Passbook and NFC

Passbook is a new "app" from Apple, which comes with iOS6. Having just listened to the latest In Beta, and various other bits around the web, there appears to be a lot of confusion about what it is, and how it works.

I've had a bit of a play with Passbook and PassKit (the APIs behind it), and a cursory glance at Google Wallet, and here are my thoughts and (hopefully) some clarification on what it is, and what it isn't.

Background

First up, we are talking about two distinct things here.

NFC - Near Field Communications

Google Wallet is NFC based. This means there is a small radio in your phone, which is activated when it comes in contact with a reader (which provides the power via induction, the same way an electric toothbrush recharges). Once activated, the chip communicates with the reader.

Depending on the chip, it may just allow itself to be read, or it may allow something to be written to it. This would be encrypted with the source's keys, so it can verify that what's on the card wasn't put there by someone else.

It may even run a small application to verify the reader. Each card has more than one slot, so you can store a travel card and a balance on the same card. There are lots of options, depending on the requirements.

Other examples of this are the "prox-cards" that a lot of businesses use to let people into doors, which are usually read-only at the door, or the travel cards in places like London (the Oyster card), which are read-write at the barrier gate. "Tap to pay" credit cards use the same system (read only).

In this system, the card is somewhat intelligent, and getting something useful onto the card (eg, my Oyster info, or my Debit Card details) requires things to be signed before they are written, so that I can't just "borrow" someone's card and load it onto a blank card or my phone, or add more credit to my Oyster card. Often, there is code running on the card - usually some flavour of Java - so what they can do is quite advanced.

Having one of these on your phone means that you have a chip - similar to what is in your NFC-enabled debit card - which can be read like normal, and the phone also has a writer which can be accessed via the phone's OS. Usually, these are independent - if your phone is out of battery, it may still be possible to read the chip, as enough power is being provided to the chip from the card reader. But usually, you'll pick a default card (which is always written to the chip), and maybe select another card for one-off use. This is written to the card, read by the reader, then the default is put back on.

Bottom line: the card is the source of truth, or a verified copy of the truth in the case of a credit card. It holds my travel card (and balance), a credit card number, or a cryptographic key or program which lets me do something. It can't (easily) be cloned without the private keys.

Note that if you ignore the cryptography part, writing to an NFC chip is easy. But if it's going to be useful, the data you write has to be signed by someone, and that someone has to be willing to do it.

(for the pedantic, I suspect the technology in a building access card is not true NFC, but the concept holds)

Barcodes

Passbook - and the million other things with a barcode on them - works in a totally different way. The barcode has a unique number which means something to whoever is reading it, but it is not globally unique. It's passive, meaning it doesn't have any intelligence or smarts, and no power is involved.

This can include:

  • Normal barcodes, which are on everything. They can usually store 13-15 digits, and can be read with a single laser
  • 2D barcodes, like QR codes, PDF417, Aztec and various others. These are the same idea as a normal barcode, but can hold a lot more information - 1024 bytes or more. They require an optical reader, which takes a photo of the barcode and works out the data from there.
  • Magnetic strips, like the back of every credit card. This has more info than a barcode, but not a lot - maybe 64 characters, over two tracks.

Normal barcodes are trivial to copy - just use a photocopier. 2D barcodes are a little harder, but only because they are more detailed. Magstripes need a special writer, but these are easy to get.

The important part is: There is no logic on the card. An active reader (ANY active reader) reads the card, and it's the reader's job to do something with it. This might be taking the number and looking you up in a customer database when you are at the gym, or passing your credit card number and name to a credit card processor.

This is where Passbook comes in.

So, what IS Passbook (and what isn't it)?

Passbook (the App / technology) and PassKit (the API) only work with barcodes, specifically 2D barcodes. The user acquires a Pass somehow (more on that in a moment), and they present it to the vendor who does something with it.

That's it. But it's what Passbook does on the phone that's interesting.

You can get passes a number of ways - and I think this is what's confusing people:

  • You can download one of the apps, and the app, using PassKit, can build and load a pass into your phone. The Airbnb, Eventbrite, Starbucks and American Airlines apps are prime examples of this. This is useful for airlines, as they can generate (securely) a boarding pass, and load that in, based on your authenticated flight details.
  • You can download one using Safari or from an email attachment. It's just a zip file, with specific content. Sites like Passk.it enable that, and there is .NET code to generate them.
  • Most likely there are other ways. Eventbrite even have a reader app for this. Full circle!

Inside the Pass - it's just a zip file - is various information, including:

  • URLs to connect back to the source service to request updates or a new pass, and where to register a pass and the push notification keys.
  • Branding information.
  • One or more geo-locations, which is useful for the "you are near Bikram Yoga Chiswick" pop up thing, so you don't have to find your pass. It can also pop up based on date.
  • It's all cryptographically signed, so without the right keys (which the creator has) it will not work. I can't make a pass for Starbucks with someone else's details, even if I know their card number. It has to be signed by Starbucks.
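
The integrity side of that signing can be checked with nothing but a zip reader. The sketch below is an added example, not code from this post or from Apple: it assumes the published pass package layout (`pass.json`, a `manifest.json` of SHA-1 digests, and a `signature` file, names this post does not list) and uses a constructed sample pass with a placeholder signature. It checks only that files match the manifest; verifying the PKCS #7 signature over `manifest.json` is a separate step not shown here.

```python
import hashlib
import io
import json
import zipfile

def build_sample_pass(files):
    """Build a constructed pass-style zip in memory with a matching manifest.json."""
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("signature", b"PLACEHOLDER-NOT-A-REAL-PKCS7-SIGNATURE")
    return buf.getvalue()

def check_manifest(pass_bytes):
    """Return a list of problems; an empty list means every file matches the manifest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(pass_bytes)) as zf:
        names = set(zf.namelist())
        for required in ("pass.json", "manifest.json", "signature"):
            if required not in names:
                problems.append(f"missing {required}")
        if "manifest.json" not in names:
            return problems
        manifest = json.loads(zf.read("manifest.json"))
        for name in sorted(names - set(manifest) - {"manifest.json", "signature"}):
            problems.append(f"unlisted file {name}")
        for name, expected in sorted(manifest.items()):
            if name not in names:
                problems.append(f"listed but absent {name}")
            elif hashlib.sha1(zf.read(name)).hexdigest() != expected:
                problems.append(f"hash mismatch {name}")
    return problems

def tamper(pass_bytes, name, new_data):
    """Rewrite one file without updating manifest.json, to show the check failing."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pass_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.namelist():
            dst.writestr(item, new_data if item == name else src.read(item))
    return out.getvalue()

# Constructed sample content; not a real pass from any issuer.
SAMPLE = build_sample_pass({
    "pass.json": json.dumps({"description": "Constructed coffee card"}).encode(),
    "icon.png": b"\x89PNG constructed bytes",
})
```

An edited `pass.json` shows up as a hash mismatch; rewriting the manifest to match would in turn invalidate the issuer's signature over it, which is why both checks matter.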

Apple has a whole site up on the developer portal for this. There is code on GitHub, too, in various languages, and Xamarin have docs on how to do a lot of this in MonoTouch. There is a bit of fun around signing the passes, but there are lots of examples, and otherwise, it's quite easy.

Once a pass is scanned, and the receiver (Starbucks, your gym) processes your details, they can use the normal Apple Push Notifications to tell your pass to update itself. This might send down a new pass, or it might just update some info (eg how many visits you have left). It's up to the pass and the source server.

You can create various types of pass, but really, they all have the same content - branding, a barcode - the difference is in the expected use:

  • Store cards. May have stored value (on the server, not in Passbook), or might just be to identify you.
  • Boarding passes and tickets. The person letting you in must scan and validate it.
  • Vouchers (the barcode would have to be verified, or it expires after a given date, but can be used up until then)

So, Passbook is a sort of hybrid of some of the intelligence of NFC - auto updating for example - with the easy-to-integrate dumbness of a simple barcode. It's not, in ANY WAY, designed to replace your credit card or travel card. It's designed for the situation where the receiver validates the information, not where the card is the "one true source" of information.
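
What "the receiver validates the information" can look like for a one-use voucher, as an added example that is not part of the original post and not how Passbook itself works: the barcode message format (`id|expiry|tag`), the HMAC tag, the secret and the `Receiver` class are all assumptions made for illustration. Because the barcode is trivially copyable, the tag, the expiry check and the redeemed list all live on the receiver's side.

```python
import hashlib
import hmac

# Hypothetical issuer secret, known only to the receiver's back end (constructed value).
SECRET = b"constructed-demo-key"

def _tag(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue(voucher_id, expires):
    """Build the barcode message: id|expiry|tag, with tag = HMAC-SHA256 over id|expiry."""
    body = f"{voucher_id}|{expires}"
    return f"{body}|{_tag(body)}"

class Receiver:
    """Scanner back end: every trust decision is made here, none on the pass."""

    def __init__(self):
        self.redeemed = set()

    def scan(self, message, today):
        parts = message.split("|")
        if len(parts) != 3:
            return "rejected: malformed"
        voucher_id, expires, tag = parts
        expected = _tag(f"{voucher_id}|{expires}")
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "rejected: bad tag"
        if today > expires:  # ISO dates (YYYY-MM-DD) compare correctly as strings
            return "rejected: expired"
        if voucher_id in self.redeemed:
            return "rejected: already used"  # a photocopied barcode lands here
        self.redeemed.add(voucher_id)
        return "accepted"
```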

Here are some uses, around London, that I think Passbook would work great for:

  • A loyalty card for a cafe. They could use an iPhone to scan the pass, and push to a shared cloud server, which pushes out the number of coffees you have had. Hooking it up to a system like Vend would be great, as it could interact with the POS.
  • Replace my gym card; My work ID card (which has no intelligence); A video store card (they still exist?); My Bikram Yoga Chiswick card (which is just a barcode). Basically, anything with a barcode. Only downside is that most places that use these have the old single-laser scanners, which do NOT work on a smartphone screen.
  • Tickets to get into things: movies; museums; concerts; airplanes.
  • Discount coupons (one use or time based): £5 off when you spend £15 at a restaurant.

It has lots of uses, and I'm sure that smart people will come up with more, but it requires a bit of back-end integration. NFC is usually already integrated into things which require a good amount of security, and that also makes NFC difficult, as the provider - Visa, a bank, Transport for London - needs to get onboard to allow their card info to be loaded onto a phone's chip.

To be honest, I'm not sure NFC is going to take off any time soon. It's overly complex and requires forward thinking from parties - mostly banks - who are usually technologically backward and conservative to the point of paranoia.

Passbook might take off, especially if someone comes up with a nice backend for small businesses to easily do loyalty stuff (yes, I've been planning on doing this, feel free to steal the idea tho), and slightly larger businesses to just replace old barcode scanners with more expensive 2D scanners, and then leverage their existing systems.

Is it all a huge game changer? No, I don't think it is. But like the AppleTV, it is interesting and fun to play with.