I saw a few questions out there already about ensuring site access comes from QR code scans, but they seemed to be focused on analytics purposes (tracking where traffic was coming from), whereas my interest is in security/privacy.

I want to set up a site that can only be accessed when a provided QR code is scanned. In other words, I don't want the URL that the QR code possesses to be able to just be manually typed/pasted in for site access via other means.

I've been googling this issue for a bit with no luck whatsoever. I'm trying to think of a way with referring URLs or other means to ensure that a person arrived at the site by actually scanning the provided QR code.

EDIT: The solution would need to be scanner-independent as well (i.e. I cannot force users to download and use a specific QR scanner app) and cross-platform (Android + iOS + WinMo + BlackBerry, etc.).

Now I submit the issue to you wonderful folks.

hannebaumsaway

5 Answers

We have something similar at our company. We provide a link like:

zxing://scan/?ret=http%3A%2F%2Ffoo.com%2Fproducts%2F%7BCODE%7D%2Fdescription&SCAN_FORMATS=UPC_A,EAN_13

Where {CODE} is the code which is returned in the QR code. So what you can do is create a URL like the above (see more info for a link). And then put encrypted data in the QR code, so only if this URL is clicked by the user and the data of the QR code is correct can people continue on to your website. This way, if the QR code is leaked, they won't know the site. And if they know the site, the code is encrypted.

If people scan the barcode by clicking on your website, zxing will open a new browser with the URL and {CODE} filled in with the scanned code.

But people do need the barcode scanner on Android or iPhone.

More info:

Niels
  • Sounds very promising, though I'm not familiar with zebra crossing, so I'll have to dig into the research you provided. Thanks for your reply, you clearly understood my ask! – hannebaumsaway Apr 22 '13 at 14:19
  • Make an a href with a link like the above. Download the scanner. Make a QR code, job's done. On clicking the link the scanner will open and the user will be redirected to the given page. It's that easy! One important thing: you can't activate the scanner by JavaScript. The user has to manually click the link, for safety reasons in Android. – Niels Apr 22 '13 at 14:21
  • Does this require XZing to be installed on the users' devices? – Danny Beckett Apr 22 '13 at 14:25
  • Only the scanner. But it's one of the most used scanners for Android. https://play.google.com/store/apps/details?id=com.google.zxing.client.android – Niels Apr 22 '13 at 14:26
  • In that case, -1. I use Barcode Scanner, and wouldn't want to be forced to use something else. Furthermore, this is **completely useless** for iOS/other OS users. – Danny Beckett Apr 22 '13 at 14:26
  • 1
    Good question, @DannyBeckett, thank you for asking. Unfortunately, I would need the solution to be scanner-independent. I'll update the original question accordingly. – hannebaumsaway Apr 22 '13 at 14:29
  • The solution that has to be a complete URL. So the complete URL needs to be in the QRCode otherwise the scanner does not know where to go after scanning. Most QRCode scanners do recornize URLS. The current solution supports to not have the complete URL. – Niels Apr 22 '13 at 14:33
You can't ensure that the URL came from scanning the QR code, that isn't possible. QR codes are just a method of encoding text, once the user knows the text they can do whatever they want with it.

You can, however, restrict the usefulness of the QR code so even if it is leaked it isn't useful. If possible, I would start by generating the QR codes on-demand with a random seed and have them expire shortly thereafter. This would make it so even if the QR code were leaked, it wouldn't be useful for very long.

nwellcome
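One way to build what this answer describes, as an added example that is not part of the original answer (the original page's own snippet is PHP; this is Python so the logic can be run stand-alone): each QR code is generated on demand with a random nonce, an expiry time and an HMAC over both, and the server refuses anything expired, tampered with, or already redeemed. The host name, path, parameter name `t`, secret and five-minute window are assumptions for the demo.

```python
"""Added example: a short-lived, single-use, HMAC-signed token carried in the
QR code's URL. Not code from the original page; names below are assumptions."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"demo-secret-keep-this-on-the-server"   # assumption: never leaves the server
BASE_URL = "https://example.com/myapp"            # assumption: the gated site
TTL_SECONDS = 300                                 # assumption: 5-minute validity window


def _sign(secret: bytes, payload: bytes) -> str:
    """HMAC-SHA256 over the payload, base64url without padding."""
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_qr_url(now: int, secret: bytes = SECRET, ttl: int = TTL_SECONDS) -> str:
    """Build the URL to encode into a freshly generated QR code.

    Token layout: <nonce>.<expiry-unix-time>.<mac over "nonce.expiry">.
    The nonce is random per code, so two codes are never interchangeable."""
    nonce = secrets.token_urlsafe(16)
    exp = now + ttl
    token = f"{nonce}.{exp}.{_sign(secret, f'{nonce}.{exp}'.encode())}"
    return f"{BASE_URL}?{urlencode({'t': token})}"


def verify_qr_url(url: str, now: int, used: set, secret: bytes = SECRET) -> str:
    """Server-side check of an incoming request URL.

    Returns "ok" or the reason for refusal. `used` is the server's replay
    cache of redeemed nonces (in-memory here; a database or cache in practice)."""
    token = parse_qs(urlparse(url).query).get("t", [None])[0]
    if token is None:
        return "missing token"
    try:
        nonce, exp_str, mac = token.split(".")
        exp = int(exp_str)
    except ValueError:
        return "malformed token"
    expected = _sign(secret, f"{nonce}.{exp}".encode())
    # Constant-time compare; check the MAC before trusting nonce or expiry.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad signature"
    if now > exp:
        return "expired"
    if nonce in used:
        return "replayed"
    used.add(nonce)
    return "ok"


if __name__ == "__main__":
    cache = set()
    link = issue_qr_url(now=1000)
    print(link)
    print(verify_qr_url(link, now=1100, used=cache))   # ok
    print(verify_qr_url(link, now=1100, used=cache))   # replayed
    print(verify_qr_url(link, now=1400, used=set()))   # expired
```

This does not prove that a scan happened; it only guarantees that whatever URL reaches the server was minted by you, is still inside its window, and is presented at most once, which is the most the server can establish when the QR code is merely text.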
About the best you can do is set a query string in your QR code. Something like:

http://www.example.com/myapp

Could be changed to something like:

http://www.example.com/myapp/?qrcode=1

This can then be handled in PHP with:

if(!isset($_GET['qrcode'])) die();

The problem with this, of course, though, is that anyone with the URL could simply navigate directly to that URL in their normal web browser.

This isn't something you can prevent, however.

You can also check whether $_SERVER['HTTP_USER_AGENT'] claims to be a mobile phone. Here's another question on the topic.

Danny Beckett
  • Would the HTTP_REFERER be able to play here? To check whether or not (within a certain degree of confidence) a visitor came directly from a QR scanner app or another website? – hannebaumsaway Apr 22 '13 at 14:20
  • @praguian Well the `HTTP_REFERER` should be blank. So you could always do `if(!empty($_SERVER['HTTP_REFERER'])) die();` – Danny Beckett Apr 22 '13 at 14:22
  • Exactly what I was alluding to, @DannyBeckett. In your opinion, would that be a viable solution approach? This is something I could research myself as well, but offhand, are there plausible/frequent scenarios in which the HTTP_REFERER could be blank even if a user pasted the URL into a browser manually? Like at the beginning of a session, perhaps? Just trying to think of possible loopholes around this approach. – hannebaumsaway Apr 22 '13 at 14:33
  • 2
    @praguian Yes, that is entirely possible. Essentially, you need to use a **combination** of a few different things. Use a query string, check if the user agent is a mobile, and check that the referer is blank. If **any** of these fails your check, `die();`. – Danny Beckett Apr 22 '13 at 14:35
  • 1
    Thanks Danny, I will give the combo a shot. And to @str's point above about non-mobile devices with a webcam being able to scan QR codes, the site in question is designed for mobile only anyway, so checking the user agent would be a valuable gate as well. I should have specified that in my original question, but that's the easy part so I didn't want to cloud the issue. :) – hannebaumsaway Apr 22 '13 at 14:39
  • Well, ran into a bit of a snag: `HTTP_REFERER` isn't being set, so that isn't helping me decide how the user was likely accessing my site. And `USER_AGENT` wouldn't help if the user manually typed in the URL on his mobile browser (`USER_AGENT` would be the same in that case as if he/she scanned a QR code on the same mobile). Any thoughts on the `HTTP_REFERER` enigma, @DannyBeckett? – hannebaumsaway Apr 24 '13 at 15:49
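The combined gate from this answer (query flag, mobile User-Agent, empty Referer) run over a handful of constructed requests, as an added example that is not part of the original answer. It is written in Python rather than the answer's PHP so it can be executed as-is; the User-Agent strings and the mobile-detection pattern are made up for the demo and stand in for the "is this a mobile?" check the answer links to. The point it makes is the one in the last comment: a URL typed into the phone's browser produces the same request as one handed over by a scanner app, so the gate cannot tell them apart.

```python
"""Added example: the answer's three-part gate applied to constructed requests.
Not code from the original page; header values and the UA pattern are assumptions."""
import re

# Assumption: a crude mobile User-Agent pattern for the demo.
MOBILE_UA = re.compile(r"Android|iPhone|iPad|BlackBerry|Windows Phone", re.I)


def passes_gate(query: dict, headers: dict) -> bool:
    """The answer's combined gate: all three checks must hold, else die()."""
    if "qrcode" not in query:                                  # ?qrcode=1 absent
        return False
    if not MOBILE_UA.search(headers.get("User-Agent", "")):    # not a mobile browser
        return False
    if headers.get("Referer", ""):                             # arrived from another page
        return False
    return True


# Constructed requests, not captured traffic. A scanner app hands the URL to
# the phone's browser, which sends no Referer; a typed URL sends none either.
PHONE_UA = "Mozilla/5.0 (Linux; Android 4.2; Nexus 4) AppleWebKit/537.36 Mobile Safari/537.36"
SCANNED_ON_PHONE = {"User-Agent": PHONE_UA}
TYPED_ON_PHONE = {"User-Agent": PHONE_UA}
DESKTOP_BROWSER = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"}
LINKED_FROM_ANOTHER_SITE = {"User-Agent": PHONE_UA, "Referer": "http://other.example/"}
QR_QUERY = {"qrcode": "1"}


def gate_results() -> dict:
    """Run the gate over each constructed request; name -> admitted?"""
    return {
        "scanned on phone": passes_gate(QR_QUERY, SCANNED_ON_PHONE),
        "typed on phone": passes_gate(QR_QUERY, TYPED_ON_PHONE),
        "desktop browser": passes_gate(QR_QUERY, DESKTOP_BROWSER),
        "linked from another site": passes_gate(QR_QUERY, LINKED_FROM_ANOTHER_SITE),
        "phone without query flag": passes_gate({}, SCANNED_ON_PHONE),
    }


if __name__ == "__main__":
    for name, admitted in gate_results().items():
        print(f"{name:28s} -> {'admitted' if admitted else 'refused'}")
```

The first two rows come out identical because the server receives byte-for-byte the same request in both cases. The gate is useful as a filter against accidental desktop or linked traffic; it is not evidence that a scan took place, and anyone who copies the URL (or sets a mobile User-Agent) passes it.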
You could add parameters, but ultimately QR codes are just a method of encoding text, so whatever you encode can be typed into a browser if someone knows what's encoded.

Glitch Desire
If you are making a POST call to any web URL from the QR code, then whatever body you are sending with it will not be visible unless the user went through QR scan mode. So by just entering the web URL the user will not be able to access the web URL contents.

nik