Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions

: The widespread use of smartphones is boosting the market take-up of dedicated applications and among them, barcode scanning applications. Several barcodes scanners are available but show security and privacy weaknesses. In this paper, we provide a comprehensive security and privacy analysis of 100 barcode scanner applications. According to our analysis, there are some apps that provide security services including checking URLs and adopting cryptographic solutions, and other apps that guarantee user privacy by supporting least privilege permission lists. However, there are also apps that deceive the users by providing security and privacy protections that are weaker than what is claimed. We analyzed 100 barcode scanner applications and we categorized them based on the real security features they provide, or on their popularity. From the analysis, we extracted a set of recommendations that developers should follow in order to build usable, secure and privacy-friendly barcode scanning applications. Based on them, we also implemented BarSec Droid, a proof of concept Android application for barcode scanning. We then conducted a user experience test on our app and we compared it with DroidLa, the most popular/secure QR code reader app. The results show that our app has nice features, such as ease of use, provides security trust, is effective and efﬁcient.


Introduction
Barcodes are a universal technology that provides visual data representation using series of lines, squares or dots, organized in a standard way. The barcode image contains information that identifies and describes the object it is associated to. In order to extract the encoded data, the user needs a barcode scanner, i.e., an optical machine that has imaging and processing capabilities (a camera and a processor). The barcode scanners can be specific devices or smartphone reader applications, and they require a Line-of-Sight to capture the barcode image and retrieve the stored data [1].
Two dimensional (2D) barcodes are machine readable images that enhance many features of the traditional one dimensional (1D) barcodes, such as more data capacity and robustness, and so are suitable for industrial and economic purposes. They can be used in a simple and effective way to achieve communication between physical objects (such as paper-based surfaces), and the digital ones (e.g., smartphones) [2].
Quick Response (QR) codes are particular 2D barcodes that have spread dramatically over the last few years, and they are considered free, simple and effective tools capable to store up to 2953 bytes that can be retrieved quickly [3]. Recently, new types of QR codes have been proposed that have a beautified appearance and a higher capacity [4]. QR codes allow users to extract data in three main modes: online, offline or in a combination of modes. For example, users can use QR codes to connect to websites, to send emails or read SMS, to save contact numbers, find map coordinates, listen to audio, or watch videos, etc. [5].
Recent studies show that barcodes can be maliciously used to run different attacks such as: phishing, malware propagation, cross-site scripting (XSS), SQL/command injection and reader applications attacks (see, e.g., [6]). Several QR code reader applications claim to provide security and privacy characteristics. In our opinion, it is important to categorize, evaluate and discuss the feature of these applications. In this study, we thus analyse 100 barcode scanner applications from a security and privacy perspective. According to our analysis, there are some apps that provide security services including URL checking and cryptographic solutions. Other apps guarantee user privacy by adopting least privilege permission lists. However, there are also apps that deceive the users by providing security and privacy protections which are weaker than what is claimed. We also analyze the most popular downloaded apps, since being popular does not imply being secure. Based on that, we classify the apps into five groups: URL Security, Crypto-based security, Popular, Save privacy, Weak applications. We recommend a set of tips for developers to build usable, secure and privacy-friendly applications and we used them to implement BarSec Droid, a proof of concept Android application for barcode scanning. Finally, we have conducted different experiments to evaluate user experience on our app compared to DroidLa, the most popular/secure QR code reader [7]. The results show that applying the design tips will increase the user security trust, improve the user attitude towards applying security solutions, and increase the awareness of possible attacks. This paper is an extended version of [8].

Contributions
Our contributions can be summarized as follows: (i) we present the most comprehensive analysis of 100 barcode scanner applications from security and privacy perspectives; (ii) we categorize barcode scanner applications into five groups based on the security features they provide or on their popularity; (iii) we propose usability, security and privacy recommendations for the development of barcode scanners; (iv) we present BarSec Droid, a proof of concept QR code Android application that we have developed; (v) we present the results of a user experience test on BarSec Droid and on DroidLa the most popular/secure QR code reader, and we discuss the comparison results.

Related Work
In the literature, there are some works that analyze QR code scanner applications, however, they take into consideration only a very limited number of them. To the best of our knowledge, our work contains the most comprehensive analysis of security and usability features of QR code readers (we have studied 100 applications).
In [9], the authors investigate the security features of 31 Android QR code scanner apps, w.r.t. phishing and malware attacks. Twenty-three out of 31 apps ask user permission before visiting the encoded QR code URLs. Only two QR code scanners, Norton Snap and QR Pal, provide some security warnings but have very poor detection capabilities of link-based phishing and malware attacks. Therefore, the authors propose SafeQR app which employs two security APIs, Google safe browsing and Phishtank [10,11] to enhance the detection rate of malicious URLs. However, w.r.t. our work, the study of [9] does not discuss the usability and privacy properties, and does not provide solutions for other attacks such as, e.g., SQL and command injections.
The study of [12] focuses on QR code security, usability and privacy issues. The authors initially study the 12 most frequently used QR code reader applications for Android, iOSand Windows Phone, w.r.t. security protection and privacy violations. The results show the inefficiency of protection methods against malicious QR codes and the lack of privacy protection (sensitive data were sent to third parties). In the second part of the work, the authors assess user knowledge about QR code security by using an online questionnaire. The results show differences between users of different European countries, and also underline the need of security improvements in the QR code processing phase. Finally, the authors propose a set of design recommendations to improve usability and security of QR code scanners. The authors present a prototype that checks the online content and adopts digital signatures, and the results show the efficiency of the protection recommendations. W.r.t. to our work, the study of [12] analyzes only a small number of applications and does not consider the expected size or delay overhead of applying digital signature mechanisms.
The study of [13] focuses on 14 Android QR code scanners, explores their security proprieties, and shows limited capabilities and weaknesses of several apps from a protection point of view. In particular, some apps directly visit the URL encoded in the barcorde, neither validating it against threat databases, nor asking user's permission, thus putting users at a risk of being redirected to malicious websites. Only two apps, KasperSky [14] and G Data QR code [15] perform validation of the full URL, and only 8 out of 14 analyzed apps provide security features against phishing and malware attacks. Finally, the author gives some tips on how to enhance the protection of barcode readers, but, w.r.t. our work, does not analyze them from a usability perspective.

Paper Structure
The rest of this paper is organized as follows: Section 2 introduces our research methodology, while Section 3 presents QR code reader applications and categorize them based according to their properties. In Section 4, we evaluate all tested barcode reader applications in terms of granted permissions. In Section 5, we first illustrate our recommendations for the development of secure, usable and privacy-friendly QR code readers, and we then present BarSec Droid, our implemented reader application. Section 6 shows a user experience test on our app, and finally, in Section 7 we present the conclusion and future work.

Research Methodology
In this section, we present the research methodology that we used, and we emphasize the differences with our previous work [8]. Our methodology includes the following six main steps: 1. Application selection: We have searched inside Google Play Store for Android secure and privacy-friendly barcode reader applications and we have selected 100 of them. This extends the work of [8] were we only considered 28 apps. 2. Information gathering: We have extracted all the features and permissions from the app descriptions. 3. Application tests: We have installed the apps, evaluated them and compared their capabilities w.r.t. the app descriptions. 4. Application Categorization: According to the app features, we have divided them into five different groups, refining the categorization of [8]; 5. Recommendation proposal: We have listed guidance tips for developers to build secure and privacy-friendly barcode reader apps; 6. User security and usability awareness evaluation: We have conducted a user survey to evaluate the user experience. This survey extends the one of [8], as it was refined and the number of proposed questions was increased.

QR Code Readers
Exploring Google Play Store [16] for secure QR code readers lead to a selection of more than 100 apps. All these apps support the standard scanning service but some of them also claim to provide security features. According to [12] most barcode scanners apps are not able to protect users against the selection of malicious QR codes, or against privacy violations. In this study, we aim at studying barcode reader applications from security, privacy and usability perspectives. Our preliminary results in [8] showed that several apps, use weak security mechanisms, e.g., weak algorithms or short key lengths. Moreover, several apps do not follow standard structures or optimal encoding schemes.
Our proposed app, in Section 5 overcomes all these limitations.

URL Security Applications
Embedding barcodes with malicious links is one of the most common attacks that targets a user device. In this section, we presents QR code readers that provide security services on links, by checking the encoded online content. Multiple technologies can be used for detecting malicious URLs, e.g., Artificial Intelligence techniques, black and white lists, etc., however, in this context, we do not focus on the adopted technology but on the features provided by the readers.
G Data QR code reader [15] is a free Android application that checks the online content of a QR code, detects suspicious links, shows the complete URL and extends short ones, and blocks users from visiting unsafe URLs in their browser [13].
KasperSky QR Scanner [14] is a free app that checks QR code URLs against malicious Web pages. The app description does not provide any detail regarding the used protection methods, and the main limitation of the app is that it allows to directly visits links, detected as benign, without asking for user confirmation [13].
The Norton Snap QR code scanner [17] is another application that validates QR code URLs against Web attacks. This app alerts users for benign/malicious links, blocks malicious URLs, and retrieves the full encoded URL.
QR Code Scanner & Barcode Reader for CM Browser [25] is a lightweight QR code scanner based on the CM browser: it is the browser itself that provides security services, checks URLs, and blocks advertisements.
TeaCapps barcode scanner [32] checks URLs by employing Chrome Custom Tabs, which uses Google Safe Browsing technology [10].
G-Scan and G-tos scan barcode scanners [43,44] check URLs, alert users in case of malicious links and gets the full expanded URLs. Table 2 presents a comparison of barcode scanners that provide security by checking URLs embedded in QR codes. The main limitation of these apps is that URL-checking scanners works against online attacks, by detecting malicious/suspected Web pages, while other offline attacks such as SQL and command injections cannot be prevented. Moreover, some of these applications do not provide information about their URLs checking techniques, i.e., how they classify URLs into benign or malicious.

Crypto-Based Security Applications
Cryptographic mechanisms can be used to encrypt, sign and control the access to QR code content. Adopting data encryption provides confidentiality and access control for the encoded contents, so that only the authorized users (who have the decryption key) can retrieve the encoded data. Moreover, digital signatures can achieve authentication, integrity and non-repudiation. Recent studies also investigate the use of Visual Secret Sharing schemes for QR Code, to provide additional security mechanisms, e.g., to online transaction [114]. Choosing the suitable algorithm, key length and structure are discussed in multiple studies [6,115], but the key factor on barcode usability is the size overhead [116]. However, there are few applications that offer generating and reading cryptographic QR codes.
Madiff Net reader application [20] is free and available in several languages, such as: English, Vietnamese and Chinese. Madiff Net supports scanning and generating password-protected QR codes, in which the content is encrypted using a shared key between the generator and the barcode reader. The developer does not mention the used algorithm but keys are 6 bytes of length, and the ciphertext is a base 64 string. Since the algorithm is unknown, we cannot evaluate the strength of this app. In addition, Madiff Net uses a base 64 encoding scheme for bytes inside QR codes which causes size overhead.
QR Droid Private [7] is a free, well-designed interface, which provides scanning and QR code generation services. This app supports URL shortening, QR code sharing and content encryption. QR Droid Private adopts a weak encryption algorithm, i.e., Data Encryption Standard (DES) with breakable key size of 56 bits. It uses a keyword structure, in which the ciphertext is encoded in base 64. There are two versions, private and full. The private version needs few permissions to generate QR codes, while the full version needs more permissions.
Crypto Message [23] is a security application that supports an encryption service for encoding text messages inside QR codes. This application offers the creation of QR codes in the free version, while decoding requires the paid version. It adopts Advanced Encryption Standard (AES) with four modes that include: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Counter (CTR), and Output Feedback (OFB) modes. It uses key size of 128, 192 and 256 bits, and encodes ciphertexts as hexadecimal or base 64 strings. Finally, Crypto Message is not able to decode barcodes that are created by other applications.
The algorithm, the key size and the structure of EC QR [33,41,78,79,81,83] are not available and cannot be evaluated. However, the developers claim they support message encryption and other security features.
Observe that, all the above mentioned applications have some limitations: (1) They assume no standard method of encoding cryptographic data in QR codes, i.e., each application adopts its own structure. Thus, in order to decode a crypto-barcode, the user will need to use the same generating application, while, on the other hand, the study of [116] suggests the use of the standard JavaScript Object Notation (JSON) as a general structure to be used with crypto-QR codes. (2) Some of these applications use weak encryption algorithms such as: DES and AES-ECB. (3) These applications employ base 64 and hexadecimal strings to represent ciphertexts, which lead to size overhead.
The password-protected QR codes achieve confidentiality and access control, so that only authorized users who have the key (password) can decrypt and access contents. However, encrypting the contents is not the optimal mechanism to protect users who scan the QR code, since even encrypted data may include malicious URLs or offline attacks. Digital Signature can be useful to protect users, as it employs public-key cryptography, to validate authentication, integrity and non-repudiation of QR code contents [116]. Table 3 presents a summary of crypto-based QR code scanners and it includes the app developer, encryption, digital signature (DS), algorithm (Alg), key length (KL), encoding scheme (EncS), and structure (Str).
Note that, these applications offer a single access control mechanism, the encoded data may either be public (plain text) or private (ciphertext), thus they do not support QR codes that have an encryped part and a plaintext at the same time. Moreover, none of the applications support digital signature.

Popular Applications
In this section, we explore the most popular QR code scanner applications that have been downloaded by more than 1 million users (see Figure 1). Note that, popular apps may be included in the other groups, for example Norton Snap [17] and KasperSky [14] are included in the URL security group, as well as in the Popular applications group (see Table 1). The ZXing library [117] ("zebra crossing") is a Java source image processing library that is compatible with several 1D and 2D barcodes and used with various popular applications such as: ZXing Barcode Scanner [36], Barcode Scanner Pro (10M downloads) [37], and Barcode Scanner [39] (5M downloads).
ZXing Barcode Scanner [36] is one of the most popular downloaded applications, with more than 100 million users. It employs [117], shows the barcode format and offers extra information about embedded links such as: title and redirections.
Other applications that have nearly the same functionalities, and are able to read 1D and 2D barcodes are QR & Barcode Scanner by [35,38,45] that recorded more than 50M downloads. Moreover, free QR Scanners Bar Code Scanner & QR Code Reader [40,53] recorded 10M downloads. Private version of [7,31,80], recorded more than 5 M downloads.
Note that, being popular is not enough to be usable and secure. So we have investigated the popular applications also from security perspective. [14,17,49] belong to URL and popular groups, while [34,38,106] belong to popular and Save-Privacy groups. [7] belongs to Crypto and Popular, and [32] belongs to three groups, i.e., URL, Popular and Save-Privacy. Moreover, we have also evaluated all tested apps from privacy perspectives (see Tables 4 and 5).

Save-Privacy Applications
Using a barcode reader application involves asking for user permissions, a list of allowed services and resources that the app can use, e.g., contacts, media files, camera or microphone. Granting these permissions allows the app to facilitate the barcode usage, e.g., saving a phone number directly without copy and paste. However, giving permissions can be extremely dangerous, especially from a privacy perspective, as an attacker may access private data and may run an information leakage attack. The problem of correctly configuring systems so to protect the user privacy is a very challenging task in general and has been widely studied also in other contexts, e.g., to correctly configure TLS/SSL connections in mobile applications [118], or to configure products and systems in the software industry [119]. In this section, we will illustrate the available apps that adopt balanced permissions that meet the privacy requirements. In the context of QR codes, we need standard architectural choices for developers to build privacy-friendly applications, with minimal permissions include accessing the camera (to scan the barcode), and the network (if there is a need to check URLs). Table 4 shows the Save-Privacy apps with the least-privilege permissions. Permissions are: TeaCapps Scanner [28,32] are examples of apps that support checking QR code online contents, alongside with less permissions (camera and Internet). QR Scanner (Privacy Friendly) [26], Tokoware [85], Krow QR Code Reader [87], and Habib Khlifi QR Code Reader [108] are all QR code readers that only ask camera permission. If users are interested in privacy, these are the suitable application. They are safe and fully compatible with Android devices.
Tokoware [30], Lightning QR code Scanner [34,52,64,69,75,83,91,92,104,112] require access to the camera and to the network. Thus, all these applications are suitable for users who aim at protecting their privacy. Some other apps in Table 4 such as: [38,58,71,73,77,99,106] also ask for Wifi permission that should not violate the user privacy.

Weak Applications
In this section, we present apps that try to deceive the users by claiming strong security-privacy features, without providing any real protection. These apps employ misleading terms such as data encryption and decryption, while they do not provide real cryptographic mechanisms (False encryption) and refer to these terms to indicate data encoding and decoding in QR codes such as: [102,103,109]. Here it is important to mention that data encoding means representing data in QR code modules, where any QR code scanner can retrieve (decode) the contents directly without any specific key (see part (a) in Figure 2). On the other hand, data encryption means transforming data (plaintext) into an encrypted message (ciphertext), that only authorized users who have secret key can decrypt (see part (b) in Figure 2). Moreover, some apps' descriptions indicate security and privacy features, while testing them shows that they do not really provide the claimed features such as [51,63,80,101,105,107,110,111]. Other apps claim they are privacy-friendly but ask for potential permissions that can be used in information leakage attacks, such as: [29,31,35,42,[46][47][48]50,[54][55][56][57][59][60][61][62][65][66][67][68]70,74,76,84,[88][89][90][93][94][95][96][97][98]100,113]. More details will be given in the next section.

Permissions and Privacy Evaluation
Reviews on barcode applications generally show dissatisfaction when applications require unneeded permissions. As an example, we cite a user review of [35] application. A user wrote: "Why do you now need access to my location, photos, media and files? It worked perfectly in the past without these permissions and I see no reason to have them". This comment shows how limiting permissions can be an important feature.
For this reason, we have decided to evaluate all the tested barcode reader applications in terms of granted permissions. Table 5 shows the requested permissions for all our 100 tested applications excluding the apps that we already analyzed in Table 4. These permissions include getting access to:

Secure and Usable Barcode Reader Applications
In this section we first discuss possible design recommendation to develop secure and usable barcode reader applications, and we then present BarSec Droid, a new application that follows this guidelines and has good user feedbacks.

Design Recommendation
Based on our assessment for the existing 100 barcode scanners, on limits and drawbacks previously mentioned, and based on suggestions proposed in other works [116,120] we recommend the following guidelines to develop secure, usable, and privacy-friendly barcode reader applications:

The BarSec Droid Application
According to the recommendations presented in Section 5.1, we have developed two applications: the BarSec desktop application and the BarSec Droid Android application (Available at: https:// apkpure.com/it/barsec-droid/barcode_security.heider.bsr). These applications adopt symmetric and asymmetric cryptographic mechanisms to generate and read secure and usable barcodes, and make use of the ZXing library [117]. Figure 3 presents the BarSec Droid Android application.
The barcode generator is available only in the BarSec desktop application, and generates barcodes using the JSON structure, as proposed in [116]. It offers various security features that include: barcodes authentication, data integrity, access control, and confidentiality. It provides usability warning messages based on the usability guide presented in [121] and can be used for both generating and reading QR codes.
Both the BarSec Droid Android application and the BarSec desktop application support different digital signature algorithms i.e., RSA and Elliptic Curve Digital Signature Algorithm (ECDSA) with several key lengths, and use SHA-256 as hash function (see Figure 3). They support hash-based message authentication code (HMAC) with different key lengths. In addition, they use Advanced Encryption Standard (AES) with four modes; Cipher Block Chaining (CBC), Output Feedback (OFB), Cipher Feedback (CFB) and Galois/Counter Mode (GCM). These mechanisms have been studied in detail to meet the usability issues presented in [121]. We have also implemented Access Control Lists (ACLs) that allow the generator to have multiple layers of data; i.e., multiple users who have controlled access to data.

Example 1.
As an example of use assume we have a QR code with the ACL that include these tags: public, student and teacher, where:

•
Public tag: contains plain text data; • Student tag: contains a ciphertext that is encrypted with the student key.

•
Teacher tag: contains a ciphertext that is encrypted with the teacher key.
Each tag has authorized users who can access its contents, e.g., a student can read the public tag, and the student tag but not the teacher tag (since students do not have the teacher key). Table 6 summarizes the features of the BarSec Droid application. It uses the JSON structure, and it supports barcodes generated by the BarSec Droid Desktop application, and also barcodes that contain Access Control Lists (ACLs). It can read standard QR codes that do not include cryptographic data and that do not follow specific structures. It checks full URLs contained inside barcodes, and checks their online content using Norton Safe Web service [122].

Experimental Results
We have conducted a user survey to get the user reactions about the BarSec Droid usage, and the level of trust for the provided security information. In order to compare the results with other security apps, we have chosen the most popular and secure QR code reader, i.e., QR Droid Private [7] that belongs to the popular and Crypto-based protection group. We followed the recommended sample size in [123] and conducted a survey with the help of 30 users who were undergraduate students from different colleges. They were asked to scan ten QR codes for each reader. Then, the users completed a survey that was built following the lines of three very popular usability surveys [124][125][126] and a usability survey on secure mobile applications [127]. Our survey includes the following ten points:

•
Overall, I am satisfied with the ease of completing the tasks.

•
Overall, I am satisfied with the amount of time it took to complete the tasks.

•
Overall, I am satisfied with the support information (warnings and details messages).

•
It is flexible? • I would recommend it to a friend. • I can effectively complete the tasks using this application. • I am able to efficiently complete the tasks using this application.

•
How much do you trust the security information in the application? • Overall, I would like to use the application.

•
Is the application visually appealing?
Each point had a five-point scale answer, described as: (1: very unsatisfied to 5: very satisfied). We have followed the answers evaluation method used on [127] by using paired t-test, which is a standard statistical method that compares the mean values of two groups. Paired t-test was used because the survey asked the user to evaluate 2 apps at a time. Table 7 shows the Means (the value before ±), Mean Standard Error ((MSE), the value after ±), and p-value results from participants' feedback for BarSec Droid and QR Droid Private. Note that, in the t-test, when the p-value is less than 0.05, there is a statistically significant difference between two groups [128], and in this case the mean value is marked in bold in the table. According to Table 7, BarSec Droid recorded better answers for easiness of use, security trust, being likely to use, recommended app, effectively and efficiently. On the other hand, QR Droid Private recorded a higher level of support information satisfaction and visually appealing, which reflects the application excellent design and options such as supporting multiple (29) languages. The results of the time of tasks and the flexibility recorded converged values, which reflects that BarSec Droid and QR Droid Private have acceptable time delay and flexible capabilities according to the user feedback.

Conclusions
This paper presents the most comprehensive evaluation for 100 barcode reader applications from a point of view of security and privacy issues. We have categorized these apps according to their features into five groups: URL security, Crypto-based security, Popular, Weak and, Save-privacy applications. Based on our analysis, we have proposed recommendations towards developing usable, secure and privacy-friendly applications and implemented BarSec Droid, a proof of concept Android app that follows our recommendations. Moreover, we have conducted user experiments to assess user experience on our app, compared to the most popular/secure QR code reader app. The results show that applying the design recommendations will increase the user security trust, ease of use alongside with the efficacy and effectiveness of scanning barcodes. As a future work, we plan to extend our analysis to cover more applications i.e., iOS and Windows phone apps. In addition, we plan to evaluate the available security mechanisms of QR code online contents such as: Google safe browsing and Norton Safe Web.