Abstract
In recent years, QR (Quick Response) codes have gained popularity in facilitating information sharing with camera-equipped devices like smartphones and tablets. This technology is suitable for multiple applications, such as verification of COVID-19 vaccination, multi-factor authentication, or easy URL and contact sharing. Despite its huge adoption, security researchers have mainly focused on using QR codes as a vector for phishing attacks, exploiting the simplicity of hiding malicious URLs in a format that is not human-readable. However, this is just the tip of the iceberg of the potential QR codes have as a vector for cyberattacks.
In this paper, we design a fuzzing-based methodology to discover bugs and vulnerabilities in mobile applications receiving inputs from QR codes. Our framework is suitable for many different application categories, and it is highly flexible in handling the various behaviors of the apps before and after the scan takes place. We implemented our methodology in a toolkit, QRFuzz, which enables testing multiple codes in an automated way, looking for crashes, errors, and abnormal behaviors in applications. In our first experiment, we tested 20 popular Android apps with a dictionary of strings containing symbols, weird ASCII characters, and known malicious payloads. Our tests on about two thousand payloads showed that our tool correctly scanned almost all the given codes. During this first round of testing, we found a crash on a popular social application with over 1 billion downloads and on the official Italian COVID-19 vaccination verification app. To the best of our knowledge, this is the first framework enabling the fuzzing of applications via QR codes. We open-sourced QRFuzz\(^1\) so that other researchers can tackle the issue and developers can independently identify bugs.
Notes
1. GitHub repository: https://github.com/spritz-group/QRFuzz
Acknowledgements
We would like to thank Omitech S.r.l. for supporting Denis Donadel.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Carboni, F., Conti, M., Donadel, D., Sciacco, M. (2023). If You’re Scanning This, It’s Too Late! A QR Code-Based Fuzzing Methodology to Identify Input Vulnerabilities in Mobile Apps. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2023. Lecture Notes in Computer Science, vol 13907. Springer, Cham. https://doi.org/10.1007/978-3-031-41181-6_30
DOI: https://doi.org/10.1007/978-3-031-41181-6_30
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41180-9
Online ISBN: 978-3-031-41181-6
eBook Packages: Computer Science, Computer Science (R0)