QR code security

Question

I have been reading a lot about QR codes and how the code itself can lead to serious security risks. But one thing that I did not come across is the following.

In th

Answer 1

This is all easier to reason about if you realize that QR codes simply encode plain text. If your scheme is insecure if you were just dealing in text files or text printed on a wall -- QR codes don't change that. There is no security mechanism in a QR code.

Turning it around -- whatever means are available to secure your scheme, outside of QR codes, can probably be applied here. What you are looking for is a digital signature, the same sort of public/private key scheme used to prove that SSL certs are valid and that emails are from the claimed sender. The data your users need to supply must be signed by you to know they haven't tampered with it.

You can put anything you want in a QR code, including Base-64 encoded bytes representing a signed document. No reader will know what to do with it; you'd have to write a custom app that scans and then knows to decode it and act accordingly.

I do think it's by far easier to conceive a scheme that involves directing a user to a web site you control securely.