QR codes: Finding the balance between user experience and security

Quick response (QR) codes are rising in popularity and use worldwide because they make life easier in a touchless world. QR codes are now regularly used at restaurants, retailers, doctor's offices, ATMs, gas stations, airports, and even hiking trails. They are plastered on menus, display ads, financial statements, consumer packages, trail signs, etc.

From a consumer perspective, it's straightforward to grab your mobile device, scan a QR code, and then do whatever that QR code wants your device to do. For example, if you're at a restaurant, you might scan a QR code to see the menu. Or at the end of your meal, you might scan a QR code to pay your bill.

Why should organizations care about their employees scanning QR codes at restaurants and other locations? A QR code is simply encoded data, most often a URL, that the scanning app acts on immediately: it can open a web page, launch an application through a deep link, start an app-store install, join a Wi-Fi network, or initiate a payment. And a QR code is not human readable, so the user has no way to see where it points before scanning it. Replacing or altering a QR code so that it points to an attacker-controlled resource is therefore cheap, simple, and very hard for the victim to detect.

In iOS 14, one of Apple's coolest and most convenient innovations is the introduction of App Clips (similar to Google's Android Instant Apps). App Clips and Instant Apps are mini apps under 10MB in size that can begin running on the device without being installed. All you do is scan a QR code or NFC tag with your smartphone, and the mini app starts instantly; you log in with Sign in with Apple or Google, pay through Apple Pay or Google Pay, and hurry off to whatever you're doing.

For security professionals, the very idea of running something without installation sounds a little suspicious to begin with. Security professionals recommend doing the essential diligence before installing anything, such as researching the developer's reputation, reading user reviews, and scanning the downloaded file with antivirus software. App Clips and Instant Apps trade all of that for speed and convenience. They are amazing innovations that make our lives significantly more convenient, but keep in mind that new app launch mechanisms have been implemented to bypass the conventional installation procedure for these apps to work, and cybercriminals could exploit flaws in those mechanisms. For example, security researcher RonnyXing's 2019 article on practical ways to attack Instant Apps highlights these potential vulnerabilities. RonnyXing demonstrates that Instant Apps are vulnerable to information leakage, identity theft, and account hijacking, and according to the report, up to 60% of Android devices are predisposed to this type of attack.

And the more prevalent QR codes become in our lives, and the more accustomed we become to interacting with them, the easier it becomes for hackers to cause damage. For example, think about when you go to a restaurant and see that magic QR code placed on or taped to your table. How do you know it is the legitimate QR code the restaurant wants you to scan and not a malicious QR code that a hacker just put there?

A hacker could easily have replaced the legitimate QR code on the table with a malicious one, or simply stuck a new sticker over it. Instead of taking you to a menu, the malicious QR code might ask you to download an application after you scan it. And you are probably going to download the app, because you've done that before many times. Before you know it, you've got a leaky or malicious app on your device that is collecting significant amounts of personal data, and on a device that also holds corporate email and credentials, that data can in turn be used to target corporate networks.

Or the QR code might take you to a phishing site. This is the simplest way to weaponize a QR code, because it needs no malware at all, only a URL. Continuing with the restaurant scenario, scanning the QR code on your table might take you to a fake landing page that looks like the restaurant's website. The page might ask for your username, password, and credit card number, and it might even include a note explaining that this information is necessary to automate the entire ordering process, from viewing the menu to placing your order to completing payment. If you enter this information, the hackers have your credentials and more. The 2020 Twitter hack is a perfect example of how easy it is for hackers to spoof a login page convincingly enough to fool even employees of a technology company.
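The practical defence against the replaced-sticker and phishing-page scenarios above is to treat the decoded payload as untrusted input and triage it before the device acts on it. The following Python routine is an added example for this page, not MobileIron's code or anything from the original post. It starts from the string a QR scanner has already decoded (camera capture and decoding are out of scope) and flags the payload shapes discussed above: non-browser schemes that trigger installs, dialers or Wi-Fi joins, shorteners that hide the destination, raw IP hosts, punycode lookalikes, credentials embedded before an `@`, and hosts that borrow the venue's name without being its domain. The venue domain `example-bistro.com`, the shortener list and the sample payloads are constructed for illustration; a real deployment would take the expected domain from policy.

```python
"""Triage decoded QR payloads before a device acts on them.

Added example, not MobileIron's code. Assumes the scanner app hands us the
decoded string; the venue domain and sample payloads below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed policy values for the example.
EXPECTED_DOMAINS = {"example-bistro.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
# Schemes that leave the browser and trigger an installer, dialer or app store.
ACTION_SCHEMES = {"intent", "market", "itms-apps", "itms-services",
                  "tel", "sms", "smsto", "mailto", "javascript", "file"}


def _host_matches(host, domains):
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_qr_payload(payload, expected_domains=EXPECTED_DOMAINS):
    """Return (verdict, findings) for one decoded QR payload.

    verdict is 'allow', 'warn' or 'block'; findings is a list of
    (severity, message) tuples with severity 'high' or 'low'.
    """
    findings = []
    text = payload.strip()
    low = text.lower()

    # Structured non-URL payloads that a scanner app may act on directly.
    if low.startswith("wifi:"):
        findings.append(("high", "WIFI: payload joins an attacker-chosen network"))
    elif low.startswith(("begin:vcard", "mecard:")):
        findings.append(("low", "contact card: review before saving"))
    else:
        parts = urlsplit(text)
        scheme = parts.scheme.lower()
        if not scheme:
            findings.append(("low", "no URL scheme: treat as plain text, not a link"))
        elif scheme in ACTION_SCHEMES:
            findings.append(("high", f"'{scheme}:' triggers a non-browser action"))
        elif scheme not in ("http", "https"):
            findings.append(("high", f"unexpected scheme '{scheme}:'"))
        else:
            host = (parts.hostname or "").rstrip(".")
            if parts.username is not None or parts.password is not None:
                findings.append(("high", "userinfo before '@' disguises the real host"))
            if not host:
                findings.append(("high", "URL has no host"))
            else:
                try:  # raw IP literal instead of a name
                    ipaddress.ip_address(host)
                    findings.append(("high", f"raw IP address host {host}"))
                except ValueError:
                    pass
                if host.startswith("xn--") or ".xn--" in host or not host.isascii():
                    findings.append(("high", "internationalised host: possible homoglyph domain"))
                if host in URL_SHORTENERS:
                    findings.append(("high", f"shortener {host} hides the destination"))
                if not _host_matches(host, expected_domains):
                    brands = [d.split(".")[0] for d in expected_domains]
                    if any(b in host for b in brands):
                        findings.append(("high", f"lookalike host {host} borrows the venue's name"))
                    else:
                        findings.append(("low", f"host {host} is not the venue's domain"))
                if scheme == "http":
                    findings.append(("low", "plaintext http: page can be altered in transit"))

    if any(sev == "high" for sev, _ in findings):
        return "block", findings
    if findings:
        return "warn", findings
    return "allow", findings


if __name__ == "__main__":
    # Constructed sample payloads: the real menu link, then the sticker swaps.
    for sample in ("https://example-bistro.com/menu",
                   "https://example-bistro.com.menu-order.net/pay",
                   "https://restaurant@evil.example/menu",
                   "https://bit.ly/3abc",
                   "intent://scan/#Intent;scheme=zxing;end",
                   "WIFI:T:WPA;S:FreeWifi;P:hunter2;;"):
        verdict, notes = triage_qr_payload(sample)
        print(f"{verdict:5}  {sample}")
        for _, msg in notes:
            print(f"       - {msg}")
```

The verdict is deliberately conservative: a `warn` still shows the user the full URL before opening it, and a `block` hands the payload to the user as text only. The lookalike check is a substring match on the venue's brand label, which is enough to catch `example-bistro.com.menu-order.net` but will not catch typo-squats such as a dropped letter; a production rule set would add an edit-distance comparison against the expected domain.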

People have become so relaxed about scanning QR codes that they often do not think about the consequences. And even those who do have privacy, security, financial or other concerns about scanning QR codes often choose to scan them anyway. A recent MobileIron study found that more than half (51%) of respondents have concerns about using QR codes and still choose to scan them.

Many consumers also lack security software on the mobile devices they use to scan QR codes, putting themselves and businesses at risk. MobileIron's study found that 51% of respondents do not have, or do not know if they have, security software installed on their mobile devices.

This is all very concerning as I expect we'll soon see an onslaught of attacks via QR codes. Hackers are already capitalizing on security gaps during the COVID-19 pandemic and increasingly targeting mobile devices with phishing attacks. And QR codes are so easy for hackers to exploit that even a successful attack at a small scale is worth the effort.

So, how can organizations ensure that their employees are protected? Most importantly, mobile security needs to be a top priority in every organization. With more employees relying on mobile devices in their personal and professional lives, organizations urgently need to bolster their mobile security capabilities without impacting the end-user experience.

Organizations should first enroll their employees' mobile devices in a unified endpoint management (UEM) solution to ensure that only trusted devices, apps, and users can access enterprise resources. With MobileIron UEM, organizations can easily onboard both BYOD and corporate-issued devices over the air.

Organizations should then build upon UEM with a mobile threat defense solution to detect and remediate mobile threats, including malicious QR codes. MobileIron Threat Defense can protect devices from attacks waged at the device, network and application level, even when a device is offline. And at the time of enrollment, you can provision a secure workspace on the device, using either Apple device management or Android Enterprise profiles, separate from the personal space to ensure you are safeguarding the user's privacy, while maintaining control over business data.

Overall, I believe QR codes are incredibly useful and make life easier in a contactless world. They are crucial in helping to ensure everyone's health and safety during the COVID-19 pandemic. The key thing to remember is that we need to find the balance between ease of use and security.

Right now, most people are focusing heavily on the benefits of QR codes, but we absolutely need to think about the security implications of them as well. The good news is that MobileIron puts the user experience at the center of mobile security. Layered together, MobileIron's solutions can provide seamless and secure experiences.

To learn more, contact a MobileIron sales representative. And be sure to listen to the full MobileIron Musings episode with Alex below and subscribe for more.

Alex Mosher

Global Vice President of Solutions

About the author

Alex Mosher is Global Vice President, Solutions, at MobileIron. In his role, Mosher is responsible for MobileIron's go-to-market plan and for aligning mobile, security, and cloud solution strategy with execution.

Before joining MobileIron he spent 12 years at CA Technologies – responsible for CA's $1.4B+ cybersecurity business strategy and go-to-market plan. In his last role with CA Technologies, Alex was a global vice president responsible for all sales and go-to-market integration of CA's $612 million acquisition of Veracode, which was sold to Thoma Bravo just 16 months later for $965M.

Today, Alex leads a global team that works to develop and implement action plans that enable customers to take control of security, identities, access, and information across platforms and devices. As a 20-year information technology industry veteran, he has amassed hands-on experience in virtually every aspect of the business, including sales and marketing, development, and deployment services.