If You’re Scanning This, It’s Too Late! A QR Code-Based Fuzzing Methodology to Identify Input Vulnerabilities in Mobile Apps

  • Conference paper
Applied Cryptography and Network Security Workshops (ACNS 2023)

Abstract

In recent years, QR (Quick Response) codes have gained popularity in facilitating information sharing with camera-equipped devices like smartphones and tablets. This technology is suitable for multiple applications, such as verification of COVID-19 vaccination, multi-factor authentication, or easing URL and contact sharing. Despite its huge adoption, security researchers have mainly focused on using QR codes as a vector for phishing attacks, exploiting the simplicity of hiding malicious URLs in a format that is not human-readable. However, this is just the tip of the iceberg of the potential QR codes have as a vector for cyberattacks.

In this paper, we design a fuzzing-based methodology to discover bugs and vulnerabilities in mobile applications receiving inputs from QR codes. Our framework is suitable for many different application categories, and it is highly flexible in handling the various behaviors of the apps before and after the scan takes place. We implemented our methodology in a toolkit, QRFuzz, which enables testing multiple codes in an automated way, looking for crashes, errors, and abnormal behaviors in applications. In our first experiment, we tested 20 popular Android apps with a dictionary of strings containing symbols, weird ASCII characters, and known malicious payloads. Our tests on about two thousand payloads showed that our tool correctly scanned almost all the given codes. During our first tests, we found a crash on a popular social application with over 1 billion downloads and on the official Italian COVID-19 vaccination verification app. To the best of our knowledge, this is the first framework enabling the fuzzing of applications via QR codes. We open-sourced QRFuzz\(^1\) so that other researchers can tackle the issue and developers can independently identify bugs.

Notes

  1. GitHub repository: https://github.com/spritz-group/QRFuzz

Acknowledgements

We would like to thank Omitech S.r.l. for supporting Denis Donadel.

Corresponding author

Correspondence to Denis Donadel.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Carboni, F., Conti, M., Donadel, D., Sciacco, M. (2023). If You’re Scanning This, It’s Too Late! A QR Code-Based Fuzzing Methodology to Identify Input Vulnerabilities in Mobile Apps. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2023. Lecture Notes in Computer Science, vol 13907. Springer, Cham. https://doi.org/10.1007/978-3-031-41181-6_30

  • DOI: https://doi.org/10.1007/978-3-031-41181-6_30

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-41180-9

  • Online ISBN: 978-3-031-41181-6

  • eBook Packages: Computer Science, Computer Science (R0)
