Quishing Prevention: How Can Developers Create Secure QR Scanning Apps?
Written by Austin Dease
Friday, 12 January 2024
Quishing, the use of QR codes to deliver malware to a victim's device, is on the rise. Besides introducing awareness training, developers can prevent quishing with strong encryption, security warnings, digital signatures, and support for varied kinds of barcodes.

In September 2023, reports showed a 51% increase in such incidents compared to the prior months (January to August). When quishing security is discussed, the measures usually involve phishing awareness training or specialized tools that businesses can implement to protect their assets from hacking. However, a lot can be done in the early stages of app development to help prevent quishing incidents.

Security Measures For Safe QR Scanning Applications

In 2020, researchers analyzed 100 QR code applications, evaluating them through the lens of security and privacy. Based on their findings, they listed 10 suggestions for developers who want to create QR-scanning apps with cybersecurity in mind. According to the researchers, these tactics should increase user trust in the application and make it safer without compromising the user experience or the performance of the app.

#1 Support Versatile Barcode Types

To suit different users and contexts, developers should support several barcode types within the app, for example QR codes, Data Matrix, and UPC. This indirectly leads to a safer experience for users because it avoids limitations in barcode decoding, increases compatibility, and widens the scope of the app.

#2 Show Barcode Format Before Decoding

Displaying the format of a barcode before decoding it prevents the app from interpreting the wrong type of barcode, and the preview lets users verify that the code matches their expectations. This matters because some barcode formats can conceal executable commands or URLs leading to malicious sites. The measure also prevents errors in barcode decoding, making scanning more accurate because there is less chance of a misinterpreted or misread code.
#3 Implement URL Checking for Harmful Links

Thoroughly checking the URLs embedded in barcodes is a necessary security feature for detecting malicious links. Analyze them to confirm that the web addresses are safe and legitimate. URL checking prevents users from installing malware on their devices or accessing harmful content or sites designed to steal their personal or sensitive data.

#4 Add Security Notifications

Users can't always recognize malicious QR codes or sites themselves. Make sure they receive a warning before accessing a potentially damaging source, so that it does not result in illicit access or installed malware. One such notification is a browser alert, which helps users recognize potentially malicious sites. Security warnings help users make more informed decisions as they use your app.

#5 Implement Strong Encryption

Use strong encryption for barcode content to keep information safe and to add another layer of protection. Security-wise, this is important for setting up access controls: only holders of the decryption key can read the content. Privacy-wise, it is integral to keeping the user's sensitive data confidential. Because barcodes are continually shared across networks, the shared data must be unreadable in case it gets intercepted and falls into the wrong hands.

#6 Apply Digital Signatures

Reliable digital signature services are necessary to verify the barcode generator. A signature authenticates the source of the code and validates its origin, confirming that the person or entity that created the code can be trusted. After scanning, it ensures non-repudiation, makes certain that the information within the barcode is trustworthy, and confirms that the source is legitimate.

#7 Enforce Least Privilege Permissions

Limit permissions to only those functionalities that are essential for the app, such as access to the camera and internet usage.
Implement least privilege permissions. For example, camera permission should be limited to scanning barcodes, and internet access should be used for URL verification only. This is important for the privacy of users who have the app on their devices: they should know that your app doesn't access their private files.

#8 Make an Intuitive Interface

Not all users are tech-savvy. Make sure that your interface is simple to use and features only basic functionality. Simplicity is important for security because it minimizes the chance that users will make errors that lead to their devices being compromised.

#9 Block Code Execution

To prevent unauthorized activity, block the execution of any encoded code or commands on the user's device. This protects against infected codes that might result in malicious scripts or malware running on user machines. They can result in exploits such as:
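The URL checking from #3, the security notification from #4 and the execution block from #9 combined into one decode-time check, as an added example written for this article; it is not code from the article or from the researchers' study. It assumes the decoded barcode string is already available, and the allowed-scheme list, the blocked prefixes and the warning texts are this example's own choices.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// Verdict is what the scanner decides before anything is handed to the OS.
type Verdict struct {
	Kind    string // "text", "url" or "blocked"
	Allowed bool   // false: never open; true: may open once any Warning is shown
	Warning string // security notification text (#4); empty when none applies
}

// Schemes the app will open; everything else stays inside the app (#9).
var allowedSchemes = map[string]bool{"http": true, "https": true}
// Scheme-like prefixes without "//" that would run code if passed on (#9).
var blockedPrefixes = []string{"javascript:", "data:", "vbscript:"}

// VetPayload classifies decoded barcode content and decides whether to open it.
func VetPayload(raw string) Verdict {
	s := strings.TrimSpace(raw)
	lower := strings.ToLower(s)
	for _, p := range blockedPrefixes {
		if strings.HasPrefix(lower, p) {
			return Verdict{Kind: "blocked", Warning: "payload would execute code; not opened"}
		}
	}
	if !strings.Contains(lower, "://") {
		return Verdict{Kind: "text", Allowed: true} // displayed only, never executed
	}
	u, err := url.Parse(s)
	if err != nil || u.Hostname() == "" || !allowedSchemes[u.Scheme] {
		return Verdict{Kind: "blocked", Warning: "malformed URL or disallowed scheme; not opened"}
	}
	// Signals that warrant a notification before the link is opened (#3, #4).
	var notes []string
	if u.Scheme == "http" {
		notes = append(notes, "unencrypted http link")
	}
	if net.ParseIP(u.Hostname()) != nil {
		notes = append(notes, "raw IP address instead of a domain name")
	}
	if strings.Contains(u.Hostname(), "xn--") {
		notes = append(notes, "internationalised domain; check for look-alike characters")
	}
	return Verdict{Kind: "url", Allowed: true, Warning: strings.Join(notes, "; ")}
}
```

A real app would add a reputation lookup for the host (the article's URL checking) on top of these local checks; the local checks are what can run before any network access.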
#10 Draft Additional Resources

Awareness training is the common method of preventing phishing. Create guidelines that teach users how to use your app safely and reduce the chance of scanning malicious QR codes. Tutorials and manuals can help them recognize the signs of quishing or detect other security pitfalls, and can also help them understand how hackers misuse apps such as yours.

Collaborating With Security Professionals to Prevent Quishing

Best security practices are often hyper-focused on how users can be careful when scanning codes in their inbox, or on precautions they can take when opening QR code-based menus in restaurants. The suggestions here focus on designing QR code applications with exploits such as quishing in mind. They remind us why it's important that developers and security experts collaborate in the early stages of app development, and why it matters that developers think like security professionals. More often than not, these two roles are isolated, meaning security comes later, as an afterthought, sometimes at the point when users have already installed the QR scanning app on their phones.
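The digital-signature check from #6 as an added example, not code from the article or from the researchers' study. The payload layout (an "sqr1:" prefix, a base64url Ed25519 signature, then the content) is constructed for this example, and it assumes the issuer's public key is pinned in the scanning app while the private key stays with the barcode generator.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed layout for this example: "sqr1:<base64url signature>:<content>".
const signedPrefix = "sqr1:"

// SignPayload runs at the barcode generator (the issuer); the private key
// never ships inside the scanning app.
func SignPayload(priv ed25519.PrivateKey, content string) string {
	sig := ed25519.Sign(priv, []byte(content))
	return signedPrefix + base64.RawURLEncoding.EncodeToString(sig) + ":" + content
}

// VerifyPayload runs in the scanner and returns the content only when the
// signature is valid under the issuer key pinned in the app.
func VerifyPayload(pub ed25519.PublicKey, payload string) (string, error) {
	if !strings.HasPrefix(payload, signedPrefix) {
		return "", errors.New("unsigned barcode: origin cannot be verified")
	}
	parts := strings.SplitN(payload[len(signedPrefix):], ":", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed signed barcode")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, []byte(parts[1]), sig) {
		return "", errors.New("signature invalid: content altered or unknown issuer")
	}
	return parts[1], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // issuer key pair, generated here for the demo
	qr := SignPayload(priv, "https://example.com/menu")
	fmt.Println(VerifyPayload(pub, qr))
	// Whoever swaps the link cannot produce a valid signature for the new content.
	fmt.Println(VerifyPayload(pub, strings.TrimSuffix(qr, "menu")+"malware"))
}
```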