Secure QR scans with the SEQR App — Draft
Dhiway’s SEQR App — a security focused quick and easy QR Code scanner is now available on Google Play and App Store. The SEQR app is designed to reveal what is behind the QR and helps you conduct transactions with absolute certainty. The app alerts you to suspicious content & flagged websites to ensure your transaction’s safety and security. The app is free to download and use.
Feature set
SEQR features a fast and accurate QR Code scanner which analyses decoded content in near real time. The app strives to keep you safe by bubbling up security features & risks of the QR Codes you scan. This is done by running a number of security checks on the decoded content. The app flags malware, phishing links, incorrectly configured websites.
For the content determined to be safe and valid, it provides a 1-step action to use payment, website, advertisements, products, contact, business cards, telephone, SMS, email, calendar, location maps, restaurant menus and more.
The app has been designed from the ground up to be privacy friendly. A searchable activity log, which stores “scan history” along with basic metadata locally is a very useful tool for reviewing QR scans made in the past.
Bridging a gap
A previous post discussed how most of us conduct transactions after scanning QR codes, without paying much attention to the safety of the QR code content. An indicative survey backed by anecdotal evidence suggests that the empirical facts are indeed true.
Among current Human-Computer Interface trends, QR code scans are somewhat unique, in that the content wrapped in the QR codes are mostly consumed as actions by web browsers and other applications. The user experience tuned to minimize transaction time and focus on completion of workflows, ensures that most of us do not pay much attention to the QR code content.
According to several academic and industry studies, security attacks leveraging QR codes as the attack vector are highly prevalent.
“In September 2011, Kaspersky Lab detected a first-of-its-kind malicious QR code. The attack method used in the QR code was that when a user scans the code he is directed towards a website and then a malicious file downloads in the user’s device without the knowledge of the user.” [1]
This is compounded by the possibilities of damage such malware can unleash on unsuspecting users.
“the maximum binary data that a QR code can hold is roughly 2.9KB. The infamous Slammer worm that destroyed millions of computers in the year 2003 was just 376 bytes in size.” [2]
The havoc such an exploit could create is a nightmarish scenario, especially when there is no clear way of differentiating malicious payloads from clean ones. Every QR code, be it payments related, advertisements, webinar posts will be suspect; resulting in the usefulness of QR codes coming into question.
The biggest lacunae, so far, in the QR code scanner ecosystem, has been called out here -
“that most QR code readers do not provide feasible tools to auto- matically detect attacks and to minimize the impact on the user’s privacy and security. “[3]
The paragraphs below which bring out missing functionalities in most of the existing QR code readers, are a recurring theme across academic studies.
Content Preprocessing. In case of shortened URLs or redirects, simply displaying the encoded content does not provide enough information for the user to deter- mine whether the encoded content is malicious or benign … Therefore we emphasize the need for usable content preprocessing tools. Short- ened URLs e.g. could be executed in the background in order to display the final URL to the user.
Anti-Phishing Tools. As discussed in Section 3, one of the major problems of manipulated QR codes is phishing. Zhang et al. … evaluated different Anti- Phishing solutions that can be further used in QR code reader software. In context of usability it is important that the verification process is transparent to the user. However similar to SSL [5,38,43] the main challenge is to properly inform the user about an incident... [3]
Dhiway’s SEQR app addresses this gap among the available QR code scanners. By lifting the veil over the QR code and analyzing by passing the decoded content through numerous security filters, the SEQR app finally puts control back in the hands of the user, without compromising on the speed and ease of use of QR codes.
Expect more enhancements in the near future, that makes you a better informed user of QR codes.
Why are we doing this?
Dhiway’s objective is to “build trust ecosystems connected to real world events”. The free SEQR app is the first of its initiatives to develop information exchanges that promote secure & trusted transactions.
While the SEQR app covers a very wide gap that currently exists in the QR reader ecosystem, there are other obvious hard problems that could throw a spanner in the way consumers and businesses use QR codes.
With several governments across the world mandating the usage of QR codes to build automated governance tools and bring in wider transparency, the concerns around QR code security are bound to increase significantly.
At Dhiway, we’re building systems and tools for enterprises to deploy, manage and monitor QR codes in their businesses.
We’ll be right back. In the meantime, please do send us your feedback about the SEQR app.
References
[1] http://www.ijcst.org/Volume3/Issue7/p13_3_7.pdf
[2]https://www.academia.edu/1864785/A_Study_of_Malicious_QR_Codes
[3]https://ioactive.com/wp-content/uploads/2012/05/QR_Code_Security.pdf
