Reputation: 10076
All, I'm going to use a QR code from the following URL: http://qrcode.kaywa.com/
I want to use the URL option so when someone scans it they are sent to the URL that I specified on the code. I want to have something like the following URL: http://www.website.com/web-page/?type=uplights&action=checkout
Based on the variables in the URL I want to allow my user to insert some data.
Is there a way to secure this so that I know a user got to this URL from scanning the QR code instead of just typing that information into the URL?
Thanks!
Upvotes: 2
Views: 2224
Reputation: 46788
Short Answer: Not directly. QR codes were not designed to keep content stored within them secret. Someone could use a QR reader to scan your URL, store it and keep using it over and over again, without actually scanning it again.
One way we used to circumvent this issue was to encrypt our URL such that our own application (based on ZXing) would be the only one capable of reading our QR code. It then sends the actual request with a nonce over a secure channel such that a replay attack would also be rendered useless (in case someone was sniffing outbound connections). All other readers see the encrypted URL, which isn't of any use.
Other than that, there isn't another way of ensuring the user actually does scan your QR and doesn't type it out/paste it in.
The way we implemented this:
We stored the URL as http://www.website.com/app.php?<encrypted_string>. If someone read our URL with a different QR decoder, they would be taken to our app.php page, which urged them to read the QR using our application.
Our app itself, on encountering that URL, stripped off the encrypted query-string, decrypted it, and formed its own request to the right page. In PHP, you could execute that request at the server-end itself, so it is never visible to the user. You could use mcrypt as detailed here for encryption.
Upvotes: 5
Reputation: 70183
You can add a secret-ish parameter to the URL and not publish the URL with that parameter. But basically, no, you still won't know if someone didn't just type in that URL. (For example, I may have used the QR code, then cut and paste the URL in an email to a friend, and that friend may have typed it in.) But you'll know that they probably didn't just type it in.
QR codes are just easily reversible encodings for text. There's no magic there. So there are things you can do to make it less likely that someone typed in the URL, but you can never be certain.
Upvotes: 4
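An added example, not code from either answer: it combines the second answer's unpublished secret parameter with the first answer's replay protection, using an HMAC signature and a single-use id in place of encryption. The names `SECRET`, `sign_params`, `issue_url` and `redeem` are hypothetical, and it assumes each printed code is issued to one recipient.

```php
<?php
// Added example; SECRET, sign_params(), issue_url() and redeem() are hypothetical names.
const SECRET = 'constructed-sample-key-load-the-real-one-from-config';

// HMAC over a canonical (key-sorted) encoding of the parameters.
function sign_params(array $params): string {
    ksort($params);
    return hash_hmac('sha256', http_build_query($params), SECRET);
}

// Build the URL to encode in one QR code. Each code gets its own random id.
function issue_url(string $base, array $params, int $ttl, int $now): string {
    $params['id']  = bin2hex(random_bytes(16));
    $params['exp'] = (string)($now + $ttl);
    $params['sig'] = sign_params($params);
    return $base . '?' . http_build_query($params);
}

// Validate a request's query parameters. $used stands in for a database table
// of redeemed ids; a real store needs an atomic insert (unique constraint).
function redeem(array $query, array &$used, int $now): string {
    $sig = $query['sig'] ?? '';
    unset($query['sig']);
    if (!is_string($sig) || !hash_equals(sign_params($query), $sig)) {
        return 'rejected: bad signature';   // typed-in or altered parameters
    }
    if ((int)$query['exp'] < $now) {
        return 'rejected: expired';
    }
    if (isset($used[$query['id']])) {
        return 'rejected: already used';    // replay of a stored or forwarded URL
    }
    $used[$query['id']] = true;
    return 'accepted';
}

// Constructed demonstration using the URL from the question.
$now  = 1700000000;
$used = [];
$url  = issue_url('http://www.website.com/web-page/',
                  ['type' => 'uplights', 'action' => 'checkout'], 3600, $now);
parse_str(parse_url($url, PHP_URL_QUERY), $scanned);

echo redeem(['type' => 'uplights', 'action' => 'checkout'], $used, $now), "\n"; // typed by hand
echo redeem(['type' => 'other'] + $scanned, $used, $now), "\n";                 // parameter changed
echo redeem($scanned, $used, $now), "\n";                                       // first redemption
echo redeem($scanned, $used, $now), "\n";                                       // same URL again
```

A URL copied out of a scanner still validates on its first use, so this limits reuse and guessing without proving that a scan took place.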