[Please welcome guest bloggers Eric Smith and Nina Kollars. Eric Smith serves as the Chief Information Security Officer (CISO) for a higher ed consortium with membership consisting of Bucknell University, Franklin & Marshall College and Susquehanna University. Nina Kollars is assistant professor of government at Franklin & Marshall college, where her scholarship examines the ways in which individual user creativity affects the development of technology and practices.]
QR (Quick Response) codes—the two-dimensional barcodes designed by the Denso Wave company in 1994—were originally intended to track and inventory millions of parts on assembly lines. Since then, these nearly ubiquitous black and white squares have been applied to an ever-broader range of uses including business cards, patient-tracking systems, and mobile coupon clipping. In order to make use of these codes, the vast majority of consumers utilize smart phone technologies in order to convert the codes into usable information. However, neither Apple’s iOS nor Google’s Android operating systems include a robust native capability to scan and decode printed barcodes. As a result, users of these devices must download third-party applications that will do this work for them.
Research Question and Findings:
Our research question was straightforward: are there privacy and security risks associated with this emerging QR app ecosystem? In an attempt to answer this, we installed and analyzed over twenty of the most popular QR code applications. Our findings suggest that a majority of the most popular QR code readers found in the Apple App and Google Play marketplaces are not passive systems of information routing, but instead capture and transmit additional data about the device and the user back to the application developer. (For full details see our paper.)
Our findings reveal that many smartphone barcode scanning applications represent a significant threat to the privacy and, potentially, security of their users. On both platforms studied, the most popular QR code scanning apps, according to search result rankings were shown to transmit the contents of all scanned QR codes, as well as GPS location data, to a third-party server.