Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions

• Main Authors: Heider A. M. Wahsheh, Flaminia L. Luccio
• Format: Article
• Language: English
• Published: MDPI AG 2020-04-01
• Series: Information
• Subjects: QR codes; barcode scanners; Android security; QR code security; QR code privacy
• Online Access: https://www.mdpi.com/2078-2489/11/4/217

The widespread use of smartphones is boosting the market take-up of dedicated applications and among them, barcode scanning applications. Several barcodes scanners are available but show security and privacy weaknesses. In this paper, we provide a comprehensive security and privacy analysis of 100 barcode scanner applications. According to our analysis, there are some apps that provide security services including checking URLs and adopting cryptographic solutions, and other apps that guarantee user privacy by supporting least privilege permission lists. However, there are also apps that deceive the users by providing security and privacy protections that are weaker than what is claimed. We analyzed 100 barcode scanner applications and we categorized them based on the real security features they provide, or on their popularity. From the analysis, we extracted a set of recommendations that developers should follow in order to build usable, secure and privacy-friendly barcode scanning applications. Based on them, we also implemented BarSec Droid, a proof of concept Android application for barcode scanning. We then conducted a user experience test on our app and we compared it with DroidLa, the most popular/secure QR code reader app. The results show that our app has nice features, such as ease of use, provides security trust, is effective and efficient.