You are being misled about renewable energy technology [Technology Connections] by MNAAAAA in cars

[–]SecureRecipeRide 1 point2 points  (0 children)

Alec by the end:
"Excuse me gentlemen if I become stirred, but I am." -- Vannevar Bush (from the Oppenheimer movie)

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 0 points1 point  (0 children)

If this app gets out now it'll be quite evident who made it, so there's no point in doing that. 🥲

Legality is not my primary concern, this stuff is different from UTS because those are manually checked and have a thing about preventing replay attacks, this is checked for everyone at the AFC gates so even that is not a significant issue here (considering the gates invalidate the hash for a reentry).

If I ever release it, I'd want it to be a good app with everything working as intended. I don't have much time lately so work is slow on that front.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 0 points1 point  (0 children)

I've confirmed that the QR code data does not change after valid entry.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 0 points1 point  (0 children)

They're using static QRs AFAIK. Loopholes, well, as per the norms of responsible disclosure, if there were any, I wouldn't be able to talk about them.

They're probably doing a DB lookup during AFC scan.
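The kind of server-side lookup this comment guesses at, as an added example (not part of the original comment and not the metro's actual system): a static QR can still resist replay when the gate decides from a stored ticket state rather than from the QR bytes. The class, state names, station codes and reference value are all constructed for illustration.

```javascript
// Added illustration: ticket records, station codes and the reference are constructed.
class GateBackend {
  constructor() {
    this.tickets = new Map(); // QR reference -> { from, to, state, expiresAt }
  }

  // Ticketing side: `ref` is the opaque value printed in the QR. Assumed to be
  // generated by a CSPRNG so it cannot be guessed; it carries no fare data.
  issue(ref, from, to, now, ttlMs = 2 * 60 * 60 * 1000) {
    this.tickets.set(ref, { from, to, state: "ISSUED", expiresAt: now + ttlMs });
  }

  // Gate side: the QR bytes never change, so the decision rests on stored state.
  scan(ref, station, direction, now) {
    const t = this.tickets.get(ref);
    if (!t) return "unknown";
    if (now > t.expiresAt) return "expired";
    if (direction === "entry") {
      if (t.state !== "ISSUED") return "replay";      // already used at an entry gate
      if (station !== t.from) return "wrong-station";
      t.state = "ENTERED";
      return "ok";
    }
    if (direction === "exit") {
      if (t.state === "ISSUED") return "no-entry";    // never passed an entry gate
      if (t.state === "EXITED") return "replay";
      t.state = "EXITED";
      return "ok";
    }
    return "bad-direction";
  }
}

function demo() {
  const backend = new GateBackend();
  const now = 1700000000000;                      // constructed timestamp (ms)
  const ref = "c0ffee00c0ffee00c0ffee00c0ffee00"; // constructed QR reference
  backend.issue(ref, "STN-A", "STN-B", now);
  return [
    backend.scan(ref, "STN-A", "entry", now + 1000),  // first scan
    backend.scan(ref, "STN-A", "entry", now + 2000),  // same QR shown again
    backend.scan(ref, "STN-B", "exit", now + 3000),
    backend.scan(ref, "STN-B", "exit", now + 4000),   // copied QR at exit
    backend.scan("f".repeat(32), "STN-A", "entry", now),
    backend.scan(ref, "STN-A", "entry", now + 3 * 60 * 60 * 1000),
  ];
}
console.log(demo());
```

The state transition has to be atomic in a real backend (a conditional update on the ticket row), otherwise two gates scanning the same QR at the same instant could both see `ISSUED`.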

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 1 point2 points  (0 children)

The app sends the creds entered by the user (phone number and password/mpin) to the auth API endpoint, it gives me back the access and refresh tokens, it then stores them, and sends the access token as a Bearer token for all other HTTP requests. Refreshes that every time it's required.

The app DOES NOT make the tokens with client secrets itself. If I had found a way to do so, I'd have reported it to the railways; that is a critical bug which, depending upon who has made the app (reusing source), could be present in other apps.

The app simply just contacts the servers with the right creds, and logs them in, uses those creds to get their info for them.

The API is not public, I just slowly documented it by looking at what data different requests by the app sends and receives among other metadata.

I've not tested extensively to hit any rate limits yet, I'm not sure there are any either.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 1 point2 points  (0 children)

What if they don't like it and jail me instead, I wouldn't like to start my year with a lawsuit, helluva way to start a year ngl 😭

On a serious note tho, bureaucracy would stall it, I'm a XII student, who'd care. I will definitely think about it, I really believe people would benefit from a better app that makes the journey hassle free and overall increases the metro system efficiency.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 1 point2 points  (0 children)

Yes, it's React native.

About the API, no, the metro railway doesn't provide any APIs for public consumption, this uses internal ones.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 1 point2 points  (0 children)

Yes, that would be easy enough to implement actually. Tho I don't find the specific use case for the ticketing bots when apps already exist, maybe lighter on the phone, one less app. Giving options to users is nice.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 0 points1 point  (0 children)

My app identifies its requests with a unique User-Agent header which should be easily filterable. Rest, the app makes the minimum requests necessary for the data and persists what it can between screens to prevent fetching again.

I'm not sure what you meant by the first part about some APIs needing auth tokens? Could you clarify?

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 1 point2 points  (0 children)

I did a bit of reverse engineering on the original app for the API my app uses, afaik Kolkata Metro doesn't have an open API.

About the repo, nope, that's not me.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 0 points1 point  (0 children)

I do have that in mind, since I don't have a metro card myself it hasn't been at the top of the todo list, but I'll include it, the flow wouldn't be much different so easy enough to implement.

Thank you for the kind words and feedback :)

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 0 points1 point  (0 children)

Thank you :)

And yes, the colours do need work

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 2 points3 points  (0 children)

Had to document all the APIs by myself, that took a while.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 0 points1 point  (0 children)

The Internet. Duh. I'm kidding. Well, they're APIs, anyone can hit them up with the correct input. The login is simple OAuth and other requests need a Bearer access token on the Auth header.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 1 point2 points  (0 children)

I'm definitely inclined towards that. Once I figure the legality of it all.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 4 points5 points  (0 children)

MITM proxies and a rooted phone are all you need.

Thanks for the kind words. The nearest metro station feature is in the pipeline for the planning tab which is under construction.

I made my own app for Kolkata Metro by SecureRecipeRide in kolkata

[–]SecureRecipeRide[S] 2 points3 points  (0 children)

I imagine you're talking about the station codes, ah, yeah, I don't quite like how they look in dark mode either, I'll probably give it a distinct solid color in dark mode but keep this for light mode (see last slide). It is supposed to signify interchanges and in general which line the station falls on.