QR Code Safety Guide
Security Overview

What's actually dangerous, what isn't, and how to scan with confidence.

The Core Concept

Scanning a QR code is generally safe by itself — it simply decodes a string of data. The danger lies in what happens after scanning; if a QR code contains a malicious URL, the threat is in actually opening that URL, not the decoding itself.

Your goal: maximize the gap between scan and action.

Attack Surface Overview

Scenario | Risk from scan alone | Notes
Malicious URL encoded in QR | Safe | Only dangerous if you manually open it
Scanner auto-opens URLs | Caution | Collapses the scan-to-action gap entirely
Parser exploit in scanner app | Caution | Theoretical lab research; impractical in the real world
WIFI: URI scheme | Risk | Auto-join is a legitimate feature, but a hostile code can join you to a network the attacker controls (MITM)
Deep links / custom app URIs | Caution | Depends on the app; can trigger in-app actions
SMS / tel: URIs | Caution | Usually requires a confirmation tap; still verify
vCard / calendar injection | Caution | Can plant fake contacts (e.g. a fraudulent bank number)

Safe Scanning Workflow

Step 1: Does your scanner show decoded content before acting?
        ❌ No → Switch apps
Step 2: Does the URL/content look legitimate? Check the domain spelling carefully.
        ❌ Suspicious → Abort
Step 3: Is it a URL shortener? (bit.ly, t.co, tinyurl…)
        ⚠ Yes → Expand first
Step 4: Is it a non-HTTP scheme? (WIFI:, tel:, sms:, custom://)
        ⚠ Yes → Extra scrutiny
Step 5: All clear — open in a secure, up-to-date browser.
        ✓ Proceed
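The triage that Steps 2 to 4 describe, as an added example that is not part of this guide: a preview-first classifier that tells the user what a decoded payload would do and never opens, joins or imports anything. The shortener list, the verdict labels and the lookalike heuristic are assumptions of this example, and the payloads in the comments are constructed.

```python
import re
from urllib.parse import urlsplit

# Shorteners named in Step 3; a real scanner would keep a longer list (assumed set).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def parse_wifi(payload):
    # WIFI:T:WPA;S:<ssid>;P:<password>;H:true;; -- fields are ';'-separated and a
    # backslash escapes ';' or ':' inside a value, so split only on unescaped ';'.
    fields = {}
    for part in re.split(r"(?<!\\);", payload[len("WIFI:"):]):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key] = re.sub(r"\\(.)", r"\1", value)
    return fields


def triage(payload):
    # Returns (verdict, detail). Nothing is acted upon here; the result is what a
    # preview-first scanner would display before asking the user for a tap.
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        wifi = parse_wifi(text)
        return "RISK", (f"Wi-Fi join for SSID {wifi.get('S', '?')!r} "
                        f"({wifi.get('T') or 'open network'}); accept only if you set this network up")
    if text.upper().startswith(("BEGIN:VCARD", "MECARD:", "BEGIN:VEVENT", "BEGIN:VCALENDAR")):
        return "CAUTION", "Contact or calendar import; check every field before saving"
    match = SCHEME_RE.match(text)
    scheme = match.group(1).lower() if match else ""
    if not scheme:
        return "TEXT", "Plain text, nothing to open"
    if scheme not in ("http", "https"):
        return "CAUTION", f"Non-HTTP scheme '{scheme}:'; may trigger an app action, extra scrutiny"
    url = urlsplit(text)
    host = (url.hostname or "").lower()
    if url.username is not None:  # e.g. https://paypal.com@evil.example/ (constructed)
        return "SUSPICIOUS", f"Credentials before '@' hide the real host {host}"
    if host in SHORTENERS:
        return "EXPAND", f"Shortener {host}; expand the link before visiting"
    if "xn--" in host:
        return "SUSPICIOUS", f"Punycode host {host}; lookalike characters possible"
    labels = host.split(".")[:-1]  # TLD dropped; paypa1.com-style swaps live in these labels
    if any(re.search(r"[a-z]", label) and re.search(r"\d", label) for label in labels):
        return "SUSPICIOUS", f"Host {host} mixes letters and digits; check for lookalikes such as 1 for l"
    return "REVIEW", f"Opens {host} over {scheme}; confirm the spelling before proceeding"
```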

Recommended Scanners

iOS · Built-in Camera · ✓ Recommended
Shows a banner preview and requires a tap before opening. Sandboxed and regularly updated by Apple.

Android · Binary Eye · ✓ Open Source
Open source, minimal, shows decoded content first. Available on F-Droid and Play Store. Auditable code.

Android · Google Lens · ~ Verify settings
Generally previews before acting. Behavior varies by device manufacturer — test your specific device.

Desktop · zbar / offline tools · ✓ Most conservative
Decode-and-display only. Photograph the QR and run it through an offline decoder so that no network call is made.

Key Habits

  • Use a scanner that previews the decoded content and asks before acting.
  • Be skeptical of QR codes in unexpected places — watch for stickers over legitimate codes.
  • Verify the domain spelling — look for subtle typosquatting (paypa1.com).
  • Expand shortened URLs via urlex.org or unshorten.me before visiting.
  • Disable auto-join for Wi-Fi QR codes unless you set up the network yourself.
  • Turn off "auto-open URLs" in your scanner app's settings if the option exists.
  • Keep your scanner app and OS fully updated to patch parser vulnerabilities.
  • Avoid ad-supported "QR Scanner" apps from unknown Play Store developers.

Is Scanning Itself Safe?

Scanning a QR code is generally safe by itself — it simply decodes a string of data and leaves any consequential action to the user. The real danger is usually what happens after scanning; if a QR code contains a malicious URL, the threat lies in actually opening that URL, not in the scanning or decoding itself.

That said, a few edge cases blur that line:
  • Some scanner apps automatically open decoded URLs, removing the user's choice entirely.
  • Non-HTTP URI schemes (e.g., Wi-Fi network configs) can trigger actions without confirmation — automatic Wi-Fi joining is a legitimate feature but also a tricky attack vector.
  • Malformed QR payloads could theoretically exploit vulnerabilities in scanner software, making the decode step itself an attack surface. In practice, this appears limited to lab research and requires a highly specific exploit, making it largely impractical for real-world attackers.

Overall, the risk from scanning alone is low but not zero, and depends heavily on how automated your scanning software is.

How to Reduce Your Risk

  • Use a scanner that previews decoded content and prompts before acting, rather than one that auto-opens URLs.
  • Keep your scanner app and OS updated to minimize exposure to parser vulnerabilities.
  • Be skeptical of QR codes in unexpected locations — stickers placed over legitimate codes are a known physical-world attack vector.
  • Verify that URLs look legitimate before tapping through; watch for typosquatting and misleading domains.
  • Treat non-URL actions (Wi-Fi joins, contact imports) with extra caution — they can execute with little or no confirmation.
  • Only scan codes from sources you trust.