Secure and usable QR codes

Abstract

Barcode is a universal technology that provides visual data representation using series of horizontal lines (1D), or matrix of squares and dots (2D), organized in a specific standard way. Barcodes are represented as images that can store data with various data types and sizes, used to identify the object that carries the barcode. In the literature, there is no standard mechanism for providing authenticity and confidentiality of the barcode content. Attacks such as the malicious links encoding are realistic and feasible in practice.

In this work, we present a comparative study of 2D barcodes’ threats and the available protection mechanisms. We highlight the limitations of these mechanisms, and explore their security capabilities. Moreover, we suggest practical solutions based on the recommendations from the European Union Agency for Network and Information Security (ENISA).

For what concerns usability, we present the first systematic study of usable cryptographic primitives inside QR codes. We have performed extensive experiments to analyze the factors that affect the barcodes usability, by developing a barcode reader application that collects the users’ feedback. We have analyzed scanning time, data size, image size and users’ feedback. Based on ISO 9241, we have defined Barcode Usability Score (BarScore) an observable and quantifiable value that represents the overall usability, by calculating the average of effectiveness, efficiency and satisfaction. We have built a barcode usability guidance for recommended image and data sizes under different usability levels. Then, we have implemented a systematic secure/usable QR code generator and compared the digital signature and encryption mechanisms based on usability and security. The obtained results show that QR codes can support powerful, usable and secure solutions.

Finally, we present a comprehensive review of barcode reader applications by analyzing their properties. We categorize these apps into four groups; URLs security, Crypto-based security, Save-privacy and Other popular applications. We also highlight their weaknesses and present design recommendations for usable, secure and privacy-guaranteed scanner applications. We have developed a proof-of-concept Android reader app that follows our recommendations, and performed a user usability and security survey. The results show that when following the design tips, user’s security awareness and usability increase.