
Secure QR Code System

Raed M. Bani-Hani, Yarub A. Wahsheh, Mohammad B. Al-Sarhan

Dept. of Network Engineering and Security, Jordan University of Science and Technology, Irbid, Jordan

rbanihani@just.edu.jo, y_wahsha@yahoo.com, mhmd.sarhan92@gmail.com

Abstract — Quick Response (QR) codes are two-dimensional barcodes that can be used to efficiently store small amounts of data. They are increasingly used in all fields of life, especially with the wide spread of smart phones, which are used as QR code scanners. While QR codes have many advantages that make them very popular, there are several security issues and risks associated with them. Running malicious code, stealing users' sensitive information, violating their privacy and identity theft are some typical security risks that a user might be subject to in the background while he/she is just reading the QR code in the foreground. In this paper, a security system for QR codes that addresses the security concerns of both users and generators is implemented. The system is backward compatible with the current standard used for encoding QR codes. The system is implemented and tested using an Android-based smartphone application. It was found that the system introduces a little overhead in terms of the delay required for integrity verification and content validation.

Keywords—QR Code; Smart Phones Security; Security algorithms, privacy, generator authentication, content validation, data integrity, threat isolation

I. INTRODUCTION

A QR code is an image of a matrix barcode that stores data in two dimensions. Data is presented as square dots with a specific pattern in both horizontal and vertical dimensions. Specific imaging devices (QR scanners) can read this image and retrieve the stored data based on the pattern of square dots. The QR code was invented in 1994 by Denso Wave for tracking vehicles during manufacture [1]. There are several standards for data encoding in QR codes; the latest standard is ISO/IEC 18004:2006 Information technology -- Automatic identification and data capture techniques -- QR Code 2005 bar code symbology specification [2]. Smart phone devices can be used as QR code scanners. The embedded camera in the smart phone captures an image of the QR code, then an application analyzes the pattern of square dots to retrieve the encoded data and display it in a useful form.

QR codes can be used in item identification, object tracking, general marketing and advertisements. One common use of QR codes is web address encoding, where a Uniform Resource Locator (URL) is encoded in the QR code to provide more information about products. This is important to overcome the limited size of data encoded in a QR code. Web pages can contain any needed information, and reader applications can open the smart phone web browser and go to the specified web address. Contact information such as phone numbers, contact names and emails can also be stored in QR code labels.

There are many specific applications that use QR codes. The authors in [6] provide a novel educational system for the holy Quran using QR codes. Another is a one-time password authentication protocol using QR codes, which is presented in [7]. Furthermore, object identification for blind and visually impaired people is proposed in [8]. Finally, a novel security system for fish tracking using QR codes and asymmetric key cryptography is demonstrated in [8].

Although QR codes have many advantages, there are several security risks associated with them. Intruders can use QR codes to launch several attacks targeting QR scanning devices (smart phones) and violating users' privacy. Attackers can reach sensitive information such as login passwords of emails and social networks, contact information, photos, videos and banking accounts. Attackers may take full control of mobile devices: they can enable the microphone, camera and GPS, and even use smart phone devices in future attacks as part of botnet or DDOS attacks [1, 4]. Examples of possible attacks that can be launched using QR codes include phishing attacks, in which users are redirected to fake web sites; fraud attacks, in which attackers can create fake posters and advertise unreal commodities or special offers; malware propagation; command injection; and SQL injection attacks [4, 9, 10]. Other possible attack scenarios can be performed using malicious QR codes. There is an increasingly important need for security and protection techniques to overcome these security threats.

The main problem of QR codes is that they are not human readable; they can only be read using specific machines (scanning devices). In September 2011 the first malicious usage of QR codes was detected by Kaspersky Lab. The attack was performed using a malicious link that was encoded in a QR code so that users were directed to a web page with a malicious file downloaded without their knowledge [3].

Since QR codes can be used by intruders to violate users' privacy and launch several attacks targeting smart phone devices, there is an urgent need for common security rules and algorithms that prevent such attacks, maximize smart phone security, and preserve users' privacy.

978-1-4799-7212-8/14/$31.00 ©2014 IEEE 1


The rest of this paper is organized as follows: Section two presents a brief overview of the related work. Section three explores our proposed QR code structure. Section four presents the proposed security algorithms, and section five explains implementation and evaluation of the proposed system. Finally, section six presents the conclusion and future work.

II. RELATED WORK

This section presents an overview of related papers and applications associated with QR code security.

QR code applications and security issues are discussed in Narayanan's paper [3]. The paper discusses the usage of QR codes and how they can be used in a malicious way, and gives general guidelines for users to avoid being attacked using QR codes. Kieseberg's paper [4] explores QR code security threats and how QR codes can be used to attack humans and automated processes. The paper presents an analysis of several attack scenarios and consequences. It also presents several scenarios of attacking QR code modules, data and error correction in the QR code image.

Different attacking schemes were discussed and implemented in [11] to investigate how QR codes can be used in a malicious way. One scheme was used to attack the QR code modules, aiming to retrieve an altered URL. The implementation shows that this attack is not feasible. Other schemes attack the binary representation of the encoded string. Furthermore, an online survey to identify users' awareness of QR code security risks was conducted. Survey results showed that people have a low level of awareness of the dangerous security threats associated with QR codes [11].

In [12], the authors investigate the perceived QR code security risk and how to mitigate it. An online survey was developed to test users' awareness of QR code security risks and to determine how users will respond to warnings of malicious QR codes. Survey results showed that users who have more experience in computers and technology were more likely to ignore warning messages, and that the majority of users have a low level of awareness of QR code risks.

Norton Snap QR code reader [13] is an Android security application developed by Symantec Norton. It is a QR code scanner application that aims to protect users from QR code online threats. The application checks the safety of URLs that are encoded in QR codes, then it gives recommendations to users on whether the website is safe or not. If the website is not safe, the application will block access to it.

QR & Barcode reader [14] is another application that aims to read barcodes in a secure way. It does not require any personal information details. The reader has no permissions to reach personal information such as contact information and history bookmarks.

Data Matrix Security Suite [15] is a commercial Software Development Kit (SDK) that is used to encode/decode information in Data Matrix barcodes in a secure way. It aims to prevent counterfeiting of or tampering with Data Matrix barcodes. Security services include digital signatures for symbol authentication and Data Matrix encryption. User and product IDs are also used in this method. However, this method is specific to Data Matrix barcodes and it does not support QR codes. TABLE I shows a comparison of different QR-code related security applications and software.

III. QR CODE DATA AND SYSTEM STRUCTURE

This section explains the proposed structure to encode data in QR codes. In order to manage the encoded data and the processing operations, we need to define a specific data encoding structure. Additional control information will be added to the real encoded data, according to specific rules. TABLE II shows the proposed data encoding types for QR codes. Note that it is not mandatory to have all these types in the same QR code.

This structure is compatible with the current standard that QR codes are encoded with. In addition, it adds control information to help satisfy the security requirements for QR codes.

By analyzing QR code security threats and possible attacks, we can determine that the QR code security system must contain countermeasures to authenticate generators, guarantee data integrity, verify URLs, and isolate malicious contents.

TABLE I. COMPARISON OF DIFFERENT QR-CODE RELATED SECURITY APPLICATIONS.

| Features | Norton Snap QR code reader | QR & Barcode reader (Secure) | Data Matrix Security Suite |
|---|---|---|---|
| Code Type | QR Code | QR Code, One Dimensional Barcode | Data Matrix Barcode |
| Online Contents verification | Yes | No | No |
| Isolate Malicious Contents | No | Yes | No |
| Generator Authentication | No | No | Yes |
| Integrity Guarantee | No | No | Yes |

TABLE II. PROPOSED ENCODING DATA TYPES FOR QR CODE.

| Type | Description | Keyword |
|---|---|---|
| Generator ID | Unique value that identifies the generator of this QR code. | ID: |
| Offline Contents | Offline data, where the needed information is stored directly in the QR code. | OFFD: |
| Online Contents | Online data, where the stored information in the QR code is a web address or reference to online resources. | URL: |
| Digital Signature | Very important type for integrity and generator authentication. Contains a hash code of the QR code contents, signed with the generator's private key. | SIGN: |
| Certificate | Generator's public key signed with the trusted third party private key. | CERT: |



To apply these countermeasures, our system can be represented by three main blocks:

1. QR code generator application: application that is responsible for encoding data in a QR code using the proposed structure.

2. QR code reader application: smart phone application that is responsible for scanning the QR code image and retrieving the stored data, whether encoded in the standard structure or in our proposed structure.

3. Public Key Infrastructure (PKI) or Trusted Third Party (TTP) server: this server is responsible for creating, managing, storing and distributing keys.

We have two assumptions:

1. The TTP public key is hard-coded in the QR reader application (in the smart phone).
2. The generator's private key is delivered to the generator application through a secure channel (can be hard-coded in the generator application).

The following notation is used:

• DS: digital signature, created using DSA asymmetric key cryptography and the SHA-1 hashing algorithm.
• GPU: QR code generator public key.
• GPR: QR code generator private key.
• TTP: Trusted Third Party.

The TTP organization will create a public/private key pair for each registered QR code generator. The generator's private key can be hard coded in the QR code generator application. The TTP server is also responsible for distributing generators' public keys. There are two ways to get a generator's public key:

1. Get the public key from the CERT field, which is encoded in the QR code by the generator. The CERT field will contain the following fields: generator ID, generator public key and DS from TTP. All fields are hashed using the SHA-1 hash function and signed using the DSA algorithm with the TTP private key to ensure authenticity and integrity of the data.

2. Request any generator's public key from the TTP server. When any client (in this case the client is a QR code reader) asks for a specific generator public key, the TTP server will answer with a message that contains the following fields: generator ID, generator public key and TTP server time stamp. All these fields are hashed using the SHA-1 hash function and signed using the DSA algorithm with the TTP private key (note that the TTP public key is hard coded in each QR code reader device). These fields are important to authenticate the TTP to clients and to prevent fabrication and replay attacks.

The QR generator application will encode both offline and online contents in a QR code label. For each generated QR code, the generator application will compute a hash value for all encoded data and sign it with the generator's private key.

The QR code reader application is a smart phone application that reads QR code contents, verifies the QR code generator signature, verifies online contents and applies the QR code contents isolation algorithm. It is also responsible for communicating with the TTP server. This communication is important to retrieve QR code generators' public keys. Fig. 1 shows the block diagram of the proposed security system.

Fig. 1. The block diagram of the proposed security system.

IV. QR CODE SECURITY ALGORITHMS

In this section we present the proposed security algorithms for QR codes. The proposed solution should build a specific authentication system for QR code generators, guarantee data integrity, verify online contents and isolate malicious QR code contents.

A. QR Code Generator Authentication and Data Integrity

In this part we propose a method to authenticate the QR code generator and guarantee data integrity. This part is essential to prevent fraud, command and SQL injection attacks. The proposed method uses Digital Signature Algorithm (DSA) asymmetric key cryptography with the SHA-1 hash function to achieve the needed goals.

The proposed algorithm is shown in Fig. 2, and works as follows:

1. The QR Reader application searches the QR code contents for the QR code generator's ID (through the ID keyword).
   a. If there is a generator ID go to step 2.
   b. Else go to step 9.

2. The QR Reader application searches the QR code contents for the QR code certificate (through the CERT keyword).
   a. If there is a certificate, go to step 6.
   b. Else go to step 3.



Fig. 2. Generator Authentication and integrity guarantees operations.

3. The reader application sends a request to the TTP asking for the generator's public key. The request contains the generator's ID and it is sent as clear text.

4. If the generator ID is registered in the TTP server, a message is sent to the client (reader application) with the following fields:
   a. Generator ID (ID).
   b. Generator public key (GPU).
   c. Current time stamp.
   d. Digital signature (DS): all message contents are hashed using SHA-1 and signed with the TTP private key using the DSA algorithm.

5. If the generator ID is not registered in the TTP server, a message is sent to the client (reader application) with the following fields:
   a. Generator ID.
   b. "ID IS NOT VALID" message.
   c. Current time stamp.
   d. Digital signature: all message contents are hashed using SHA-1 and signed with the TTP private key using the DSA algorithm.

6. The application verifies the digital signature of the certificate (or of the received message from the TTP) using the TTP public key, and the freshness of the received message using the time stamp value (to prevent replay attacks).

7. If the received message is verified, then the generator's public key is used to verify the QR code digital signature using DSA.
   a. Else go to step 9.

8. If the QR code digital signature is verified then:
   a. The generator is authenticated and data integrity is guaranteed. Generate a safe QR code message.
   b. Else go to step 9.

9. Generate a warning message of malicious QR code because the generator is not authenticated and integrity is not guaranteed. The user is notified of a possible threat, but finally he has the choice whether to use the QR code contents or not.

B. QR Code Online Contents verification

We need to check the safety of online contents (URL links); this operation includes testing the value of trust for the link, malicious link and spam checking, URL redirection and retrieving the full expanded URL links.

The full expanded URL links are important to avoid phishing attacks, where malicious websites may look identical to legitimate ones. We can differentiate between legitimate and malicious websites using URLs.

To check URLs, our proposed method uses a verification server. The algorithm steps are shown in Fig. 3:

1. The QR code scanner sends the QR contents (embodied URL) to the verification server and requests URL checking.

2. Verification server operations may include visiting these URLs and monitoring malicious JavaScript code. The verification server will have stronger antivirus, Intrusion Detection Systems, and firewall software than the ones found on mobile phones.

3. The verification server sends a response back to the scanner, with a recommendation on whether this URL is secure to visit or not, and with more information such as the full expanded URL links (note that it is common for QR codes to encode short forms of URLs).

For secure communication between the reader application and the verification server, Secure Hypertext Transfer Protocol (HTTPS) on top of the Secure Socket Layer (SSL) protocol is used. Thus, the verification process can be used as a secure web service.
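The reader-side checks of Section IV.A (steps 1, 2 and 6 to 9), written out in Go as an added example; this is not the authors' Android implementation. The line-based "KEY:value" layout, the "id|key|r,s" CERT encoding, the hex signature format, the shared DSA parameter set and the names Check and NewDemo are assumptions, and the keys and payload are constructed at run time.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"math/big"
	"strings"
)

// sign returns DSA over SHA-1(msg) as "r,s" in hex (assumed encoding, not from the paper).
func sign(priv *dsa.PrivateKey, msg string) string {
	h := sha1.Sum([]byte(msg))
	r, s, err := dsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return r.Text(16) + "," + s.Text(16)
}

func verify(pub *dsa.PublicKey, msg, sig string) bool {
	rs := strings.Split(sig, ",")
	if len(rs) != 2 {
		return false
	}
	r, okR := new(big.Int).SetString(rs[0], 16)
	s, okS := new(big.Int).SetString(rs[1], 16)
	h := sha1.Sum([]byte(msg))
	return okR && okS && dsa.Verify(pub, h[:], r, s)
}

// Check runs steps 1, 2 and 6-9 on "KEY:value" lines; CERT is "id|publicKeyHex|r,s"
// (assumed layout). The step 3 TTP lookup for a missing CERT is not modelled.
func Check(payload string, ttp *dsa.PublicKey) string {
	fields := map[string]string{}
	var signed []string // every line except SIGN, in encoded order
	for _, line := range strings.Split(payload, "\n") {
		if kv := strings.SplitN(line, ":", 2); len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
		if !strings.HasPrefix(line, "SIGN:") {
			signed = append(signed, line)
		}
	}
	cert := strings.Split(fields["CERT"], "|")
	if fields["ID"] == "" || len(cert) != 3 {
		return "WARNING: no generator ID or certificate"
	}
	// Step 6: CERT must be signed by the TTP and issued for this generator ID.
	y, ok := new(big.Int).SetString(cert[1], 16)
	if !ok || cert[0] != fields["ID"] || !verify(ttp, cert[0]+"|"+cert[1], cert[2]) {
		return "WARNING: certificate not valid"
	}
	// Steps 7-8: the certified generator key must verify SIGN over the contents.
	gpu := &dsa.PublicKey{Parameters: ttp.Parameters, Y: y}
	if !verify(gpu, strings.Join(signed, "\n"), fields["SIGN"]) {
		return "WARNING: contents do not match signature"
	}
	return "SAFE"
}

// NewDemo returns a constructed TTP public key and a constructed signed payload.
func NewDemo() (*dsa.PublicKey, string) {
	var ttp, gen dsa.PrivateKey
	err := dsa.GenerateParameters(&ttp.Parameters, rand.Reader, dsa.L1024N160)
	gen.Parameters = ttp.Parameters // one shared DSA parameter set (assumption)
	if err != nil || dsa.GenerateKey(&ttp, rand.Reader) != nil || dsa.GenerateKey(&gen, rand.Reader) != nil {
		panic("constructed key generation failed")
	}
	cert := "GEN-001|" + gen.Y.Text(16)
	body := "ID:GEN-001\nURL:https://example.test/offer\nCERT:" + cert + "|" + sign(&ttp, cert)
	return &ttp.PublicKey, body + "\nSIGN:" + sign(&gen, body)
}

func main() {
	ttp, qr := NewDemo()
	fmt.Println(Check(qr, ttp), "|", Check(strings.Replace(qr, "/offer", "/other", 1), ttp))
}
```

DSA with SHA-1 follows the paper; Go marks crypto/dsa as deprecated, and a current design would put a modern signature scheme and hash in the same positions.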



Fig. 3. Online content verification in server-based security algorithm.

C. QR Code Malicious Contents Isolation

QR code content might need to be isolated to prevent any executable code or commands from reaching smart phone resources. Many attacks violate privacy, try to reach personal information and gain control of smart phone devices to use them in future attacks (like botnets and DDOS) through attacking the reader application.

Our proposed algorithm depends on the sandbox and least privilege concepts to isolate QR code contents. Simply, the algorithm is: prevent any access (even from the QR code reader application itself) to the smart phone device resources. Although the algorithm is simple, it has important benefits. The algorithm is important to secure the QR code reader application because:

• There are several QR code reader implementations; attackers may use any implementation vulnerability to exploit the reader device.
• The reader application permissions can be used in a malicious way to launch several attacks like buffer overflow, command and SQL injection.

By performing all the proposed countermeasures, we will have three layers of security to prevent attacks associated with QR codes, namely: generator authentication and integrity, online content verification, and malicious content isolation.

V. IMPLEMENTATION AND EVALUATION

Three applications were built to implement the proposed security algorithms: the TTP server, the QR code generator and the QR code reader. These three applications are integrated in one system to achieve the needed security protection and overcome QR code security problems.

The QR code reader application was implemented as an Android mobile application. It is responsible for reading QR code contents, verifying the QR code generator signature, verifying online contents and applying the contents isolation algorithm. Our implementation uses the Norton Safe Web service [5] to verify URLs (via a secure channel using HTTPS). The reader application is also responsible for retrieving the full expanded URL; this is done using an HTTP connection in order to utilize the Location header field, which is returned in responses from an HTTP server. This field contains the server URL [16].

In order to measure the performance of the introduced security system, we have to determine the average time overhead that our security system causes. In general, two operations performed by the system might cause time overhead: verifying the signature and verifying online contents.

20 different QR codes, with both online and offline contents, were generated to measure the performance. For each of them, we calculated the time delay by recording two time stamps in milliseconds for each of the two operations. The first time stamp records the process start time and the second time stamp records the process end time. Time delay is calculated using Eqn 1, where TS is the measured time stamp:

$$\text{TimeDelay} = \text{EndTS} - \text{StartTS} \qquad (1)$$

For the 20 QR codes, the time delays for the signature verification and online contents verification processes were collected. Fig. 4 shows the total time delay (summation of both signature verification and online contents verification) for the 20 QR code labels. Based on the experiments, the average total time delay was 4639.5 milliseconds. Figure 5 shows the time delay for the online content verification process only (the average value was 4528.5 milliseconds). Figure 6 shows the time delay for the signature verification process (the average value was 112.35 milliseconds). Average time delay was feasible in general.

Fig. 4. Total time delay in the experiment. (Plot: delay in milliseconds against QR code number.)

Fig. 5. Online contents verification delay. (Plot: time delay in milliseconds against QR number.)
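Retrieving the full expanded URL from Location headers, as Section V describes for the reader application, shown in Go as an added example (not the authors' code). Expand and NewDemoServer are hypothetical names, the hop limit is an assumption, and the shortener is a constructed local server so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Expand follows Location headers hop by hop and returns every URL visited,
// ending with the full expanded URL. It follows at most maxHops redirects and
// rejects redirect loops and targets that are not http or https.
func Expand(start string, maxHops int) ([]string, error) {
	client := &http.Client{
		// Hand each 3xx response back to the caller instead of following it.
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	chain := []string{start}
	seen := map[string]bool{start: true}
	cur := start
	for hop := 0; hop <= maxHops; hop++ {
		resp, err := client.Head(cur) // HEAD: headers only, no page body is downloaded
		if err != nil {
			return chain, err
		}
		resp.Body.Close()
		loc := resp.Header.Get("Location")
		if resp.StatusCode < 300 || resp.StatusCode > 399 || loc == "" {
			return chain, nil // no further redirect: cur is the expanded URL
		}
		base, _ := url.Parse(cur)
		next, err := base.Parse(loc) // Location may be relative to the current URL
		if err != nil {
			return chain, err
		}
		if next.Scheme != "http" && next.Scheme != "https" {
			return chain, errors.New("redirect to non-HTTP scheme: " + next.Scheme)
		}
		cur = next.String()
		if seen[cur] {
			return chain, errors.New("redirect loop at " + cur)
		}
		seen[cur] = true
		chain = append(chain, cur)
	}
	return chain, errors.New("too many redirects")
}

// NewDemoServer is a constructed local stand-in for a URL shortener:
// /s1 -> /s2 -> /landing?id=7, and /loop redirects to itself.
func NewDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.Handle("/s1", http.RedirectHandler("/s2", http.StatusMovedPermanently))
	mux.Handle("/s2", http.RedirectHandler("/landing?id=7", http.StatusFound))
	mux.Handle("/loop", http.RedirectHandler("/loop", http.StatusFound))
	mux.HandleFunc("/landing", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	return httptest.NewServer(mux)
}

func main() {
	srv := NewDemoServer()
	defer srv.Close()
	chain, err := Expand(srv.URL+"/s1", 5)
	fmt.Println(chain, err)
}
```

The whole chain is returned so that each intermediate hop, not only the final URL, can be passed to the URL verification step.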



Fig. 6. Signature verification delay. (Plot: time delay in milliseconds against QR number.)

Compared with other barcode security applications, the Secure QR code system has additional features. Referring to TABLE I, we can add an additional row for our QR code security system as shown in the right part of Table III. In fact, the proposed system, in contrast to Norton Snap QR code reader, can provide malicious content isolation. In addition, it can provide online content verification, generator authentication, and integrity guarantee, which are not provided by the QR & Barcode reader application.

TABLE III. SECURE QR CODE APPLICATION FEATURES.

| Features | Application (Secure QR Code) |
|---|---|
| Code Type | QR Code |
| Online Contents verification | Yes |
| Isolate Malicious Contents | Yes |
| Generator Authentication | Yes |
| Integrity Guarantee | Yes |

VI. CONCLUSION AND FUTURE WORK

In this paper, we have designed a novel security system for QR codes. Since QR code security is essential and QR codes are increasingly used in all fields of life, this system can protect users' privacy and identity in addition to their smart phone devices. Our security system can detect attacks like QR code fabrication, phishing and fraud attacks. Experiments show that the average time delay introduced as a result of applying the security system is acceptable.

The proposed secure QR code application provides a higher security level and maintains backward compatibility with QR codes that do not incorporate security features. Even if the QR code does not contain a digital signature, the application can still verify online contents and malicious contents. However, it will warn the user about that before giving the user the choice to continue or not.

We plan to extend this work in the future to other barcode types, enhance the implementation and add more security features.

VII. REFERENCES

[1] Wikipedia, Retrieved May, 22, 2014, from http://en.wikipedia.org/wiki/QR_code
[2] ISO/IEC 18004:2006 Information technology -- Automatic identification and data capture techniques
[3] A. S. Narayanan, “QR Codes and security solutions,” International Journal of Computer Science and Telecommunications [Volume 3, Issue 7, July 2012]
[4] P. Kieseberg, M. Leithner, M. Mulazzani, L. Munroe, S. Schrittwieser, M. Sinha, E. Weippl, “QR Code security,” 2010.
[5] Norton Safe Web, Retrieved May, 21, 2014, from https://safeweb.norton.com/.
[6] H. A. Wahsheh, Y. A. Wahsheh, R. A. Wahsheh, “Novel educational system for holy quran using QR codes,” Proceedings of Al-Zaytona University International Engineering Conference on Sustainability in Design an Innovation, 2014 May 13-15; Amman – Jordan.
[7] K. Liao, W. Lee, “A Novel user authentication scheme based on QR-Code,” Journal of Networks, Vol. 5, No. 8, August 2010.
[8] H. S. Al-Khalifa, “Utilizing QR Code and mobile phones for blinds and visually impaired people,” K. Miesenberger et al. (Eds.): ICCHP 2008, LNCS 5105, pp. 1065–1069, 2008.
[9] GoSafeOnline, “QR Code – falling prey to malicious website,” Monthly Newsletter – Issue No. 2013-06.
[10] Csoonline, Retrieved May, 21, 2014, from http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
[11] I. Kapsalis, “Security of QR codes,” Norwegian University of Science and Technology, Master in Security and Mobile Computing 2013.
[12] L. R. Yin, Z. Zhang, N. Baldwin, “Perceived Security Risks of Using Quick Response (QR) Codes in Mobile Computing with Smart Phones,” 2014.
[13] Norton Snap QR code reader, Retrieved May, 21, 2014, from https://play.google.com/store/apps/details?id=com.symantec.norton.snap
[14] QR & barcode reader (Secure), Retrieved May, 21, 2014, from https://play.google.com/store/apps/details?id=com.dodo.scannersecure
[15] Api.qrserver, Retrieved May, 21, 2014, from https://api.qrserver.com.
[16] Wikipedia, Retrieved May, 21, 2014, from http://en.wikipedia.org/wiki/HTTP_location
[17] S. Kuwabara, S. Mikami, Y. Takahashi, M. Yoshikawa, H. Narumi, K. Koganezaki, T. Wakabayashi, A. N. Seino, “Development of the traceability system which secures the safety of fishery products using the QR code and a digital signature,” IEEE 2004.
