 days ago

Did I interpret correctly that this sends a push notification every minute telling your phone to download a new code? If so, that seems like a battery problem…

  • dom96 3 days ago

    The article mentions they need to be refreshed every week, so I'd guess at most once a week.

    • ItsHarper 2 days ago

      I think ideally you'd do it maybe every day or so, so that if the user goes offline for a while, or the server you're running goes down or something, the pass will continue to work for at least 6 days. It buys you a lot of time to fix things.

    • wrs 3 days ago

      The RefreshAt is a week, but if the code is actually valid for a week, it's not clear why a simple screenshot of the code didn't work.

      • bpicolo 3 days ago

        It seems like it did work and they didn't want to deal with manually updating it weekly

      • xeromal 3 days ago

        I don't know security that well but if the puregym app refreshes the token then the old tokens would expire immediately right?

        • shermantanktop 3 days ago

          Nope. As I read it, any token less than a week old would work. So for any user, they have 7 * 24 * 60 tokens live at any time.

          • dwedge 3 days ago

            He said the code from Monday didn't work on Tuesday

            • valzevul 3 days ago

              Yeah, screenshot on Monday, messed with the app that evening, tried using it Tuesday morning -- dead.

              I've seen people on PureGym's Twitter successfully refreshing screenshots weekly though, and the API response suggests the same.

              That being said, I couldn't find a validation endpoint to check if mine got invalidated by something specific (maybe signing out?) or if there's some other magic happening.

              • dwedge 2 days ago

                I wonder if opening the app invalidated it, and those people who had it working just screenshot once.

                My gym has a similar system but I realised it's time based and the app functions without Internet. I installed the app onto an old Android with no SIM, logged in at home over WiFi and it successfully regenerated QRs without data

      • MBCook 3 days ago

        Because you’d have to waste the time to take a new screenshot every week, of course.

      • aembleton 2 days ago

        Probably invalidates old tokens when a new one is generated.

  • withzombies 3 days ago

    You can send background push notifications which are delivered when the phone is ready for them. They don't deliver when the phone is low battery or in low battery mode. It's specifically made to reduce battery consumption.

    Higher priority push notifications require a user visible UI element and can be delivered regardless of certain low power situations.

    • wrs 3 days ago

      It sounds like this only helps power consumption after you've already run low on power. Seems like processing frequent notifications would accelerate your progress toward that low power state.

      • kccqzy 2 days ago

        Yeah but many people turn on Low Power Mode manually every time they unplug or via automation at a high threshold.

    • refulgentis 3 days ago

      > Higher priority push notifications require a user visible UI element

      The QR code for a pass sure sounds like a priority user visible UI element.

      • jon-wood 2 days ago

        Only if it’s visible, from the sound of it these are background notifications so that the QR code can be ready if you open the pass.

latexr 2 days ago

> My first approach was embarrassingly naive. "I'll just screenshot the QR code and add it to Apple Wallet as a static image!"

> Reader, I actually did this.

How? I’m very interested in that part.

I remember wanting it because (despite it being possible) services don’t usually allow you to add Wallet passes when you buy from the web, instead requiring you to install their app (which I do not want). But I can already see myself using this for services which don’t even provide Wallet passes.

From the author’s wording, it seems there’s a way to add such screenshots without using a third-party app.

  • ceejayoz 2 days ago

    I use an app called Pass2Wallet that lets me turn any barcode (loyalty cards etc.) into a Wallet pass, with location based invocation etc.

    • latexr 2 days ago

      Thank you for the recommendation, but I don’t want to pay a subscription for something I use sporadically, especially (according to the App Store page) an AI-generated app which tracks you. I want to do what the author mentioned: take a static image and add it to Wallet. I don’t mind some legwork.

      • ceejayoz 2 days ago

        I don’t pay for it, but anyone with an Apple dev account can do the same with Passkit. This just makes it easy to test it out.

        • latexr 2 days ago

          > anyone with an Apple dev account can do the same with Passkit.

          Yes, that’s what the article is about, I read it all. But the author also mentioned the screenshot approach before using Passkit and called it the naive approach, so it’s likely they did something considerably simpler.

          Feels like I’m on the worst parts of Stack Overflow and Reddit. I know other options exist, I’m asking about one specific approach. It is OK to not reply or say “I don’t know how to do it like that”. That’s fine, I don’t know either and I’m not embarrassed by that, that’s why I’m asking. I want to learn a new trick.

          • ceejayoz 2 days ago

            > But the author also mentioned the screenshot approach before using Passkit and called it the naive approach, so it’s likely they did something considerably simpler.

            I guess I didn't realize it was that simple a question.

            The "how" there is "take a screenshot of the first-party app". In many cases (especially with physical barcodes like a loyalty card you can just photograph), that's all you need; just keep it in your photo roll. It didn't work in this case because the QR codes contain some sort of signature or expiration date that prevents a screenshot from last week from working this week.

            If it has to be in wallet, https://developer.apple.com/documentation/passkit/pkpasstype....

  • the_mitsuhiko 2 days ago

    You can create wallet files yourself.

    • latexr 2 days ago

      I mean, clearly, that’s the whole point of the article. What I’m asking is how do you make a wallet pass from a static image. Is it difficult? Is it simple? What are the steps?

      This is like if I asked “how do I boil an egg” and you had answered “you can boil an egg yourself”. Yes, I know that. That’s obvious but also unhelpful. The correct (short) answer would’ve been “bring water to a boil on the stove, lower an egg into it, wait around 10 minutes, turn it off and place the egg in cold water for an easier peel”. Or “here’s a link with instructions: <URL>”.

      • the_mitsuhiko 2 days ago

        > What I’m asking is how do you make a wallet pass from a static image. Is is difficult? Is it simple? What are the steps?

        It's simple, there are lots of libraries that can generate it. You can probably even ask Claude Code or something like that to generate you one.

        I understood your question as: can I do this myself or do I need an app and the answer is that you can do it yourself. The documentation for it is easily Googleable.

        What you need is a signing key so you will need to pay the apple tax.

arjvik 3 days ago

> A Pass Type ID certificate from Apple Developer Portal

How much does this cost? I'd love to create Apple Wallet passes for things, but I'm wary of setting up an Apple Developer account and paying even more fees for just this.

  • ethan_smith 2 days ago

    The Pass Type ID certificate requires an Apple Developer Program membership which costs $99/year, but there are no additional fees specifically for Wallet pass functionality.

  • bc569a80a344f9c 3 days ago

    As far as I can tell, it’s included with the base product. But to keep it active you’d have to renew the developer subscription every year.

  • Zak 2 days ago

    This is obnoxious given PKPass is an open standard. Third party apps can use them without any requirement to be verified by some authority, but Apple just has to maintain some sort of control.

chtitux 2 days ago

It could be interesting to understand the actual content of the QR code. part1 is a static id, so likely linked to the membership.

part2 seems to be a timestamp. Maybe we can try to forge the value to "now - 10 seconds".

And if the implementation has been done right, the "part3" should be a signature of part1 and part2, not a "salt" (so forging part2 should be detected and code rejected).

  • NoahZuniga 2 days ago

    Judging by the size of the QR code, part 3 is too short to be a signature. Probably the token is just registered in a centralized system that the QR code scanner checks with to see if the code is valid.
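
The two questions argued over above, whether every code issued in the last week stays live or old ones die when a new one is generated (the wrs / shermantanktop / aembleton thread), and whether part3 is a signature over part1 and part2 or just a lookup key (chtitux vs NoahZuniga), are easier to reason about in code. The following is an added example written for this page, not PureGym's scheme and not the article author's code. It assumes a `part1.part2.part3` layout, a hypothetical server key, a seven-day validity window, and field names that are inventions for the example. It shows both designs side by side: a truncated HMAC as part3, where editing part2 to "now - 10 seconds" fails the MAC check, and an opaque-nonce registry, where part3 carries no signature so the gate must be online, but superseding or revoking a code is a row deletion.

```python
import hashlib
import hmac
import secrets

# Everything below is illustrative: the key, the field layout and the policies
# are assumptions for this example, not PureGym's real format.
SERVER_KEY = b"example-server-key-not-the-real-one"
MAX_AGE_SECONDS = 7 * 24 * 60 * 60   # "valid for a week" as discussed in the thread
TAG_HEX_CHARS = 16                    # truncated HMAC keeps the QR payload short


def _tag(member_id: str, issued_at: int) -> str:
    """HMAC-SHA256 over part1 and part2, truncated to TAG_HEX_CHARS."""
    msg = f"{member_id}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:TAG_HEX_CHARS]


def issue_signed_token(member_id: str, issued_at: int) -> str:
    """part1.part2.part3 where part3 authenticates part1 and part2."""
    return f"{member_id}.{issued_at}.{_tag(member_id, issued_at)}"


def verify_signed_token(token: str, now: int, latest_issued=None):
    """Return (accepted, reason).

    latest_issued, if given, maps member_id -> newest issued_at and turns the
    sliding one-week window into "only the most recently issued code works",
    which is the policy that would kill Monday's screenshot after an app
    refresh on Monday night.
    """
    try:
        member_id, ts_str, tag = token.split(".")
        issued_at = int(ts_str)
    except ValueError:
        return False, "malformed"
    # Compare as bytes in constant time so part3 can't be guessed byte by byte.
    if not hmac.compare_digest(tag.encode(), _tag(member_id, issued_at).encode()):
        return False, "bad signature"   # a forged part2 lands here
    if issued_at > now + 60:
        return False, "issued in the future"
    if now - issued_at > MAX_AGE_SECONDS:
        return False, "expired"
    if latest_issued is not None and latest_issued.get(member_id) != issued_at:
        return False, "superseded"
    return True, "ok"


class NonceRegistry:
    """The other hypothesis: part3 is a short random value the scanner looks up.

    Nothing on the phone is self-validating, so the gate must reach the server,
    but revocation and "old codes stop working" are just row deletions.
    """

    def __init__(self):
        self._live = {}   # nonce -> (member_id, issued_at)

    def issue(self, member_id: str, issued_at: int) -> str:
        nonce = secrets.token_hex(4)   # 8 hex chars, a similar length budget to above
        self._live[nonce] = (member_id, issued_at)
        return f"{member_id}.{issued_at}.{nonce}"

    def verify(self, token: str, now: int):
        try:
            member_id, ts_str, nonce = token.split(".")
            issued_at = int(ts_str)
        except ValueError:
            return False, "malformed"
        # The stored part1/part2 must match what was presented, so editing
        # part2 is still caught even though there is no signature.
        if self._live.get(nonce) != (member_id, issued_at):
            return False, "unknown or tampered"
        if now - issued_at > MAX_AGE_SECONDS:
            return False, "expired"
        return True, "ok"

    def revoke_member(self, member_id: str) -> int:
        """Drop every live code for a member (e.g. on sign-out); returns the count."""
        doomed = [n for n, (mid, _) in self._live.items() if mid == member_id]
        for n in doomed:
            del self._live[n]
        return len(doomed)


if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_signed_token("12345678", now - 3600)
    mid, _, tag = tok.split(".")
    print(verify_signed_token(tok, now))                         # (True, 'ok')
    print(verify_signed_token(f"{mid}.{now - 10}.{tag}", now))   # (False, 'bad signature')
```

The signed variant answers chtitux's point: if part3 covers part2, a replayed-but-edited timestamp is rejected without any database access, and the sliding window means every code from the past week stays valid unless the server also tracks the latest issue time. The registry variant answers NoahZuniga's point: an 8-character part3 is fine as a lookup key, and it explains a screenshot going dead after the app was opened, since reissuing or revoking simply removes the old row.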

OrvalWintermute 2 days ago

I love this kind of story:

Developer frustrated with missing functionality / UI problems / etc / and solves it. So awesome!

rekabis 2 days ago

I heartily approve of this kind of guerrilla development.

The only downside is that they hold all the keys to the kingdom, so either they (or someone inside the org with political weight) will be pissed off straight out of the gate, or you’ll always be walking on eggshells trying your best to not piss them off.

account-5 2 days ago

I love reading about this sort of thing. My personal solution to the issues with the app and the wait for it to work (if it worked) was to memorize the pin. I believe I'm still quicker getting in than even the OP's solution, and with less hassle too since I don't need a device or any services.

CraigRood 2 days ago

Awesome post and fun read given I'm a PureGym member myself.

I 'got around' the PIN/QR Madness after 1 week by getting a key fob. Now I don't have to ever open the app...

Attendance API looks to be worth playing with! Nice Bonus.

jt2190 2 days ago

I question these imagined barriers:

> Should I package this up properly? Probably not: it's a proof of concept that solves my specific problem. Plus, PureGym would probably just hire me to shut it down, and I'm not ready for that level of corporate responsibility.

Don’t take a job if they offer one to you then?

> SaaS Dreams: Package this properly, get sued immediately, become a cautionary tale at product management conferences.

I genuinely don’t think that this is how it would go down, unless you’re marketing it as an official product. As a consumer I’m allowed to buy things that I find useful, and if this was packaged as a third-party convenience for personal use I don’t see the issue.

I suppose that if the company even noticed (very unlikely) they could get pissy but then I’d expect a c&d to arrive not some multi-million dollar lawsuit. Caving in at this point is an option.

Honestly I think getting past app review and into the App Store would be the hard part.

throwaway31131 2 days ago

Great post.

What’s Next: Shame Notifications: "You were literally 100 meters from the gym and walked past it"

As much as I hate to admit it, that would probably work on me and I’d probably turn it on.

  • stefs 2 days ago

    Wouldn't work for me because I usually don't have my gym bag with me when I don't plan on going. I have a regular schedule and a program with a progression scheme.

yapyap 2 days ago

lol counting the amount of “time saved” to justify the amount of time you spent building the thing is relatable but also slightly cancerous if it takes over your mindset in the building or brainstorming process. (Which, unless it’s a jokey bit that has no core of truth, it might very well do.)

I used to do it too and in my mind I still do out of habit, but I try not to let it influence projects anymore. What else will I do with my time? Plus doing stuff like this keeps your skills up to date.

  • latexr 2 days ago

    I would say that for something like this, it’s still worth it even if you spent more time on it than you’ll ever save.

    Not only have you learned new skills and got better at the craft, but you also removed a frequent source of frustration and get satisfaction every time your system works and you remember “heck yeah, I did this”. It increases your happiness and well-being overall into the future and keeps on giving.

    • john-h-k 2 days ago

      This would be true iff you couldn’t just do it in ~5s using the PIN number

      • latexr a day ago

        It’s still true. I said something like this, not only this specifically. But even for this exact case it would remain true for me. I have several situations where that has been the case, I’m speaking from experience. Maybe it wouldn’t be true for you—which is fair, everyone is different—but don’t ignore the gained experience which makes the next project even faster to finish.

a3w 2 days ago

That should be an App Clip by PureGym. Or of course, a single-time wallet export. Or a physical one-euro dongle, so you can leave your phone at home.

sbaildon 2 days ago

Similar story with Better’s leisure centres. A frustrating app that only needs to display a barcode, and it doesn’t even rotate.

hyperbolablabla 2 days ago

Great article. Me personally, I just learned my PIN...

Jbird2k 3 days ago

Wallet is spelled incorrectly under subheading “The Swift backend nobody asked for”

monksy 3 days ago

I can't believe this criminal that is writing this. Won't people think of the poor data brokers that are sucking down data from this forced app about who he is, what his device profile is, where his location is etc?

dmcc7897 3 days ago

I have no idea if this was written by AI, and frankly I don't care. I really enjoyed reading and appreciated the humour.

I'm curious to see how easy this would be on Android and to have an auto updating QR code widget on my home screen.

bbno4 3 days ago

this reads like chatgpt dribble

  • danpalmer 3 days ago

    It doesn't to me. I can tell AI writing because it has irrelevant details that don't add facts or colour to the story, but this doesn't have any of that really. The tangents come across as human, not AI doing a bad impression of human.

    Things like em-dashes are a really bad way to detect AI because they can be good grammar and improve text readability, same with curly quotes. I use them all the time in my writing, and I wouldn't be surprised if this iOS dev feels similarly as Apple platforms have emphasised this stuff for years.

    • nneonneo 3 days ago

      Humorously, after re-learning about em-dashes due to their use by AI (an otherwise forgotten part of high-school English), I started using them more often in my writing. They really do look nicer!

      As an academic I’ve always used “delve”, too, so at this point I guess my writing is going to be flagged as AI a lot…

      I do note that some of the AI slop I’ve received from students includes other fancy Unicode characters (superscript numerals, variant Greek letters, blackboard bold R, etc.) that are difficult to type, and which especially would not be used in e.g. code comments. Em-dashes at least can be produced by certain word processors or text IMEs automatically, whereas many of these others require specifically looking for the character.

      • danpalmer 3 days ago

        > some of the AI slop I’ve received from students include other fancy Unicode characters... that are difficult to type...

        This is the bit I'd still caution against. Yes AI does this, but also writing in some software will correct 1/2 to ½, writing in tools that support MathJax will give you nice greek letters, etc. At university I spent days setting up nice LaTeX setups so that I could get good looking documents, including documents that didn't immediately appear to be LaTeX authored.

        I think it's best to focus on the content, the writing quality, whether it targets the right audience, and whether it answers the question or just features a lot of words in the right ballpark. Focusing on the specific words and mechanical features of the text is going to catch out the wrong students, and it's going to be harder to justify from your perspective because you can't score a student badly for using an esoteric unicode character.

    • slacktivism123 3 days ago

          No secret. Just vibes.
      
      Since you know the tells of LLM generated text, you'll know that this is a classic: No X. Just Y.

          Proxyman -- pick your poison.
      
          And if you're from PureGym reading this—let's talk.
      
      There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job.

      "And if you're from [COMPANY] reading this[EM DASH]let's talk" is a classic GPT-ism.

          It's like the API is saying "Hey buddy, I know this is odd, but can you poll me every minute? Thanks, love you too."
      
          Shame Notifications: "You were literally 100 meters from the gym and walked past it"
      
          It's just a ZIP archive with delusions of grandeur
      
      Clear examples of fluff. Not only do these fail to "add facts or colour to the story", they actually detract from it.

      I agree with you that em dashes in isolation are not indicative, but the prose here is dripping with GPT-speak.

      • valzevul 3 days ago

        OP here! Appreciate you actually pulling examples instead of just dropping "this is AI".

        > There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job.

        The em dash conspiracy in the comments today is amazing -- I type double hyphens everywhere, and some apps (e.g. a Telegram bot I made for drafts, or macOS's built-in auto-correct) replace them with em dashes automatically–I never bother to edit those out (ok, now this one I put here on purpose).

        > It's just a ZIP archive with delusions of grandeur

        > Clear examples of LLM fluff that don't "add facts or colour to the story".

        Yeah, no that's fair enough, should've known better than to attempt humour on HN.

        I've got to say though, pkpass is a ZIP archive, and no ZIP archive should require one to spend 3 hours to sign it.

        • mft_ 3 days ago

          I enjoyed the humour. (We’re heading towards a sad world if any attempt at levity in an article is interpreted as evidence of LLM usage by critical killjoys.)

          Edit: total random thought: something in your prose shouted ‘Brit’ to me very quickly. Is it possible that part of this is simply cultural differences in humour and writing, and over-interpretation of subtle differences as evidence of LLM use?

          Or do LLMs just write in a subtly more British style because, well, Shakespeare and Dickens and Keats and Milton? Or does ChatGPT just secretly channel PG Wodehouse?

          • spuz 3 days ago

            Authors use humour as a form of connection with their audience. It's a way of saying hey I'm a human and I have the same human experiences as you dear reader. Take the first paragraph for example:

            > Wednesday, 11:15 AM. I'm at the PureGym entrance doing the universal gym app dance. Phone out, one bar of signal that immediately gives up because apparently the building is wrapped in aluminum foil

            It says, "Hey I'm a human who goes to the gym and experiences the same frustrations as you do". Now imagine for a second this paragraph was written by AI. The AI has never been to the gym, the AI doesn't feel impatience trying to pass through the turnstile, the AI has never experienced the anxiety of a dodgy internet connection in a large commercial building. The purpose of any humour in this paragraph is completely undermined if you assume it was actually written by AI.

            So please don't conflate being anti-LLM with being anti-humour. It's just the opposite. We want humour because we want to feel a connection with our fellow humans and for the same reason we should also want writing that comes from a human, not a machine.

            • mft_ 2 days ago

              > So please don't conflate being anti-LLM with being anti-humour. It's just the opposite.

              I'm not.

              I'm trying to analyse, or hypothesise, why this author's particular writing style seemed to trigger people's nascent LLM warning heuristics.

              I considered the humour, because, well, other people brought it up. From the surrounding discussion, it seemed that the jocular writing style was one of the points generating suspicion.

          • ifwinterco 2 days ago

            Does sound like some people just don't get the humour which is fine, personally I liked it (but then I am british).

            British people do tend to have a fairly humorous indirect way of communicating that can take some getting used to for people from other cultures, but that doesn't mean we're all secretly LLMs

        • danpalmer 2 days ago

          FWIW, I found "It's just a ZIP archive with delusions of grandeur" pretty funny and for me it was an example of a human adding (relevant) colour to the content.

          I swear some folks have just been normalised to the shit writing that AI does so much that they look for tricks like punctuation rather than just reading the damn text. Although maybe they're just blatting the whole thing into ChatGPT and asking it to summarise, or determine if it's AI generated.

        • lemming 2 days ago

          FWIW I enjoyed the article and the humour, and I don't know where the AI conspiracy is coming from – I wish I could get the AI to write copy this good. So thanks, that was a fun read!

          • latexr 2 days ago

            > I don't know where the AI conspiracy is coming from

            It has become a trope to call any text which includes an em-dash AI writing.

      • bstsb 2 days ago

        not sure why you're being downvoted here, you're completely right

  • Starlevel004 3 days ago

    The AI dashes mixed with the manual double hyphen AI dashes makes it likely

    • latexr 2 days ago

      There’s no such thing as “AI dashes”. Em-dashes are valid typographical marks which have been employed for literal centuries. The only reason LLMs even used them is because humans do too, as they were trained on that input. It’s your prerogative to not care about proper punctuation, but that in no way indicates that those who do are machines.

  • DrawTR 3 days ago

    I don't like the baseless LLM accusations, but the code comment

    > // Device wants updates! Store that push token like it's bitcoin in 2010

    ...really had me raising my eyebrows. Along with the mixed em-dash and hyphens and the AI generated images on the page.

    • jon-wood 2 days ago

      I would absolutely write a comment like that in code I was writing for a personal project. I’ve written way worse as well.

  • jackdecker 2 days ago

    I was thinking the same thing - Went back and re-read it though, and I think it’s more that the author wrote a first draft and then had AI help spice some stuff up. He either:

    1. Used AI to help and doesn’t care if it sounds a little AI generated / actually likes it
    2. Didn’t use AI but reads enough AI slop that his writing style is directly influenced by it (scary)
    3. Used AI but doesn’t use AI enough to immediately recognize when language sounds like it was generated by ChatGPT and didn’t bother correcting (this is my guess)

    There’s a few times I got tripped up because it went from pretty human writing to “holy shit shit that’s ChatGPT I’m going to stop reading,” yet the author would save it with human writing right after.

    This is kind of a ramble, but it actually was one of those pieces of writing that I felt was genuine and improved by some of the ChatGPT language rather than just clickbait garbage - I could tell the author was just trying to make it worthwhile and interesting to read, and I honestly really enjoyed it.

  • troupo 3 days ago

    Ah yes, because we all know that ChatGPT is capable of writing coherent texts with consistent humour and details on a technical topic.

  • tremarley 3 days ago

    There were a few spelling mistakes

  • dangus 3 days ago

    The word you’re looking for is “drivel.”

  • wyes 3 days ago

    100%

    "The crown jewel? Your 8-digit gym door PIN is your API password and you most likely didn't set it yourself. The same PIN that hasn't changed since the iPhone 8 was cutting-edge technology."

    Reads directly from ChatGPT

maccard 2 days ago

Wasn't expecting to see someone posting about my gym on HN this morning!