[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Next Article in Journal
TEEDA: An Interactive Platform for Matching Data Providers and Users in the Data Marketplace
Next Article in Special Issue
Risk Measurement Method for Privilege Escalation Attacks on Android Apps Based on Process Algebra
Previous Article in Journal
Adoption of Sustainable Technology in the Malaysian SMEs Sector: Does the Role of Government Matter?
You seem to have javascript disabled. Please note that many of the page functionalities won't work as expected without javascript enabled.
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions

by
Heider A. M. Wahsheh
1,2 and
Flaminia L. Luccio
1,*
1
DAIS, Università Ca’ Foscari Venezia, 30172 Venezia, Italy
2
College of Computer Sciences and Information Technology, King Faisal University, Al-Hassa 31982, Saudi Arabia
*
Author to whom correspondence should be addressed.
Information 2020, 11(4), 217; https://doi.org/10.3390/info11040217
Submission received: 2 March 2020 / Revised: 6 April 2020 / Accepted: 14 April 2020 / Published: 16 April 2020
(This article belongs to the Special Issue Cyberspace Security, Privacy & Forensics)

Abstract

:
The widespread use of smartphones is boosting the market take-up of dedicated applications and among them, barcode scanning applications. Several barcodes scanners are available but show security and privacy weaknesses. In this paper, we provide a comprehensive security and privacy analysis of 100 barcode scanner applications. According to our analysis, there are some apps that provide security services including checking URLs and adopting cryptographic solutions, and other apps that guarantee user privacy by supporting least privilege permission lists. However, there are also apps that deceive the users by providing security and privacy protections that are weaker than what is claimed. We analyzed 100 barcode scanner applications and we categorized them based on the real security features they provide, or on their popularity. From the analysis, we extracted a set of recommendations that developers should follow in order to build usable, secure and privacy-friendly barcode scanning applications. Based on them, we also implemented BarSec Droid, a proof of concept Android application for barcode scanning. We then conducted a user experience test on our app and we compared it with DroidLa, the most popular/secure QR code reader app. The results show that our app has nice features, such as ease of use, provides security trust, is effective and efficient.

1. Introduction

Barcodes are a universal technology that provides visual data representation using series of lines, squares or dots, organized in a standard way. The barcode image contains information that identifies and describes the object it is associated to. In order to extract the encoded data, the user needs a barcode scanner, i.e., an optical machine that has imaging and processing capabilities (a camera and a processor). The barcode scanners can be specific devices or smartphone reader applications, and they require a Line-of-Sight to capture the barcode image and retrieve the stored data [1].
Two dimensional (2D) barcodes are machine readable images that enhance many features of the traditional one dimensional (1D) barcodes, such as more data capacity and robustness, and so are suitable for industrial and economic purposes. They can be used in a simple and effective way to achieve communication between physical objects (such as paper-based surfaces), and the digital ones (e.g., smartphones) [2].
Quick Response (QR) codes are particular 2D barcodes that have spread dramatically over the last few years, and they are considered free, simple and effective tools capable to store up to 2953 bytes that can be retrieved quickly [3]. Recently, new types of QR codes have been proposed that have a beautified appearance and a higher capacity [4]. QR codes allow users to extract data in three main modes: online, offline or in a combination of modes. For example, users can use QR codes to connect to websites, to send emails or read SMS, to save contact numbers, find map coordinates, listen to audio, or watch videos, etc. [5].
Recent studies show that barcodes can be maliciously used to run different attacks such as: phishing, malware propagation, cross-site scripting (XSS), SQL/command injection and reader applications attacks (see, e.g., [6]). Several QR code reader applications claim to provide security and privacy characteristics. In our opinion, it is important to categorize, evaluate and discuss the feature of these applications. In this study, we thus analyse 100 barcode scanner applications from a security and privacy perspective. According to our analysis, there are some apps that provide security services including URL checking and cryptographic solutions. Other apps guarantee user privacy by adopting least privilege permission lists. However, there are also apps that deceive the users by providing security and privacy protections which are weaker than what is claimed. We also analyze the most popular downloaded apps, since being popular does not imply being secure. Based on that, we classify the apps into five groups: URL Security, Crypto-based security, Popular, Save privacy, Weak applications. We recommend a set of tips for developers to build usable, secure and privacy-friendly applications and we used them to implement BarSec Droid, a proof of concept Android application for barcode scanning. Finally, we have conducted different experiments to evaluate user experience on our app compared to DroidLa, the most popular/secure QR code reader [7]. The results show that applying the design tips will increase the user security trust, improve the user attitude towards applying security solutions, and increase the awareness of possible attacks. This paper is an extended version of [8].

1.1. Contributions

Our contributions can be summarized as follows: (i) we present the most comprehensive analysis of 100 barcode scanner applications from security and privacy perspectives; (ii) we categorize barcode scanner applications into five groups based on the security features they provide or on their popularity; (iii) we propose usability, security and privacy recommendations for the development of barcode scanners; (iv) we present BarSec Droid, a proof of concept QR code Android application that we have developed; (v) we present the results of a user experience test on BarSec Droid and on DroidLa the most popular/secure QR code reader, and we discuss the comparison results.

1.2. Related Work

In the literature, there are some works that analyze QR code scanner applications, however, they take into consideration only a very limited number of them. To the best of our knowledge, our work contains the most comprehensive analysis of security and usability features of QR code readers (we have studied 100 applications).
In [9], the authors investigate the security features of 31 Android QR code scanner apps, w.r.t. phishing and malware attacks. Twenty-three out of 31 apps ask user permission before visiting the encoded QR code URLs. Only two QR code scanners, Norton Snap and QR Pal, provide some security warnings but have very poor detection capabilities of link-based phishing and malware attacks. Therefore, the authors propose SafeQR app which employs two security APIs, Google safe browsing and Phishtank [10,11] to enhance the detection rate of malicious URLs. However, w.r.t. our work, the study of [9] does not discuss the usability and privacy properties, and does not provide solutions for other attacks such as, e.g., SQL and command injections.
The study of [12] focuses on QR code security, usability and privacy issues. The authors initially study the 12 most frequently used QR code reader applications for Android, iOSand Windows Phone, w.r.t. security protection and privacy violations. The results show the inefficiency of protection methods against malicious QR codes and the lack of privacy protection (sensitive data were sent to third parties). In the second part of the work, the authors assess user knowledge about QR code security by using an online questionnaire. The results show differences between users of different European countries, and also underline the need of security improvements in the QR code processing phase. Finally, the authors propose a set of design recommendations to improve usability and security of QR code scanners. The authors present a prototype that checks the online content and adopts digital signatures, and the results show the efficiency of the protection recommendations. W.r.t. to our work, the study of [12] analyzes only a small number of applications and does not consider the expected size or delay overhead of applying digital signature mechanisms.
The study of [13] focuses on 14 Android QR code scanners, explores their security proprieties, and shows limited capabilities and weaknesses of several apps from a protection point of view. In particular, some apps directly visit the URL encoded in the barcorde, neither validating it against threat databases, nor asking user’s permission, thus putting users at a risk of being redirected to malicious websites. Only two apps, KasperSky [14] and G Data QR code [15] perform validation of the full URL, and only 8 out of 14 analyzed apps provide security features against phishing and malware attacks. Finally, the author gives some tips on how to enhance the protection of barcode readers, but, w.r.t. our work, does not analyze them from a usability perspective.

1.3. Paper Structure

The rest of this paper is organized as follows: Section 2 introduces our research methodology, while Section 3 presents QR code reader applications and categorize them based according to their properties. In Section 4, we evaluate all tested barcode reader applications in terms of granted permissions. In Section 5, we first illustrate our recommendations for the development of secure, usable and privacy-friendly QR code readers, and we then present BarSec Droid, our implemented reader application. Section 6 shows a user experience test on our app, and finally, in Section 7 we present the conclusion and future work.

2. Research Methodology

In this section, we present the research methodology that we used, and we emphasize the differences with our previous work [8]. Our methodology includes the following six main steps:
  • Application selection: We have searched inside Google Play Store for Android secure and privacy-friendly barcode reader applications and we have selected 100 of them. This extends the work of [8] were we only considered 28 apps.
  • Information gathering: We have extracted all the features and permissions from the app descriptions.
  • Application tests: We have installed the apps, evaluated them and compared their capabilities w.r.t. the app descriptions.
  • Application Categorization: According to the app features, we have divided them into five different groups, refining the categorization of [8];
  • Recommendation proposal: We have listed guidance tips for developers to build secure and privacy-friendly barcode reader apps;
  • User security and usability awareness evaluation: We have conducted a user survey to evaluate the user experience. This survey extends the one of [8], as it was refined and the number of proposed questions was increased.

3. QR Code Readers

Exploring Google Play Store [16] for secure QR code readers lead to a selection of more than 100 apps. All these apps support the standard scanning service but some of them also claim to provide security features. According to [12] most barcode scanners apps are not able to protect users against the selection of malicious QR codes, or against privacy violations. In this study, we aim at studying barcode reader applications from security, privacy and usability perspectives. Our preliminary results in [8] showed that several apps, use weak security mechanisms, e.g., weak algorithms or short key lengths. Moreover, several apps do not follow standard structures or optimal encoding schemes. Our proposed app, in Section 5 overcomes all these limitations. Table 1 lists the following features of the selected apps:
  • App developer: the identity of developer or company name.
  • Version: analyzed app version.
  • Installs: number of app installations from Google Play.
  • Category: App’s category (w.r.t. later classification).
  • Rate: a 5-point scale users evaluation of an app from Google Play. N/A means not available.
  • 1D/2D: ability to read 1D and 2D barcodes. QR stays for QR codes.
  • Format: the reader displays the barcode type it has identified, e.g., QR code, etc.

3.1. URL Security Applications

Embedding barcodes with malicious links is one of the most common attacks that targets a user device. In this section, we presents QR code readers that provide security services on links, by checking the encoded online content. Multiple technologies can be used for detecting malicious URLs, e.g., Artificial Intelligence techniques, black and white lists, etc., however, in this context, we do not focus on the adopted technology but on the features provided by the readers.
G Data QR code reader [15] is a free Android application that checks the online content of a QR code, detects suspicious links, shows the complete URL and extends short ones, and blocks users from visiting unsafe URLs in their browser [13].
KasperSky QR Scanner [14] is a free app that checks QR code URLs against malicious Web pages. The app description does not provide any detail regarding the used protection methods, and the main limitation of the app is that it allows to directly visits links, detected as benign, without asking for user confirmation [13].
The Norton Snap QR code scanner [17] is another application that validates QR code URLs against Web attacks. This app alerts users for benign/malicious links, blocks malicious URLs, and retrieves the full encoded URL.
Other URL security applications such as: Trend Micro [18], FANSec [19], Dennings [21], Avira [24], iTechSo [28], KidControl [22], iTechSol [28,49] and X & C Hi-Tech Inc. [27] provide URL checking services. However, they do not retrieve the full URLs. If the encoded URLs are shortened or redirected, the users will not be able to check the final URL destination.
QR Code Scanner & Barcode Reader for CM Browser [25] is a lightweight QR code scanner based on the CM browser: it is the browser itself that provides security services, checks URLs, and blocks advertisements.
TeaCapps barcode scanner [32] checks URLs by employing Chrome Custom Tabs, which uses Google Safe Browsing technology [10].
G-Scan and G-tos scan barcode scanners [43,44] check URLs, alert users in case of malicious links and gets the full expanded URLs.
Table 2 presents a comparison of barcode scanners that provide security by checking URLs embedded in QR codes.
The main limitation of these apps is that URL-checking scanners works against online attacks, by detecting malicious/suspected Web pages, while other offline attacks such as SQL and command injections cannot be prevented. Moreover, some of these applications do not provide information about their URLs checking techniques, i.e., how they classify URLs into benign or malicious.

3.2. Crypto-Based Security Applications

Cryptographic mechanisms can be used to encrypt, sign and control the access to QR code content. Adopting data encryption provides confidentiality and access control for the encoded contents, so that only the authorized users (who have the decryption key) can retrieve the encoded data. Moreover, digital signatures can achieve authentication, integrity and non-repudiation. Recent studies also investigate the use of Visual Secret Sharing schemes for QR Code, to provide additional security mechanisms, e.g., to online transaction [114]. Choosing the suitable algorithm, key length and structure are discussed in multiple studies [6,115], but the key factor on barcode usability is the size overhead [116]. However, there are few applications that offer generating and reading cryptographic QR codes.
Madiff Net reader application [20] is free and available in several languages, such as: English, Vietnamese and Chinese. Madiff Net supports scanning and generating password-protected QR codes, in which the content is encrypted using a shared key between the generator and the barcode reader. The developer does not mention the used algorithm but keys are 6 bytes of length, and the ciphertext is a base 64 string. Since the algorithm is unknown, we cannot evaluate the strength of this app. In addition, Madiff Net uses a base 64 encoding scheme for bytes inside QR codes which causes size overhead.
QR Droid Private [7] is a free, well-designed interface, which provides scanning and QR code generation services. This app supports URL shortening, QR code sharing and content encryption. QR Droid Private adopts a weak encryption algorithm, i.e., Data Encryption Standard (DES) with breakable key size of 56 bits. It uses a keyword structure, in which the ciphertext is encoded in base 64. There are two versions, private and full. The private version needs few permissions to generate QR codes, while the full version needs more permissions.
Crypto Message [23] is a security application that supports an encryption service for encoding text messages inside QR codes. This application offers the creation of QR codes in the free version, while decoding requires the paid version. It adopts Advanced Encryption Standard (AES) with four modes that include: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Counter (CTR), and Output Feedback (OFB) modes. It uses key size of 128, 192 and 256 bits, and encodes ciphertexts as hexadecimal or base 64 strings. Finally, Crypto Message is not able to decode barcodes that are created by other applications.
The algorithm, the key size and the structure of EC QR [33,41,78,79,81,83] are not available and cannot be evaluated. However, the developers claim they support message encryption and other security features.
Observe that, all the above mentioned applications have some limitations: (1) They assume no standard method of encoding cryptographic data in QR codes, i.e., each application adopts its own structure. Thus, in order to decode a crypto-barcode, the user will need to use the same generating application, while, on the other hand, the study of [116] suggests the use of the standard JavaScript Object Notation (JSON) as a general structure to be used with crypto-QR codes. (2) Some of these applications use weak encryption algorithms such as: DES and AES-ECB. (3) These applications employ base 64 and hexadecimal strings to represent ciphertexts, which lead to size overhead.
The password-protected QR codes achieve confidentiality and access control, so that only authorized users who have the key (password) can decrypt and access contents. However, encrypting the contents is not the optimal mechanism to protect users who scan the QR code, since even encrypted data may include malicious URLs or offline attacks. Digital Signature can be useful to protect users, as it employs public-key cryptography, to validate authentication, integrity and non-repudiation of QR code contents [116]. Table 3 presents a summary of crypto-based QR code scanners and it includes the app developer, encryption, digital signature (DS), algorithm (Alg), key length (KL), encoding scheme (EncS), and structure (Str).
Note that, these applications offer a single access control mechanism, the encoded data may either be public (plain text) or private (ciphertext), thus they do not support QR codes that have an encryped part and a plaintext at the same time. Moreover, none of the applications support digital signature.

3.3. Popular Applications

In this section, we explore the most popular QR code scanner applications that have been downloaded by more than 1 million users (see Figure 1). Note that, popular apps may be included in the other groups, for example Norton Snap [17] and KasperSky [14] are included in the URL security group, as well as in the Popular applications group (see Table 1).
The ZXing library [117] (“zebra crossing”) is a Java source image processing library that is compatible with several 1D and 2D barcodes and used with various popular applications such as: ZXing Barcode Scanner [36], Barcode Scanner Pro (10M downloads) [37], and Barcode Scanner [39] (5M downloads).
ZXing Barcode Scanner [36] is one of the most popular downloaded applications, with more than 100 million users. It employs [117], shows the barcode format and offers extra information about embedded links such as: title and redirections.
Other applications that have nearly the same functionalities, and are able to read 1D and 2D barcodes are QR & Barcode Scanner by [35,38,45] that recorded more than 50M downloads. Moreover, free QR Scanners Bar Code Scanner & QR Code Reader [40,53] recorded 10M downloads. Private version of [7,31,80], recorded more than 5 M downloads.
Note that, being popular is not enough to be usable and secure. So we have investigated the popular applications also from security perspective. [14,17,49] belong to URL and popular groups, while [34,38,106] belong to popular and Save-Privacy groups. [7] belongs to Crypto and Popular, and [32] belongs to three groups, i.e., URL, Popular and Save-Privacy. Moreover, we have also evaluated all tested apps from privacy perspectives (see Table 4 and Table 5).

3.4. Save-Privacy Applications

Using a barcode reader application involves asking for user permissions, a list of allowed services and resources that the app can use, e.g., contacts, media files, camera or microphone. Granting these permissions allows the app to facilitate the barcode usage, e.g., saving a phone number directly without copy and paste. However, giving permissions can be extremely dangerous, especially from a privacy perspective, as an attacker may access private data and may run an information leakage attack. The problem of correctly configuring systems so to protect the user privacy is a very challenging task in general and has been widely studied also in other contexts, e.g., to correctly configure TLS/SSL connections in mobile applications [118], or to configure products and systems in the software industry [119]. In this section, we will illustrate the available apps that adopt balanced permissions that meet the privacy requirements. In the context of QR codes, we need standard architectural choices for developers to build privacy-friendly applications, with minimal permissions include accessing the camera (to scan the barcode), and the network (if there is a need to check URLs).
Table 4 shows the Save-Privacy apps with the least-privilege permissions. Permissions are:
  • Camera (Cam): takes pictures and videos;
  • Wi-Fi info (wi-fi): views Wi-Fi connections;
  • Network (Net): gives full network access, and views network connections.
TeaCapps Scanner [28,32] are examples of apps that support checking QR code online contents, alongside with less permissions (camera and Internet). QR Scanner (Privacy Friendly) [26], Tokoware [85], Krow QR Code Reader [87], and Habib Khlifi QR Code Reader [108] are all QR code readers that only ask camera permission. If users are interested in privacy, these are the suitable application. They are safe and fully compatible with Android devices.
Tokoware [30], Lightning QR code Scanner [34,52,64,69,75,83,91,92,104,112] require access to the camera and to the network. Thus, all these applications are suitable for users who aim at protecting their privacy.
Some other apps in Table 4 such as: [38,58,71,73,77,99,106] also ask for Wifi permission that should not violate the user privacy.

3.5. Weak Applications

In this section, we present apps that try to deceive the users by claiming strong security-privacy features, without providing any real protection. These apps employ misleading terms such as data encryption and decryption, while they do not provide real cryptographic mechanisms (False encryption) and refer to these terms to indicate data encoding and decoding in QR codes such as: [102,103,109]. Here it is important to mention that data encoding means representing data in QR code modules, where any QR code scanner can retrieve (decode) the contents directly without any specific key (see part (a) in Figure 2). On the other hand, data encryption means transforming data (plaintext) into an encrypted message (ciphertext), that only authorized users who have secret key can decrypt (see part (b) in Figure 2).
Moreover, some apps’ descriptions indicate security and privacy features, while testing them shows that they do not really provide the claimed features such as [51,63,80,101,105,107,110,111]. Other apps claim they are privacy-friendly but ask for potential permissions that can be used in information leakage attacks, such as: [29,31,35,42,46,47,48,50,54,55,56,57,59,60,61,62,65,66,67,68,70,74,76,84,88,89,90,93,94,95,96,97,98,100,113]. More details will be given in the next section.

4. Permissions and Privacy Evaluation

Reviews on barcode applications generally show dissatisfaction when applications require unneeded permissions. As an example, we cite a user review of [35] application. A user wrote: “Why do you now need access to my location, photos, media and files? It worked perfectly in the past without these permissions and I see no reason to have them”. This comment shows how limiting permissions can be an important feature.
For this reason, we have decided to evaluate all the tested barcode reader applications in terms of granted permissions. Table 5 shows the requested permissions for all our 100 tested applications excluding the apps that we already analyzed in Table 4. These permissions include getting access to:
  • Device & app history (DevHis): read sensitive log data;
  • Contacts (Cont): read contacts;
  • Location (Loc): approximate location (network-based) and precise location (GPS and network-based);
  • Phone (Phn): directly call phone numbers;
  • Photos/media/files (Files): read, modify or delete the contents of USB storage;
  • Storage (Stg): read, modify or delete the content of USB storage;
  • Device ID & call info (DevInf): read phone status and identity;

5. Secure and Usable Barcode Reader Applications

In this section we first discuss possible design recommendation to develop secure and usable barcode reader applications, and we then present BarSec Droid, a new application that follows this guidelines and has good user feedbacks.

5.1. Design Recommendation

Based on our assessment for the existing 100 barcode scanners, on limits and drawbacks previously mentioned, and based on suggestions proposed in other works [116,120] we recommend the following guidelines to develop secure, usable, and privacy-friendly barcode reader applications:
  • Barcode type: Support several barcode types, that can be used in various contexts;
  • Barcode format: Display the barcode format, in order to avoid wrong barcode type decoding;
  • URL checking: Check URLs inside barcodes to detect malicious ones;
  • Warnings: Use security warnings such as browser warnings against suspicious URLs;
  • Digital signature: Apply digital signature services, to authenticate the barcode generator, guarantee data integrity and non-repudiation;
  • Encrypted content: Adopt encrypted contents, to achieve confidentiality and access control;
  • Limit permissions: Request least-privilege permissions, and prevent accessing private files to guarantee user privacy. Limit permissions to camera access (to scan the barcode image), and to Internet (to check URLs);
  • Simple interface: Provide default basic functionalities with simple interface, so that non-expert users can easily use the app;
  • Prevent code execution: Prevent the execution of any encoded codes or commands in user devices;
  • Supporting material: Provide manuals and resources for users to learn how to use secure reader applications.

5.2. The BarSec Droid Application

According to the recommendations presented in Section 5.1, we have developed two applications: the BarSec desktop application and the BarSec Droid Android application (Available at: https://apkpure.com/it/barsec-droid/barcode_security.heider.bsr). These applications adopt symmetric and asymmetric cryptographic mechanisms to generate and read secure and usable barcodes, and make use of the ZXing library [117]. Figure 3 presents the BarSec Droid Android application.
The barcode generator is available only in the BarSec desktop application, and generates barcodes using the JSON structure, as proposed in [116]. It offers various security features that include: barcodes authentication, data integrity, access control, and confidentiality. It provides usability warning messages based on the usability guide presented in [121] and can be used for both generating and reading QR codes.
Both the BarSec Droid Android application and the BarSec desktop application support different digital signature algorithms i.e., RSA and Elliptic Curve Digital Signature Algorithm (ECDSA) with several key lengths, and use SHA-256 as hash function (see Figure 3). They support hash-based message authentication code (HMAC) with different key lengths. In addition, they use Advanced Encryption Standard (AES) with four modes; Cipher Block Chaining (CBC), Output Feedback (OFB), Cipher Feedback (CFB) and Galois/Counter Mode (GCM). These mechanisms have been studied in detail to meet the usability issues presented in [121]. We have also implemented Access Control Lists (ACLs) that allow the generator to have multiple layers of data; i.e., multiple users who have controlled access to data.
Example 1.
As an example of use assume we have a QR code with the ACL that include these tags: public, student and teacher, where:
  • Public tag: contains plain text data;
  • Student tag: contains a ciphertext that is encrypted with the student key.
  • Teacher tag: contains a ciphertext that is encrypted with the teacher key.
Each tag has authorized users who can access its contents, e.g., a student can read the public tag, and the student tag but not the teacher tag (since students do not have the teacher key).
Table 6 summarizes the features of the BarSec Droid application. It uses the JSON structure, and it supports barcodes generated by the BarSec Droid Desktop application, and also barcodes that contain Access Control Lists (ACLs). It can read standard QR codes that do not include cryptographic data and that do not follow specific structures. It checks full URLs contained inside barcodes, and checks their online content using Norton Safe Web service [122].

6. Experimental Results

We have conducted a user survey to get the user reactions about the BarSec Droid usage, and the level of trust for the provided security information. In order to compare the results with other security apps, we have chosen the most popular and secure QR code reader, i.e., QR Droid Private [7] that belongs to the popular and Crypto-based protection group. We followed the recommended sample size in [123] and conducted a survey with the help of 30 users who were undergraduate students from different colleges. They were asked to scan ten QR codes for each reader. Then, the users completed a survey that was built following the lines of three very popular usability surveys [124,125,126] and a usability survey on secure mobile applications [127]. Our survey includes the following ten points:
  • Overall, I am satisfied with the ease of completing the tasks.
  • Overall, I am satisfied with the amount of time it took to complete the tasks.
  • Overall, I am satisfied with the support information (warnings and details messages).
  • It is flexible?
  • I would recommend it to a friend.
  • I can effectively complete the tasks using this application.
  • I am able to efficiently complete the tasks using this application.
  • How much do you trust the security information in the application?
  • Overall, I would like to use the application.
  • Is the application visually appealing?
Each point had a five-point scale answer, described as: (1: very unsatisfied to 5: very satisfied). We have followed the answers evaluation method used on [127] by using paired t-test, which is a standard statistical method that compares the mean values of two groups. Paired t-test was used because the survey asked the user to evaluate 2 apps at a time.
Table 7 shows the Means (the value before ±), Mean Standard Error ((MSE), the value after ±), and p-value results from participants’ feedback for BarSec Droid and QR Droid Private. Note that, in the t-test, when the p-value is less than 0.05, there is a statistically significant difference between two groups [128], and in this case the mean value is marked in bold in the table.
According to Table 7, BarSec Droid recorded better answers for easiness of use, security trust, being likely to use, recommended app, effectively and efficiently. On the other hand, QR Droid Private recorded a higher level of support information satisfaction and visually appealing, which reflects the application excellent design and options such as supporting multiple (29) languages. The results of the time of tasks and the flexibility recorded converged values, which reflects that BarSec Droid and QR Droid Private have acceptable time delay and flexible capabilities according to the user feedback.

7. Conclusions

This paper presents the most comprehensive evaluation for 100 barcode reader applications from a point of view of security and privacy issues. We have categorized these apps according to their features into five groups: URL security, Crypto-based security, Popular, Weak and, Save-privacy applications. Based on our analysis, we have proposed recommendations towards developing usable, secure and privacy-friendly applications and implemented BarSec Droid, a proof of concept Android app that follows our recommendations. Moreover, we have conducted user experiments to assess user experience on our app, compared to the most popular/secure QR code reader app. The results show that applying the design recommendations will increase the user security trust, ease of use alongside with the efficacy and effectiveness of scanning barcodes. As a future work, we plan to extend our analysis to cover more applications i.e., iOS and Windows phone apps. In addition, we plan to evaluate the available security mechanisms of QR code online contents such as: Google safe browsing and Norton Safe Web.

Author Contributions

Conceptualization and Methodology, H.A.M.W. and F.L.L.; Software, Data curation and Writing—original draft preparation, H.A.M.W.; Writing—review and editing, Supervision and Funding acquisition, F.L.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Denso Wave. QRcode.com DENSO WAVE. 2017. Available online: http://www.qrcode.com/en (accessed on 16 April 2020).
  2. Zara Rizwan. Do People Use QR Codes in 2017? The Answer Will Definitely Surprise You. 2017. Available online: https://scanova.io/blog/blog/2017/08/04/do-people-use-qr-codes/ (accessed on 16 April 2020).
  3. Dabrowski, A.; Krombholz, K.; Ullrich, J.; Weippl, E. QR Inception: Barcode-in-Barcode Attacks. In Proceedings of the 4th ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM’14), Scottsdale, AZ, USA, 7 November 2014; pp. 3–10. [Google Scholar]
  4. Cai, H.L.; Yan, B.; Chen, N.; Pan, J.S.; Yang, H.M. Beautified QR code with high storage capacity using sequential module modulation. Multimed. Tools Appl. 2019, 78, 22575–22599. [Google Scholar] [CrossRef]
  5. Akta, C. The Evolution and Emergence of QR Codes, 1st ed.; Cambridge Scholars Publishing: Cambridge, UK, 2017. [Google Scholar]
  6. Focardi, R.; Luccio, F.; Wahsheh, H. Security Threats and Solutions for Two Dimensional Barcodes: A Comparative Study. In Computer and Network Security Essentials; Kevin, D., Ed.; Springer: Berlin/Heidelberg, Germany, 2018; pp. 207–219. [Google Scholar]
  7. DroidLa. QR Droid Private. 2016. Available online: http://qrdroid.com/ (accessed on 16 April 2020).
  8. Wahsheh, H.; Luccio, F. Evaluating Security, Privacy and Usability Features of QR Code Readers. In Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP 2019), Prague, Czech Republic, 23–25 February 2019; pp. 266–273. [Google Scholar]
  9. Yao, H.; Shin, D. Towards Preventing QR Code Based for Detecting QR Code Based Attacks on Android Phone Using Security Warnings. In Proceedings of the 8th ACM SIGSAC ASIA CCS, Hangzhou, China, 7–10 May 2013; pp. 341–346. [Google Scholar]
  10. Google. Google Safe Browsing API, Website. Available online: https://developers.google.com/safe-browsing/ (accessed on 16 April 2020).
  11. Phishtank. Phishtank API, Website. Available online: https://www.phishtank.com/ (accessed on 16 April 2020).
  12. Krombholz, K.; Frühwirt, P.; Rieder, T.; Kapsalis, I.; Ullrich, J.; Weippl, E. QR Code Security–How Secure and Usable Apps Can Protect Users Against Malicious QR Codes. In Proceedings of the 2015 10th International Conference on Availability, Reliability and Security (ARES), Toulouse, France, 24–27 August 2015; pp. 230–237. [Google Scholar]
  13. Dudheria, R. Evaluating Features and Effectiveness of Secure QR Code Scanners. In Proceedings of the International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), Nanjing, China, 12–14 October 2017; pp. 40–49. [Google Scholar]
  14. KasperSky Lab. QR Code Reader and Scanner: App for Android. 2018. Available online: https://free.kaspersky.com/?cid=acq-gplay-lnk#mobile (accessed on 16 April 2020).
  15. G Data Software AG. G DATA QR Code Scanner. 2018. Available online: https://www.gdata.de/ (accessed on 16 April 2020).
  16. Google Inc. Google Play Store. 2018. Available online: https://play.google.com/store?hl=en (accessed on 16 April 2020).
  17. NortonMobile. Norton Snap QR Code Reader. 2016. Available online: https://support.norton.com/sp/en/us/home/current/solutions/v64691018_EndUserProfile_en_us?client=norton&site=nrtn_en_US (accessed on 16 April 2020).
  18. Trend Micro. QR Scanner-Free, Safe QR Code Reader, Zero Ads. 2018. Available online: https://www.trendmicro.com/en_us/business.html (accessed on 16 April 2020).
  19. FANSec Lab Apps. Secure QR Code Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.fansec.lab.security.secureqrcodescanner (accessed on 16 April 2020).
  20. Madiff Net. QR & Barcode Security. 2017. Available online: https://play.google.com/store/apps/details?id=com.trustbookin.qrcodebarcodesecurity (accessed on 16 April 2020).
  21. Dennings. Safe QR-Scanner & Generato. 2018. Available online: http://www.dennings.org/ (accessed on 16 April 2020).
  22. KidControl Dev. Safe GeoTag QR Scanner. 2018. Available online: https://web.facebook.com/GeoTagQR?_rdc=1&_rdr (accessed on 16 April 2020).
  23. Tengler, D. Crypto Message. 2018. Available online: https://play.google.com/store/apps/details?id=cz.crypto_message_free.apk (accessed on 16 April 2020).
  24. Avira. Free QR Scanner. 2018. Available online: https://www.avira.com/ (accessed on 16 April 2020).
  25. Browser Extension. QR Code Scanner & Barcode Reader for CM Browser 2018. Available online: http://www.cmcm.com/en-us/ (accessed on 16 April 2020).
  26. SECUSO Research Group. QR Scanner (Privacy Friendly). 2016. Available online: https://secuso.aifb.kit.edu/index.php (accessed on 16 April 2020).
  27. X and C Hi-Tech Inc. Scan 2D Social QR Code Scanner. 2016. Available online: http://www.scan2d.com/static/index.html (accessed on 16 April 2020).
  28. iTechSol. Secure QR Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.scanner.qr.barcode.reader.bar.codes (accessed on 16 April 2020).
  29. Red Dodo. QR & Barcode Reader (Secure). 2014. Available online: http://reddodo.com/qr-barcode-scanner.php (accessed on 16 April 2020).
  30. Tokoware. Private QR Reader Free. 2016. Available online: http://www.tokoware.com/ (accessed on 16 April 2020).
  31. FancyApp. QR Code Reader Extreme. 2018. Available online: https://play.google.com/store/apps/details?id=com.fancyapp.qrcode.barcode.scanner.reader (accessed on 16 April 2020).
  32. TeaCapps. QR & Barcode Reader. 2018. Available online: https://play.google.com/store/apps/details?id=com.teacapps.barcodescanner (accessed on 16 April 2020).
  33. Ecrubit Consultancy Service. EC QR. 2018. Available online: http://www.ecrubit.com/ (accessed on 16 April 2020).
  34. Application4u. Lightning QRcode Scanner. 2018. Available online: http://ww7.application-4u.com/ (accessed on 16 April 2020).
  35. Scan. QR Code Reader. 2016. Available online: https://www.scan.me/ (accessed on 16 April 2020).
  36. ZXing Team. Barcode Scanner. 2017. Available online: https://github.com/zxing/ (accessed on 16 April 2020).
  37. Geeks.Lab.2015. Barcode Scanner Pro. 2018. Available online: https://play.google.com/store/apps/details?id=com.geekslab.qrbarcodescanner.pro (accessed on 16 April 2020).
  38. Gamma Play. QR & Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.gamma.scan (accessed on 16 April 2020).
  39. Barcode Scanner. QR & Barcode Scanner. 2018. Available online: https://barcodescannerblog.wordpress.com/ (accessed on 16 April 2020).
  40. EZ to Use. Free QR Scanner: Bar Code Scanner & QR Code Reader. 2018. Available online: https://play.google.com/store/apps/details?id=app.qrcode (accessed on 16 April 2020).
  41. I-Plex Technology. Fastest QR Barcode Reader: Scanner And Generator. 2018. Available online: https://play.google.com/store/apps/details?id=com.iplextech.barcode.scanner (accessed on 16 April 2020).
  42. ECO MOBILE VN. QR Code Scanner: Barcode Scanner & QR Code Reader. 2019. Available online: https://play.google.com/store/apps/details?id=com.vtool.qrcodereader.barcodescanner (accessed on 16 April 2020).
  43. Gfects. G-scan QR Code and Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.gscan.app (accessed on 16 April 2020).
  44. Gfects. G-tos NFC Writer and QR Code and NFC Reader. 2019. Available online: https://play.google.com/store/apps/details?id=com.gfects.app (accessed on 16 April 2020).
  45. TWMobile. QR code reader QR Code Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=tw.mobileapp.qrcode.banner (accessed on 16 April 2020).
  46. Duy Pham (MMLab). QR Code Reader no Ads. 2019. Available online: https://play.google.com/store/apps/details?id=com.duyp.vision.qrcode.reader (accessed on 16 April 2020).
  47. bestdeveloperteam. QR Code Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=com.barcodereader.qrcodereader (accessed on 16 April 2020).
  48. Barcode Scanner. Barcode Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=com.qrcodescanner.barcodescanner (accessed on 16 April 2020).
  49. Mobile Ecology Group. QR Scanner Pro: All QR & Barcode. 2019. Available online: https://play.google.com/store/apps/details?id=qrcode.reader.qrcode.scanner (accessed on 16 April 2020).
  50. Hauyu. SmartScan QR Scanner & QR Code Scanner Smart Scan. 2019. Available online: https://play.google.com/store/apps/details?id=qr.barcode.reader.scanner.tool (accessed on 16 April 2020).
  51. Best App-Top Droid Team. QR code reader-QR Code & Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.tohsoft.qrcode (accessed on 16 April 2020).
  52. Net2user Team. Net2user QR Code Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=com.net2user.qrscanner (accessed on 16 April 2020).
  53. 1MB. QR Scanner & Barcode Scanner 2019. 2019. Available online: https://play.google.com/store/apps/details?id=com.kitkats.qrscanner (accessed on 16 April 2020).
  54. Best App-Top Droid Team. QR Code Reader- Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.tohsoft.qrcode.lite (accessed on 16 April 2020).
  55. Maheshandsons. My Secure Qrcode Generator & Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.mandsons.QrCodeScanner (accessed on 16 April 2020).
  56. Big Ocean Studio. QR Code Scanner & Code Reader-Scan Barcode. 2019. Available online: https://play.google.com/store/apps/details?id=com.bigoceanstudio.qr.code.scanner.code.reader.scan.barcode (accessed on 16 April 2020).
  57. hopesj0314. QR CODE READER- Easy, Fast and Free. 2019. Available online: https://play.google.com/store/apps/details?id=com.hopej.android.go (accessed on 16 April 2020).
  58. turbo01. ScanOne: Barcode and QR Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=com.developer.scanone (accessed on 16 April 2020).
  59. AapniApps. Qr Barcode Scanner: Scan Multiple Codes at once. 2019. Available online: https://play.google.com/store/apps/details?id=com.aapnitech.scannerapp (accessed on 16 April 2020).
  60. Geegle Tech. QRCode-Secure, Free, Simple Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.yy.adam.qrcode (accessed on 16 April 2020).
  61. National. G.S. Best QR Code & Barcode Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=com.qrcodescan (accessed on 16 April 2020).
  62. Ulterior Services. QR Barcode Scanner and Generator. 2018. Available online: https://play.google.com/store/apps/details?id=com.ulterior.barcodescanner (accessed on 16 April 2020).
  63. Hertikha. QR Code Reader. 2018. Available online: https://play.google.com/store/apps/details?id=com.perfect.codereader (accessed on 16 April 2020).
  64. Dikamjit Borah. Super Ultimate QR Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.dikamjitborah.hobarb.superqrscanner (accessed on 16 April 2020).
  65. Spartan Studio Inc. QR Code Reader, Barcode Scanner: QR Code Generator. 2019. Available online: https://play.google.com/store/apps/details?id=com.qrcodereader.barcode.codescanner.generator (accessed on 16 April 2020).
  66. TPCreative. QR Code & Barcode: Scanner, Reader, Creator. 2019. Available online: https://play.google.com/store/apps/details?id=tpcreative.co.qrscanner.free.release (accessed on 16 April 2020).
  67. HAK Media Team. QR Code Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.hak.qrbarcodescanner (accessed on 16 April 2020).
  68. bghavocapps. QR & Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.bghavocapps.qrandbarcodecodescannerapp (accessed on 16 April 2020).
  69. SanjoyBiswas. Qr Scanner Pro:Fast & Secure Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.qrdemo (accessed on 16 April 2020).
  70. Apps Wing. Lightning QR Code Scanner: Business Card Generator. 2019. Available online: https://play.google.com/store/apps/details?id=com.appswing.qr.barcodescanner.barcodereader (accessed on 16 April 2020).
  71. 4 Tech Solutions. Barcode Reader: Barcode Scanner- QR Code Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=com.fourtechsolutions.barcodescanner_barcodereader (accessed on 16 April 2020).
  72. PRO APP Master. QR Code Master&Barcode Scanner-Free Safe Fast. 2019. Available online: https://play.google.com/store/apps/details?id=oms.mmc.qrscan (accessed on 16 April 2020).
  73. Karmkeeda labs. Qr Code Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.appybuilder.videosongs733.Barcode (accessed on 16 April 2020).
  74. danny apps. QR Code Reader. 2019. Available online: https://play.google.com/store/apps/details?id=com.qrcode.reader.codebar (accessed on 16 April 2020).
  75. Unger, A. SafeQR. 2018. Available online: https://play.google.com/store/apps/details?id=biz.ungerware.safeqr (accessed on 16 April 2020).
  76. JLeagues. QR Code Reader. 2017. Available online: https://play.google.com/store/apps/details?id=com.zerg.zxing (accessed on 16 April 2020).
  77. Pratik@Devloper. Fast QR and Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.technicalblogger20.QR_and_Barcode_scanner (accessed on 16 April 2020).
  78. SOLEZERO.COM. QR Code Secret. 2019. Available online: https://play.google.com/store/apps/details?id=com.solezero.android.qrcodesecret (accessed on 16 April 2020).
  79. liliandroid. enQRCode: My Encrypted MSG-QR Code. 2019. Available online: https://play.google.com/store/apps/details?id=com.liliandroid.enqrccmyencryptedmsg (accessed on 16 April 2020).
  80. Green Apple Studio. QR Code Reader. 2019. Available online: https://play.google.com/store/apps/details?id=com.apple.qrcode.reader (accessed on 16 April 2020).
  81. SaiFinTex. Secret QrCode. 2019. Available online: https://apkpure.com/secret-qrcode/org.saifintex.qrcode (accessed on 16 April 2020).
  82. pak developer master. QR Code Scanner & Generator 2019. 2019. Available online: https://play.google.com/store/apps/details?id=qrcode.masterapps.com.pak (accessed on 16 April 2020).
  83. Iterative Solution Limited. Global Input App. 2018. Available online: https://play.google.com/store/apps/details?id=uk.co.globalinput (accessed on 16 April 2020).
  84. Sory Apps. Simple QR Reader-Privacy. 2019. Available online: https://play.google.com/store/apps/details?id=es.soryapps.qrreader (accessed on 16 April 2020).
  85. Tokoware. Private QR Premium. 2016. Available online: https://play.google.com/store/apps/details?id=com.tokoware.privateqrpremium (accessed on 16 April 2020).
  86. Color Phone Team & QR Code Scanner. QR Code Reader Free -QR Reader For Android. 2019. Available online: https://play.google.com/store/apps/details?id=com.maqr.barcode.free.qrandbarcodescanner.mavach.qrcode.reader.qrcodereader.qrcodescanner.quickbarecodescanner (accessed on 16 April 2020).
  87. Krow. QR Code Reader. 2019. Available online: https://play.google.com/store/apps/details?id=krow.dev.qrcode (accessed on 16 April 2020).
  88. InShot Inc. Free QR Scanner- Barcode Scanner, QR Code Reader. 2019. Available online: https://play.google.com/store/apps/details?id=qrscanner.barcodescanner.barcodereader.qrcodereader (accessed on 16 April 2020).
  89. Darren Dodgen. Inspire QR Code. 2019. Available online: https://play.google.com/store/apps/details?id=com.b.greenscanner (accessed on 16 April 2020).
  90. Apps360 Team. QR and Barcode Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=com.qrcode.barcode.scanner.reader.generator.free (accessed on 16 April 2020).
  91. Modulets. Green QR Code Reader. 2018. Available online: https://play.google.com/store/apps/details?id=net.modulets.greenqr (accessed on 16 April 2020).
  92. Buymobile. QR Code Reader and Bar Code Code Reader. 2018. Available online: https://play.google.com/store/apps/details?id=info.recipe.user.qr_bar (accessed on 16 April 2020).
  93. JarDroid. Best QR Code Scanner 2017. 2017. Available online: https://play.google.com/store/apps/details?id=com.qrcodescanner.qrcodegenerator.sacnner (accessed on 16 April 2020).
  94. EasyToolsDev. QR Code and Barcode Scanner-Free & Fast. 2018. Available online: https://play.google.com/store/apps/details?id=com.qrcode.scanner.reader.mobi (accessed on 16 April 2020).
  95. LT TEAM. Smarte: QR Barcode Scanner e Generatore. 2017. Available online: https://play.google.com/store/apps/details?id=com.smarttoolapp.qr.barcode.scanner (accessed on 16 April 2020).
  96. E-swamera. Qr Scanner. 2017. Available online: https://play.google.com/store/apps/details?id=com.scan.qrbarcodeScanner (accessed on 16 April 2020).
  97. Abqarie Studio. QR Code Scanner & Generator. 2018. Available online: https://play.google.com/store/apps/details?id=com.abqarie.qrcodescannerandgenerator (accessed on 16 April 2020).
  98. Rstream Labs. QR Scanner & Barcode Reader PRO. 2018. Available online: https://play.google.com/store/apps/details?id=com.riatech.qrscanner (accessed on 16 April 2020).
  99. Mysirg.net. Lightning QR Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=io.makeroid.sandy148101.QR_Scanner (accessed on 16 April 2020).
  100. LaHaSoft. Best QR code and Barcode Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.lahastudio.barcode&hl=en_US (accessed on 16 April 2020).
  101. Indigo Apps Studio. QR Code Scanner-QR Code Reader & QR Reader: Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=com.indigoapps.qrquickscanner (accessed on 16 April 2020).
  102. MV Group. QR Code Message. 2017. Available online: https://play.google.com/store/apps/details?id=com.collalab.qrcodemessage (accessed on 16 April 2020).
  103. Arth InfoTech. QR Code. 2019. Available online: https://play.google.com/store/apps/details?id=com.myapp.scanner.qercode (accessed on 16 April 2020).
  104. Apps Orange Tech. Inc. QR Reader: Simple QR Code Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=com.qr.code.decoder.scanner.qr.reader (accessed on 16 April 2020).
  105. DEVappy. Pro QR Reader. 2019. Available online: https://play.google.com/store/apps/details?id=com.lyricand.codebar.qrcode (accessed on 16 April 2020).
  106. Sustainable App Developer. QR Code Reader. 2018. Available online: https://play.google.com/store/apps/details?id=com.qrcodereaderapp (accessed on 16 April 2020).
  107. KInc. Bar Code Reader- Generator: Free 2019. 2019. Available online: https://play.google.com/store/apps/details?id=com.kincapps.qrcodescanner (accessed on 16 April 2020).
  108. Habib KHLIFI. QR Code Reader. 2019. Available online: https://apkpure.com/it/qr-code-reader/qr.code.reader (accessed on 16 April 2020).
  109. R2 Development. QR Util-Scan and Create QR. 2019. Available online: https://play.google.com/store/apps/details?id=com.r2devs.qrutil (accessed on 16 April 2020).
  110. AR Inc. QR Coba-QR Code Generator & Scanner. 2019. Available online: https://play.google.com/store/apps/details?id=qrcode.arinc.com.qrcode (accessed on 16 April 2020).
  111. Joe North. QR Code Scanner. 2018. Available online: https://play.google.com/store/apps/details?id=com.north.qrcode.barcode.reader.scanner.free (accessed on 16 April 2020).
  112. mr.newbie limited. EPTLS QR Scan. 2015. Available online: https://play.google.com/store/apps/details?id=com.mrnewbie.eptls (accessed on 16 April 2020).
  113. Gestrs. Gestrs QR Scanner- Ad free, Fast & Secure. 2019. Available online: https://play.google.com/store/apps/details?id=com.qrcodescan.gestrs (accessed on 16 April 2020).
  114. Liu, T.; Yan, B.; Pan, J. Color Visual Secret Sharing for QR Code with Perfect Module Reconstruction. Appl. Sci. 2019, 9, 4670. [Google Scholar] [CrossRef] [Green Version]
  115. European Union Agency for Network and Information Security (ENISA). Algorithms, Key Size and Parameters Report—2014. 2014. Available online: https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 (accessed on 16 April 2020).
  116. Focardi, R.; Luccio, F.; Wahsheh, H.A.M. Usable Cryptographic QR Codes. In Proceedings of the 19th International Conference on Industrial Technology, Lyon, France, 20–22 February 2018; pp. 1664–1669. [Google Scholar]
  117. GitHub. ZXing Project Home. 2018. Available online: https://github.com/zxing/zxing/ (accessed on 16 April 2020).
  118. D’Orazio, C.J.; Choo, K.K.R. A technique to circumvent SSL/TLS validations on iOS devices. Future Gener. Comput. Syst. 2017, 74, 366–374. [Google Scholar] [CrossRef]
  119. Varela-Vaca, A.; Gasca, R.; Ceballos, R.; Gómez-López, M.; Torres, P. CyberSPL: A Framework for the Verification of Cybersecurity Policy Compliance of System Configurations Using Software Product Lines. Appl. Sci. 2019, 9, 5364. [Google Scholar] [CrossRef] [Green Version]
  120. Reeder, R.W.; Felt, A.P.; Consolvo, S.; Malkin, N.; Thompson, C.; Egelman, S. An Experience Sampling Study of User Reactions to Browser Warnings in the Field. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, Montreal, QC, Canada, 21–26 April 2018; p. 512. [Google Scholar]
  121. Focardi, R.; Luccio, F.; Wahsheh, H. Usable Security for QR Code. J. Inf. Secur. Appl. 2019, 48, 102396. [Google Scholar] [CrossRef]
  122. Symantec Corporation. Norton Safe Web. 2018. Available online: https://safeweb.norton.com/ (accessed on 16 April 2020).
  123. Albert, W.; Tullis, T. Measuring the User Experience: Collecting, Analyzing, and Presenting Usability Metrics; Morgan Kaufmann: Amsterdam, The Netherlands, 2013. [Google Scholar]
  124. Gary Perlman. After Scenario Questionnaire. 2018. Available online: http://garyperlman.com/quest/quest.cgi?form=ASQ (accessed on 16 April 2020).
  125. Gary Perlman. Computer System Usability Questionnaire. 2018. Available online: https://garyperlman.com/quest/quest.cgi?form=CSUQ (accessed on 16 April 2020).
  126. Gary Perlman. USE Questionnaire: Usefulness, Satisfaction, and Ease of Use. 2018. Available online: https://garyperlman.com/quest/quest.cgi?form=USE (accessed on 16 April 2020).
  127. Farb, M.; Lin, Y.H.; Kim, T.H.J.; McCune, J.; Perrig, A. Safeslinger: Easy-to-Use and Secure Public-Key Exchange. In Proceedings of the 19th annual international conference on Mobile Computing & Networking, London, UK, 21–25 September 2013; pp. 417–428. [Google Scholar]
  128. StatsDirect Limited. P-Value. 2018. Available online: https://www.statsdirect.com/help/basics/p_values.htm (accessed on 16 April 2020).
Figure 1. Popular QR Code Scanners.
Figure 1. Popular QR Code Scanners.
Information 11 00217 g001
Figure 2. (a) Encoding data in QR Codes. (b) Encrypting and then encoding data in QR Codes.
Figure 2. (a) Encoding data in QR Codes. (b) Encrypting and then encoding data in QR Codes.
Information 11 00217 g002
Figure 3. Screenshot of a BarSec Droid Android application.
Figure 3. Screenshot of a BarSec Droid Android application.
Information 11 00217 g003
Table 1. Details of the Tested QR Code Readers.
Table 1. Details of the Tested QR Code Readers.
App DeveloperVersionInstallsCategoryRate1D/2DFormat
[7]7.0.45 M+Crypto and Popular4.2
[14]1.2.4.511 M+URL and Popular4.4QR
[15]1.0.2.0643c6ef10 K+URL3.3QR
[17]2.0.0.711 M+URL and Popular4.2
[18]1.0.010 K+URL4.8
[19]1.110+URL5
[20]1.2100+Crypto5
[21]1.0.171 K+URL4.1a
[22]1.05 K+URL4.4
[23]Free b100+Crypto5QR
[24]2.5.0100 K+URL4.3
[25]1.0.0100 K+URL4.3QR
[26]1.6.110 K+Save-Privacy4.4
[27]2.4.3500 +URL4.1
[28]1.15 +URL and Save-Privacy
[29]1.03500 K+Weak3.8
[30]1.1.710 K+Save-Privacy4.2
[31]2.1.65 M+Popular and Weak4.5
[32]1.3.1-L1 M+URL, Popular and Save-Privacy4.6
[33]1.0.21 +Crypto
[34]1.7.610 M+Save-Privacy and Popular4.7
[35]2.3350 M+Popular and Weak4
[36]Varies with device100 M+Popular4.1
[37]1.2.9110 M+Popular4.6
[38]Varies with device50 M+Popular and Save-Privacy4.4
[39]1.255 M+Popular4.4
[40]0.9210 M+Popular4.6
[41]1.0.51 K+Crypto5
[42]1.0.12500 K+Weak4.4
[43]1.1.51 K+URL4.4c
[44]2.2.1810 K+URL4.2c
[45]3.0.850 M+Popular4.5
[46]2.0.3100 K+Weak4.7
[47]2.01 M+Weak4.0
[48]1.385 M+Popular and Weak4.3
[49]1.11 M+URL and Popular4.6
[50]1.1.24100 K+Weak4.3
[51]1.171 M+Popular and Weak4.7
[52]3.410 +Save-PrivacyN/Aa
[53]1.9.410 M+Popular3.8
[54]1.0100 K+Weak4.6
[55]1.0100 +Weak4.5
[56]1.01 K+Weak4d
[57]6.0.0500 K+Weak4.6
[58]1.0.110 +Save-Privacy5
[59]1.14-lite10 K+Weak4.3
[60]1.31 +WeakN/A
[61]1.00 +WeakN/AQR
[62]1.1100 +Weak5
[63]1.0.11 +WeakN/A
[64]1.210 +Save-Privacy5
[65]1.0.410 K+Weak
[66]1.4.45 K+Weak4.6
[67]1.610 K+Weak4.2
[68]1.0100 +Weak3.7d
[69]1.010 +Save-Privacy5QR
[70]1.2.61 M+Popular and Weak3.9
[71]1.0.1410 K+Save-Privacy4.7
[72]1.0.110 K+Weak3
[73]1.010 +Save-Privacy5
[74]2.0.0500 +WeakN/A
[75]1.0.3.18100+Save-Privacy4.2
[76]1.010 +WeakN/A
[77]1.05 +Save-PrivacyN/A
[78]1.210+CryptoN/AQR
[79]1.010 +CryptoN/AQR
[80]1.10.30105 M+Popular and Weak4.7
[81]2.0.05 +Crypto5
[82]1.31 K+Weak4.9
[83]2.0.250 +Crypto and Save-Privacy5a
[84]1.2.110 K+Weak4.5
[85]1.0.110 +Save-PrivacyN/A
[86]1.0.4100 K+Save-Privacy4
[87]1.010 +Save-PrivacyN/A
[88]1.0.81 M+Popular and Weak4.5
[89]1.1.010 K+Weak2.9
[90]1.1.550 K+Weak4.6
[91]1.2.0.2500 +Save-Privacy3.3
[92]1.010 +Save-Privacy5
[93]1.31 K+Weak3.5
[94]1.4.1550 K+Weak4.1
[95]1.05 K+WeakN/AQR
[96]1.05 K+Weak3.6
[97]3.050+Weak5
[98]1.0.5500+Weak4.1
[99]3.010 K+Save-Privacy4.3
[100]1.01100 K+Weak4.3
[101]1.4.1210 K+Weak4.6
[102]1.05 K+Weak2.5
[103]1.050+WeakN/A
[104]1.01 K+Save-Privacy4.8QR
[105]1.0.1100+Weak4.5
[106]1.0.71 M+Save-Privacy and Popular4.6
[107]1.0.91 K+Weak4.8
[108]1.01 +Save-PrivacyN/A
[109]1.0.45 +WeakN/AQR
[110]1.010 +Weak5
[111]1.0.410 K+Weak4.6
[112]1.250 +Save-PrivacyN/A
[113]1.01 +Weak5
a Always displays QR code; b Free version to test functionality; c Displays barcode image; d Two buttons to read 1D barcode or QR code.
Table 2. Barcode Scanners that check URLs contained Inside QR codes.
Table 2. Barcode Scanners that check URLs contained Inside QR codes.
App DeveloperCheck URLDisplay URLGet Full URLDirect OpenURL Checking Technique
[14] aKasperSky Virusdesk
[15] N/A
[17]aNorton Safe Web
[18] N/A
[19] N/A
[21] Google Safe Browsing
[22] N/A
[24] N/A
[25] CM browser
[27] aN/A
[28] N/A
[32] Google Safe Browsing
[43] N/A
[44] N/A
[49] N/A
a Directly opens the URL if it is safe. N/A means not available.
Table 3. Crypto-based QR Code Scanners.
Table 3. Crypto-based QR Code Scanners.
App DeveloperEncryptionDSAlgKL (Bits)EncSStr
[7]XDES56Base64Keyword
[20]XN/A48Base64N/A
[23]XAES128,192 & 256Base64 & hexN/A
[33]XN/AN/ABase64N/A
[41]XN/AN/ABase64N/A
[78]XN/AN/ABase64N/A
[79]XN/AaBase64N/A
[81]XN/AN/ABase64N/A
[83]XN/AN/ABase64N/A
a Pin number (4 digits).
Table 4. Save-Privacy Apps with the Least-Privilege Permissions.
Table 4. Save-Privacy Apps with the Least-Privilege Permissions.
App DeveloperCameraNetworkWi-Fi
[26]
[28]
[30]
[32]
[34]
[38]
[52]
[58]
[64]
[69]
[71]
[73]
[75]
[77]
[83]
[85]
[86]
[87]
[91]
[92]
[99]
[104]
[106]
[108]
[112]
Table 5. Permissions of Tested QR Code Readers.
Table 5. Permissions of Tested QR Code Readers.
App DeveloperDevHisContLocPhnFilesStgCamWi-FiDevInfNet
[7]
[14]
[15]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[27]
[29]
[31]
[33]
[35]
[36]
[37]
[39]
[40]
[41]
[42]
[43]
[44]
[45]
[46]
[47]
[48]
[49]
[50]
[51]
[53]
[54]
[55]
[56]
[57]
[59]
[60]
[61]
[62]
[63]
[65]
[66]
[67]
[68]
[70]
[72]
[74]
[76]
[78]
[79]
[80]
[81]
[82]
[84]
[88]
[89]
[90]
[93]
[94]
[95]
[96]
[97]
[98]
[100]
[101]
[102]
[103]
[105]
[107]
[109]
[110]
[111]
[113]
Table 6. BarSec Droid Specification.
Table 6. BarSec Droid Specification.
FeatureSupportedKey Length (Bits)
EncryptionAES a128–256
Digital SignatureECDSA256
RSA1024
2048
3072
HMAC128, 256 & 384
Encoding SchemeISO-8859-1-
StructureJSON-
URL Checkingb-
Compatibilityc-
a CBC, OFB, CFB and GCM; b Norton safe web; c Supports QR codes generated by other apps.
Table 7. T-test Results for BarSec Droid vs. QR Droid Private.
Table 7. T-test Results for BarSec Droid vs. QR Droid Private.
Easy to UseTime SatisfactionSupport info
Satisfaction
Security
of App
Likely
to Use
Visually AppealingFlexibleRecommendedEffectivelyEfficiently
BarSec Droid4.2 ± 0.13.6 ± 0.23.0 ± 0.23.8 ± 0.24.0 ± 0.22.8 ± 0.23.4 ± 0.23.7 ± 0.23.5 ± 0.23.8 ± 0.2
[7]2.6 ± 0.23.7 ± 0.23.8 ± 0.22.4 ± 0.22.8 ± 0.13.6 ± 0.23.3 ± 0.23.1 ± 0.22.7 ± 0.23.2 ± 0.2
p-value0.0000.6470.0010.0000.0000.0220.8420.0140.0070.019

Share and Cite

MDPI and ACS Style

Wahsheh, H.A.M.; Luccio, F.L. Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions. Information 2020, 11, 217. https://doi.org/10.3390/info11040217

AMA Style

Wahsheh HAM, Luccio FL. Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions. Information. 2020; 11(4):217. https://doi.org/10.3390/info11040217

Chicago/Turabian Style

Wahsheh, Heider A. M., and Flaminia L. Luccio. 2020. "Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions" Information 11, no. 4: 217. https://doi.org/10.3390/info11040217

APA Style

Wahsheh, H. A. M., & Luccio, F. L. (2020). Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions. Information, 11(4), 217. https://doi.org/10.3390/info11040217

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop