Quishing Prevention: How Can Developers Create Secure QR Scanning Apps?
Written by Austin Dease   
Friday, 12 January 2024

Quishing, the use of QR codes to deliver malware to a victim’s device, is on the rise. Besides introducing awareness training, developers can prevent quishing with strong encryption, security warnings, digital signatures, and support for varied kinds of barcodes.


Reports from September 2023 show a 51% increase in such incidents compared to the prior months (January to August). When quishing security is discussed, the measures usually involve phishing awareness training or specialized tools that businesses can implement to protect their assets from hacking. However, a lot can be done in the early stages of app development to help prevent quishing incidents.

Security Measures For Safe QR Scanning Applications

In 2020, researchers analyzed 100 QR code applications. They evaluated them through the lens of security and privacy. Based on their findings, they listed 10 suggestions for developers who want to create QR-scanning apps with cybersecurity in mind. According to the researchers, these tactics should increase user trust in the application and make it safer without compromising the user experience or performance of the app.

#1 Support Versatile Barcode Types

To suit different users and contexts, developers have to allow the use of several barcode types within the app. For example, this might include QR codes, Data Matrix, and UPC. This indirectly leads to a safer experience for users because it prevents limitations in barcode decoding, increases compatibility, and widens the scope of an app.

#2 Show Barcode Format Before Decoding

Displaying the barcode's format before decoding it prevents the wrong type of barcode from being interpreted. A preview lets users verify that the code matches their expectations. For example, some barcode formats can conceal executable commands or URLs leading to malicious sites. This measure prevents errors in barcode decoding and makes scanning more accurate, because there is less chance of a misinterpreted or misread code.

#3 Implement URL Checking for Harmful Links

Triple-checking URLs embedded in barcodes is a necessary security feature to detect malicious links. Analyze them to confirm that the web addresses are safe and legitimate. As a result, URL checking prevents users from installing malware on their devices or accessing harmful content or sites designed to steal their personal or sensitive data.

#4 Add Security Notifications

Users can’t recognize malicious QR codes or sites on their own. Make sure they receive a warning not to access potentially damaging sources before those sources result in illicit access or installed malware. One such type of notification is a browser alert, which helps users recognize potentially malicious sites. Security warnings help users make more informed decisions as they use your app.
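The URL checking from #3 and the security notification from #4 fit together naturally: the scanner vets the decoded link and, if anything looks wrong, builds the warning the user sees before the link is opened. The following is an added example, not code from the article or from the 2020 study it cites. The blocklist and shortener list are constructed sample values; a real app would load them from a maintained reputation feed. The function names (`check_url`, `warning_text`) and the specific heuristics chosen are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample lists for this example only. A real app would fetch
# these from a maintained threat-intelligence or reputation service.
BLOCKLISTED_DOMAINS = {"malicious.example", "phish.example"}
KNOWN_SHORTENERS = {"short.example", "tiny.example"}
ALLOWED_SCHEMES = {"http", "https"}


@dataclass
class UrlVerdict:
    url: str
    safe: bool
    reasons: List[str] = field(default_factory=list)


def _host_matches(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_url(raw: str) -> UrlVerdict:
    """Vet a URL decoded from a barcode. Collects every concern found rather
    than stopping at the first, so the warning can list all of them."""
    reasons = []
    parts = urlsplit(raw.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ALLOWED_SCHEMES:
        reasons.append(f"scheme '{scheme or '(none)'}' is not http/https")
    if parts.username or parts.password:
        reasons.append("URL embeds credentials (user@host), often used to disguise the real host")
    if not host:
        reasons.append("no host present")
    else:
        try:
            ipaddress.ip_address(host)
            reasons.append("host is a raw IP address instead of a domain name")
        except ValueError:
            pass  # normal case: a domain name, not an IP literal
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("host uses punycode (possible look-alike domain)")
        if _host_matches(host, BLOCKLISTED_DOMAINS):
            reasons.append("host is on the blocklist")
        if _host_matches(host, KNOWN_SHORTENERS):
            reasons.append("host is a URL shortener; the destination is hidden")
    if len(raw) > 2048:
        reasons.append("URL is unusually long")
    return UrlVerdict(raw, not reasons, reasons)


def warning_text(verdict: UrlVerdict) -> Optional[str]:
    """Security notification shown before the app opens the link.
    Returns None when there is nothing to warn about."""
    if verdict.safe:
        return None
    bullets = "\n".join(f" - {r}" for r in verdict.reasons)
    return (f"This QR code points to {verdict.url}\n"
            f"We found the following concerns:\n{bullets}\n"
            f"Open anyway?")
```

The verdict collects reasons instead of a single boolean so that the notification can explain itself; a bare "unsafe" prompt trains users to click through. Note that the checks here are structural; they do not replace a reputation lookup, which is what the page's "triple-checking" ultimately relies on.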

#5 Implement Strong Encryption

Use strong encryption for barcode content to keep information safe and to form another layer of cybersecurity protection. Security-wise, this is important for setting up access controls — not granting entrance to anyone who doesn’t have decryption keys. Privacy-wise, this is integral for keeping the user’s sensitive data confidential. Considering that barcodes are continually shared across networks, it’s integral that the shared data is unreadable in case it gets intercepted and falls into the wrong hands.

#6 Apply Digital Signatures

Reliable digital signature services are necessary for verifying the barcode generator. A signature authenticates the source of the code and validates its origin — confirming that the person or entity that created the code can be trusted. At the end of scanning, it ensures non-repudiation of the data, makes certain that the information within the barcode is trustworthy, and also confirms that the source is legitimate.
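To make #6 concrete, here is an added example (not code from the article or from any QR library) of a signed barcode envelope: the generator wraps its content and an issuer name in a signed token, and the scanner refuses to use the content unless the signature verifies. Everything in it is assumed: the `SQR1.` envelope format, the function names, and the demo key. It uses HMAC-SHA256 from the standard library as a stand-in so the example runs offline; a real deployment would use an asymmetric signature (for example Ed25519) so that scanners hold only a public key and cannot forge codes themselves.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key for this example only. With an asymmetric scheme the
# scanner would ship the generator's public key instead of a shared secret.
GENERATOR_KEY = b"demo-key-do-not-use-in-production"


def _b64e(data: bytes) -> str:
    """URL-safe base64 without padding, so the token stays barcode-friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def make_signed_payload(content: str, issuer: str, key: bytes = GENERATOR_KEY) -> str:
    """Generator side. Envelope format (assumed): SQR1.<base64 body>.<base64 sig>
    where body is JSON {"iss": issuer, "c": content}."""
    body = _b64e(json.dumps({"iss": issuer, "c": content},
                            separators=(",", ":")).encode("utf-8"))
    sig = _b64e(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"SQR1.{body}.{sig}"


def verify_signed_payload(payload: str, key: bytes = GENERATOR_KEY) -> Optional[dict]:
    """Scanner side. Returns {"issuer", "content"} only if the signature
    verifies; returns None for anything malformed, unsigned or tampered with.
    The body is not even parsed until the signature has been checked."""
    parts = payload.split(".")
    if len(parts) != 3 or parts[0] != "SQR1":
        return None
    _, body, sig = parts
    try:
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        data = json.loads(_b64d(body))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(data, dict) or "iss" not in data or "c" not in data:
        return None
    return {"issuer": data["iss"], "content": data["c"]}
```

Two design points carry over to the asymmetric version: compare signatures with a constant-time function, and verify before parsing, so that untrusted bytes never reach the JSON decoder or the rest of the app. Encryption of the content (#5) is a separate layer and is not shown here; signing proves who generated the code, encryption keeps its contents confidential in transit.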

#7 Enforce Least Privilege Permissions

Limit permissions to only those functionalities that are essential for the app — such as access to the camera and internet usage. Implement least privilege permissions. For example, camera permissions should be limited to scanning barcodes and internet access for URL verification only. This aspect is important for the privacy of users who have the app on their devices. They should know that your app doesn't access their private files.

#8 Make an Intuitive Interface

Not all users are tech-savvy. Make sure that your interface is simple to use and that it features only basic functionality. Simplicity is important for security because it minimizes the chance that users will make errors that will lead to their devices being compromised.

#9 Block Code Execution

To prevent unauthorized activity, block the execution of any encoded code or commands on the user’s device. This protects against barcode content that, if run, would start malicious scripts or malware on user machines. Executed content can lead to exploits such as:

  • Injection attacks

  • Remote code execution

  • Malware attacks

  • Unauthorized access
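The practical form of #9 is that decoded barcode text is only ever turned into inert, typed data that the user interface can display and offer actions for; nothing in the scanner evaluates it, passes it to a shell, or hands it to the OS as a command. The following is an added example (not from the article or any scanner library) of such a classifier. The `ScanResult` type, the function names and the set of recognised prefixes are assumptions for the example; the prefix conventions themselves (`WIFI:`, `TEL:`, `SMSTO:`, `MAILTO:`) are common QR payload conventions. URL vetting is a separate step and is not repeated here.

```python
import re
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class ScanResult:
    kind: str               # "url", "wifi", "tel", "sms", "mailto" or "text"
    fields: Dict[str, str]  # parsed parts; plain strings, never executed


# Only http(s) counts as a link. javascript:, file:, intent: and the like
# deliberately fall through to plain text.
_URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def classify_payload(decoded: str) -> ScanResult:
    """Turn decoded barcode text into a typed, inert ScanResult.
    This function has no side effects: it does not open, evaluate or run
    anything. The UI decides what actions to offer for each kind."""
    text = decoded.strip()
    upper = text.upper()

    if _URL_RE.match(text):
        return ScanResult("url", {"url": text})

    if upper.startswith("WIFI:"):
        # WIFI:T:WPA;S:<ssid>;P:<password>;;  -> key:value pairs split on ';'
        # (escaped ';' inside values is not handled in this example)
        fields = {}
        for item in text[5:].split(";"):
            if ":" in item:
                key, value = item.split(":", 1)
                fields[key.upper()] = value
        return ScanResult("wifi", fields)

    if upper.startswith("TEL:"):
        return ScanResult("tel", {"number": text[4:]})

    if upper.startswith("SMSTO:"):
        number, _, body = text[6:].partition(":")
        return ScanResult("sms", {"number": number, "body": body})

    if upper.startswith("MAILTO:"):
        return ScanResult("mailto", {"address": text[7:]})

    # Anything unrecognised, including command-like or script-like strings,
    # is surfaced as text for the user to read and is never acted upon.
    return ScanResult("text", {"text": text})


def preview(result: ScanResult) -> str:
    """One-line description shown to the user before any action is offered
    (the 'show before acting' idea from #2 and #4, applied to the content)."""
    f = result.fields
    if result.kind == "url":
        return f"Link: {f['url']}"
    if result.kind == "wifi":
        return f"Wi-Fi network: {f.get('S', '?')} ({f.get('T', 'open')})"
    if result.kind == "tel":
        return f"Phone number: {f['number']}"
    if result.kind == "sms":
        return f"SMS to {f['number']}: {f['body']}"
    if result.kind == "mailto":
        return f"E-mail address: {f['address']}"
    return f"Text: {f['text']}"
```

The key property is the default branch: the classifier has a closed list of kinds it understands, and everything else becomes text. A scanner that instead tries to be helpful with unknown schemes (handing them to the platform to "open") is exactly the behaviour the four exploit classes above depend on.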

#10 Draft Additional Resources

Awareness training is the common method to prevent phishing. Create guidelines that teach users how to safely use your app and reduce the chance of scanning malicious QR codes. Different tutorials and manuals can help them recognize the signs of quishing or detect other security pitfalls. It can also help them understand how hackers misuse apps such as yours.

Collaborating With Security Professionals to Prevent Quishing

Best security practices are often hyper-focused on how users can be careful when scanning codes in their inbox, or on precautions they can take when opening QR code-based menus in restaurants. The suggestions here focus instead on designing QR code applications with exploits such as quishing in mind. They remind us why it’s important that developers and security experts collaborate in the early stages of app development, and why it matters that developers think like security professionals. More often than not, these two roles are isolated — meaning security comes later, as an afterthought, sometimes at the point when users have already installed the QR scanning app on their phones.

