Receiving Hundreds of Postcards from the Internet
In this post, I blog about postcard_creator and postcards, an Android and REST endpoint reversing project I created to send free postcards in Switzerland. I built postcard-love, a website to allow strangers to send me postcards for free. Over time, I have received hundreds of cards, some more unusual than others.
The Swiss Postal Service offers a free service to send postcards within Switzerland in their Android/iOS apps. Swiss residents with a SwissPass are eligible to register at https://service.post.ch to design and send postcards online. Their service includes a free postcard every 24 hours. However, it is hidden in their Android/iOS apps and only accessible there.
This project aims to reverse these apps and build an API wrapper that will automate and expose this functionality.
The project consists of three components: a REST API wrapper, a command-line application, and a demo application to receive cards from strangers online.
REST API Wrapper
The API wrapper is written in Python and implements authentication modes with username/password (now discontinued) and SwissID SAML/OAuth authentication. As far as I can tell, no countermeasures are implemented to hinder the endpoint reversing. However, there is an interesting endpoint in the authentication flow that requests a device fingerprint, possibly to implement some sort of anomaly detection. For now, a static fingerprint does just fine and the authentication succeeds. Time will tell if we have to get more clever here in the future…
Besides that, OAuth follows an Authorization Code Flow with Proof Key for Code Exchange (PKCE).
The user-facing API is fairly simple and resembles the REST endpoints:
    from postcard_creator.postcard_creator import PostcardCreator, Postcard, Token, Recipient, Sender

    token = Token()
    token.fetch_token(username, password)

    recipient = Recipient(prename, lastname, street, place, zip_code)
    sender = Sender(prename, lastname, street, place, zip_code)

    picture = open('./my-photo.jpg', 'rb')
    card = Postcard(message, recipient, sender, picture)

    w = PostcardCreator(token)
    w.send_free_card(postcard=card)

You can find the API wrapper on GitHub.
Postcards is a command-line application built around the REST API. It comes with different modes including:
- Bulk sending cards from a folder,
- Slicing a picture into tiles of many cards,
- Sending stock images,
- Sending quotes from Chuck Norris (be aware, his first program was kill -9!),
- Sending random pictures from the internet (without filtering, may not be SFW).
    $ postcards send --config config.json \
        --picture https://images.pexels.com/photos/365434/pexels-photo-365434.jpeg \
        --message "Happy coding!"

You can find the command-line application on GitHub.
Receiving Cards from Strangers
With the API wrapper implemented, we can now build Postcard-love, a small web application to upload an image and write some text. Cards uploaded on the site are then enqueued and sent to my home address using the aforementioned projects.
Now, all that was left is to wait and see if someone bothered to write a card…
In the next paragraphs, I will highlight some of the cards received. Thanks to everyone who made an effort and sent me a card!
I want to shout out to truck driver Ahramov. Whether you are real or not, thanks for the message! I hope the gud truck still drives :).
zis is se truck in se uzbekiztan. itz not mi truck but gud truck frm the sovjet, gud times. veri gud regards -- truck drivr ahramov
Also a shout-out to this gentleman, who took the corona measures very cautiously :). Thanks for all the love, stay healthy!
Love your stuff. Stay corona-free! (That's me in the pic FYI lol)
Cheers for this beautiful picture of a lake in Belgium.
hello dear, this morning i had uploaded your add free tool for spotify on android phone, very good idea you were working on it! many thanks for. This picture i shooted two days ago, with the beautiful end of day light, at the place lac de l'eau d'heure' in south of Belgium. take care of you.
And last but not least, a warm thanks for this picture. It’s a nice wall :).
This is our cat-postcard wall, all sent using your python wrapper. Thanks a lot :) -- Someone from the cloud
From cute cat pictures, landscape and architecture, obscure images and trash, selfies, and even a request for a date, I received many postcards.
A smile is happiness you’ll find right under your nose.
– Tom Wilson
The reverse engineering work of this project has been a lot of fun, almost as much fun as receiving the cards. The projects are actively maintained and (usually) quickly fixed if something breaks. Thanks, everyone, for playing along and making me, the postman, and my roommates smile.
Got curious? Send me a card here.
Thanks for reading.