Receiving Hundreds of Postcards from the Internet

#programming #reversing

In this post, I blog about postcard_creator and postcards, an Android and REST endpoint reversing project I created to send free postcards in Switzerland. I built postcard-love, a website to allow strangers to send me postcards for free. Over time, I have received hundreds of cards, some more unusual than others.

Some of the postcards I received from the interwebs.

Background

The Swiss Postal Service offers a free service to send postcards within Switzerland in their Android/iOS apps. Swiss residents with a SwissPass are eligible to register at https://service.post.ch to design and send postcards online. Their service includes a free postcard every 24 hours. However, it is hidden in their Android/iOS apps and only accessible there.

This project aims to reverse these apps and build an API wrapper that will automate and expose this functionality.

The Project

The project consists of three components: a REST API wrapper, a command-line application, and a demo application to receive cards from strangers online.

REST API Wrapper

The API wrapper is written in Python and implements authentication modes with username/password (now discontinued) and SwissID SAML/OAuth authentication. As far as I can tell, no countermeasures are implemented to hinder the endpoint reversing. However, there is an interesting endpoint in the authentication flow that requests a device fingerprint, possibly to implement some sort of anomaly detection. For now, a static fingerprint does just fine and the authentication succeeds. Time will tell if we have to get more clever here in the future…

Besides that, OAuth follows an Authorization Code Flow with a Proof Key for Code Exchange (PKCE).

The user-facing API is fairly simple and resembles the REST endpoints:

from postcard_creator.postcard_creator import PostcardCreator, Postcard, Token, Recipient, Sender

# username, password, message and the address fields are placeholders you supply
token = Token()
token.fetch_token(username, password)

recipient = Recipient(prename, lastname, street, place, zip_code)
sender = Sender(prename, lastname, street, place, zip_code)

# Open the picture in binary mode; the file is closed once the card is sent
with open('./my-photo.jpg', 'rb') as picture:
    card = Postcard(message, recipient, sender, picture)

    w = PostcardCreator(token)
    w.send_free_card(postcard=card)

You can find the API wrapper on GitHub.

Command-line Application

Postcards is a command-line application built around the REST API. It comes with different modes including:

$ postcards send --config config.json \
    --picture https://images.pexels.com/photos/365434/pexels-photo-365434.jpeg \
    --message "Happy coding!"

You can find the command-line application on GitHub.

Receiving Cards from Strangers

Having the API wrapper implemented, we can now build Postcard-love, a small web application to upload an image and write some text. Cards uploaded on the site are then enqueued and sent to my home address using the aforementioned projects.

Webapp to send free cards. See more design assets and the source code here.

Now, all that was left was to wait and see if someone bothered to write a card…

Shout-Outs

In the next paragraphs, I will highlight some of the cards received. Thanks to everyone who made an effort and sent me a card!

I want to shout out to truck driver Ahramov. Whether you are real or not, thanks for the message! I hope the gud truck still drives :).

zis is se truck in se uzbekiztan. itz not mi truck but gud truck frm the sovjet, gud times. veri gud regards
-- truck drivr ahramov 

truck drivr ahramov’s truck.

Also a shout-out to this gentleman, who took corona measures very cautiously :). Thanks for all the love, stay healthy!

Love your stuff. 
Stay corona-free! (That's me in the pic FYI lol)

Stay healthy and strong.

Cheers for this beautiful picture of a lake in Belgium.

hello dear,
this morning i had uploaded your add free tool for spotify on android phone, very good idea you were working on it!
many thanks for. This picture i shooted two days ago, with the beautiful end of day light, at the place lac de l'eau d'heure' in south of Belgium.
take care of you.

lac de l’eau d’heure, Belgium

And last but not least, a warm thanks for this picture. It’s a nice wall :).

This is our cat-postcard wall, all sent using your python wrapper.
Thanks a lot :)
-- Someone from the cloud

Cat-postcard wall from someone from the cloud.

Conclusion

From cute cat pictures, landscape and architecture, obscure images and trash, selfies, and even a request for a date, I received many postcards.

A smile is happiness you’ll find right under your nose.
– Tom Wilson

The reverse engineering work of this project has been much fun, almost as much fun as receiving the cards. The projects are actively maintained and (usually) quickly fixed if something breaks. Thanks everyone for playing along and making me, the postman, and my roommates smile.

Got curious? Send me a card here.

Thanks for reading.
– bean