From Threads DM to Live on Air

How a viral NeatPass post turned into 45 minutes on Germany's 'Ich glaube, es h@ckt' IT security podcast

9 min read · 15.02.2026 · Justin Lanfermann

On a Sunday evening in early December, I got a Threads notification I almost scrolled past. Someone named Tobias Schrödel had seen my post about NeatPass and wanted to talk. I didn't recognize the name, so I Googled it. Bestselling author. Regular on German television explaining cybersecurity to general audiences. Co-host of one of Germany's longest-running IT security podcasts. That evening, an email arrived asking to beta-test NeatPass. I replied in 25 minutes with a TestFlight link and offered to come on the show. Three days later, I was recording a 45-minute episode. Four days after that, it was live. Eight days from "is this email real?" to hearing my own voice in a podcast feed.

25,000 Views and One Email

The “Ich glaube, es h@ckt” podcast cover - Episode 97: “Technisch, pragmatisch und ausnahmsweise: jung”

It started with a post. I'd been building NeatPass for about a month, had something that worked, and figured I should tell people about it. I'd never posted anything on Threads before. My reasoning was simple: before I go to X, let me just try Threads first. So I wrote a short post about what NeatPass does, hit publish, and moved on.

Two days later, the post had 25,000 views. Comments were pouring in. People were asking for the TestFlight link, sharing it with friends, tagging others. My first ever Threads post, and it outperformed anything I'd put on any platform before. It turns out a lot of people share the frustration NeatPass addresses: getting any ticket or pass into Apple Wallet without uploading it to a sketchy server.

The origin story is embarrassingly simple. I wanted to go to a party. Bought a ticket. Got a PDF. Wanted it in Apple Wallet. Found a few apps that claimed to do this, but every single one required uploading my ticket to some remote server, usually surrounded by ten ads and a suspiciously small upload button. I used one anyway, but the experience left me thinking: I'm literally learning this right now. I can do better.

One post, the right person sees it, and suddenly you're getting an email from a bestselling author asking about your app. The internet working as intended, for once.

Forty-Five Minutes, No Fangfragen

The podcast invitation came on December 11th. Tobias laid it out: 45 minutes total, roughly half about NeatPass, the rest on general IT topics. Their audience ranges from Cisco sales reps to tech-enthusiastic civilians. No deep-dive into source code, just explaining things in accessible terms.

The email said “Es wird keine Fangfragen geben” (there won't be any trick questions) and “you won't need to prepare.” I prepared anyway. Wouldn't you?

Recording day was December 12th, one day after the invitation. Just the two hosts and me, connected through a browser-based recording studio. Being 20 and sitting across from two veteran IT security professionals felt exactly as surreal as it sounds. The episode title says it all: “Technisch, pragmatisch und ausnahmsweise: jung”.

Technical, pragmatic, and for once: young.

Technisch, pragmatisch und ausnahmsweise: jung

There was also a running joke throughout the recording. The hosts had a December bet going: every time someone says “tatsächlich” (the German word for “actually”), that's five euros into a charity pot. Tobias apparently couldn't stop saying it. By the time they sat down to edit, he'd already used it as his seventh word. I was told upfront that if I slipped up, Tobias would cover my tab.

“I Don't Give a Sh*t About Your Data”

This line from a Threads post became the natural pivot point in the conversation. When you upload a concert ticket to some random website with ten ads plastered around a tiny upload button, where does that data actually go? Your name. Your address. Your billing details. The QR code that gets you through the door.

The hosts got it immediately. Rüdiger pointed out something I hadn't even considered: Taylor Swift tickets sell for hundreds of euros on the secondary market. If a scam site gets people to willingly upload those QR codes? Easy money. Not just the personal data, the ticket itself becomes valuable.

This is where I got to explain zero-knowledge PKPass signing, the core privacy feature of NeatPass. A PKPass file is just a ZIP archive containing JSON, images, and a manifest. The manifest lists every file in the archive alongside its SHA hash. Here's the key insight: you only need to sign the manifest, not the entire pass. The manifest contains nothing but cryptographic fingerprints.

The server sees a list of hashes, signs them with an Apple developer certificate, and throws the pass data away. Basic server logs (IP addresses, request metadata) are kept for 30 days for security, but nothing about your pass content is ever stored. There's no way to reconstruct what was in the pass. Apple's own documentation describes this approach. So why don't other apps do it?

Maybe they want the data. Maybe they don't know it's possible.

Man kann nur vermuten. Vielleicht wollen sie die Daten haben? Vielleicht wissen sie nicht, dass es anders geht?
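
The manifest-only signing flow described above, as an added Python sketch (not NeatPass's code): the client hashes the pass files, the server accepts nothing but a flat map of file names to SHA-1 digests, and the client assembles the final archive. HMAC-SHA256 stands in for the PKCS#7 detached signature made with the Apple certificate; the function names, sample pass and key are assumptions.

```python
import hashlib, hmac, io, json, re, zipfile

SHA1_HEX = re.compile(r"[0-9a-f]{40}")

# Constructed, minimal sample pass; the name and barcode message are made up.
SAMPLE_FILES = {
    "pass.json": json.dumps({
        "description": "Concert ticket for Erika Mustermann",
        "barcode": {"format": "PKBarcodeFormatQR", "message": "CONSTRUCTED-TICKET-0001"},
    }).encode(),
    "icon.png": b"\x89PNG constructed placeholder bytes",
}

def build_manifest(files):
    """Client side: map each file name to the SHA-1 hex digest of its bytes."""
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    return json.dumps(manifest, sort_keys=True).encode()

def validate_signing_request(body, max_entries=64):
    """Server side: reject anything that is not a flat {file name: SHA-1 hex} map."""
    manifest = json.loads(body)
    if not isinstance(manifest, dict) or not 0 < len(manifest) <= max_entries:
        raise ValueError("request body is not a manifest")
    for name, digest in manifest.items():
        if not isinstance(digest, str) or not SHA1_HEX.fullmatch(digest):
            raise ValueError(f"entry {name!r} is not a SHA-1 digest")
    return manifest

def sign_manifest(body, key):
    """Server side: sign the exact manifest bytes and keep nothing else."""
    validate_signing_request(body)
    # Stand-in only: a real pass needs a PKCS#7 detached signature over these bytes.
    return hmac.new(key, body, hashlib.sha256).digest()

def assemble_pkpass(files, manifest, signature):
    """Client side: zip the original files with the manifest and its signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in files.items():
            archive.writestr(name, data)
        archive.writestr("manifest.json", manifest)
        archive.writestr("signature", signature)
    return buf.getvalue()

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)
    print(manifest.decode())  # this is everything the signing server receives
    pkpass = assemble_pkpass(SAMPLE_FILES, manifest, sign_manifest(manifest, b"demo-key"))
    print(len(pkpass), "bytes in the assembled archive")
```

The validator is the server-side half of the privacy promise: a client that sends `pass.json` itself instead of the manifest gets an error rather than a signature.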

Why Not Just Use Apple Intelligence?

This was Rüdiger's first question, and it's the one everyone asks. NeatPass uses Qwen (from Alibaba), running locally on your phone via Apple's MLX framework. Not Apple Intelligence. Not a cloud API. A dedicated model that ships with the app.

Two honest reasons for this choice. First, Apple Intelligence's performance wasn't good enough for this specific task. Second, and this one got a laugh from the hosts, my own iPhone doesn't support Apple Intelligence. I wanted to use the app myself. So I found a way around it.

The trade-off is a roughly 1GB download when you first open the app. That model IS the heart of NeatPass. Tobias raised a valid concern: if every app starts shipping its own model, phones get cluttered fast. He's right. But right now, on-device is the only way to keep the promise of never touching user data. Hopefully Apple Intelligence improves enough to make bundled models unnecessary in the future.

The hosts asked about ongoing learning. Does the model get better as you use it? Unfortunately, no. Training a model requires far more compute than running inference, and doing that on a phone isn't practical yet. On-device models are inherently limited.

For what it manages on such a small phone, it's already impressive.

Für das, was es hinkriegt, auf so einem kleinen Handy, ist das erst mal schon mal krass.

Fanta 4 at the Kleine Olympiahalle

Every AI model hallucinates. The question is whether the hallucinations are dangerous or just funny. During beta testing, we collected some entertaining examples, and the podcast was the perfect place to share them.

Tobias had scanned a Fantastische Vier concert ticket. NeatPass extracted the venue as “Kleine Olympiahalle.” The actual venue is the Olympiahalle, a major arena in Munich. The Kleine Olympiahalle is a much smaller venue next door, and the word “Kleine” appears absolutely nowhere on the ticket. The model just... decided it should be there.

Then there was the concert ticket from Macedonia that NeatPass confidently turned into a Coldplay concert in London. Rüdiger's response was immediate:

That's actually an upgrade. From Fanta 4 to Coldplay.

Was ist eigentlich ein geiles Feature, wenn du so eine Karte für ein Fanta 4 Konzert einscannst und dann auf einmal eine Karte für Coldplay London hast, ja? Das ist ja schon ein Upgrade.

The important thing: these hallucinations are cosmetic, not functional. NeatPass extracts the barcode or QR code separately using computer vision, not the language model. The code that actually gets you through the door is always correct. If the model hallucinates “London” instead of “Skopje,” your ticket still works. You just get a funnier Wallet card. And if something does look off, NeatPass has a rich editing mode where you can tweak every field manually.

The conversation then pivoted to LLM limitations more broadly. The hosts had been trying to count how many times they said “tatsächlich” in their own transcript, using AI. ChatGPT said 15. When asked “are you sure?” it corrected to 30, which was right. Claude said 28. Also corrected after prompting. Two different models, two wrong first answers, both fixable with a nudge.

My take, which I shared on the podcast: it's not about how smart the model is. They're all reasonably smart. It's about what tools you give them. Code execution, for instance, would solve counting instantly. The model doesn't need to count tokens in its head if you let it write a Python script that does the counting. The tooling around the model matters more than the model itself.

“Blipp”

Tobias, being Tobias, decided the ultimate test wasn't scanning tickets in the app. It was showing a NeatPass-generated Wallet pass to a real conductor on a real train.

He had a Deutsche Bahn ticket, a PDF for a trip from Dresden to Munich. He ran it through NeatPass and got a Wallet pass that looked nothing like a normal DB ticket. Just “DB” in plain text at the top, route information, and a barcode. No fancy design, no official logo. The kind of thing a conductor has never seen in their life.

He held it up. The conductor scanned it.

Blipp. “Thanks, now just the BahnCard.”

Done. The conductor didn't blink. The barcode worked, and that was all that mattered. Rüdiger tested with MVV (Munich public transit) tickets too. Worked perfectly.

Beta feedback drove the roadmap. Users wanted customization: custom logos, cropping banner images, choosing between QR code or barcode display. Those all shipped. The other big ask was multi-ticket PDF support: one PDF with four separate tickets inside. NeatPass now handles all of them.

The business model came up too. $4.99, one-time purchase. No subscription. You get a few free passes to test whether you like it. After that, a single payment covers everything.

You get all updates until Apple doesn't exist anymore or I don't exist anymore.

Dann kriegst du alle Updates, bis Apple nicht mehr existiert oder ich nicht mehr existiere. Und gut ist.

What Talking About Your Work Teaches You

Speaking about NeatPass for 45 minutes forced a kind of clarity I hadn't expected. When you're building something alone, a lot of your decisions are gut feelings. You know why you chose a certain approach, but you've never had to articulate it out loud, in real time, to people who will push back. The podcast made me defend choices that I'd previously just... made.

The sherlocking question came up, of course. What if Apple just builds this into iOS? Honest answer: it's always a risk. But Apple also lives partly from the App Store ecosystem. Every paid app generates revenue for them too. If people are willing to pay $4.99 for this and Apple takes their 30%, that's not nothing. It might actually be in Apple's interest to let the market solve it.

The episode title, “Technisch, pragmatisch und ausnahmsweise: jung,” kept coming back to me afterward. Being 20 in a room of IT security veterans wasn't intimidating. It was welcoming. Rüdiger and Tobias treated the conversation like a real exchange, not a novelty act. They challenged technical claims, asked for specifics, and genuinely wanted to understand the decisions behind NeatPass.

The timeline still feels absurd. Sunday, December 8th: first email. Sunday evening: reply with TestFlight link. Wednesday, December 11th: podcast invitation. Thursday, December 12th: recording. Monday, December 16th: episode goes live. Eight days from cold email to published episode. Indie development momentum is real.

Rüdiger invited me back in six months “to share your experience as an app millionaire.” They were joking. Probably. Tobias compared NeatPass to Flappy Bird, which became a million-dollar app overnight. I'll take the optimism, even if it comes with a heavy dose of German humor.

You can listen to the full episode (in German) at igeh.podigee.io.