Security Overview

QR Code
Safety Guide

What's actually dangerous, what isn't, and how to scan with confidence.

The Core Concept

Scanning a QR code is generally safe by itself — it simply decodes a string of data. The danger lies in what happens after scanning; if a QR code contains a malicious URL, the threat is in actually opening that URL, not the decoding itself.

Your goal: maximize the gap between scan and action.

Attack Surface Overview

Malicious URL encoded in QR

Safe

Only dangerous if you manually open it

Scanner auto-opens URLs

Caution

Collapses the scan-to-action gap entirely

Parser exploit in scanner app

Caution

Theoretical lab research; impractical in the real world

WIFI: URI scheme

Risk

Deliberate feature used as a tricky vector for MITM

Deep links / custom app URIs

Caution

Depends on app; can trigger in-app actions

SMS / tel: URIs

Caution

Usually requires confirmation tap; still verify

vCard / calendar injection

Caution

Can plant fake contacts (e.g. fraudulent bank number)

Safe Scanning Workflow

Step 1

Does your scanner show decoded content before acting?

❌ No → Switch apps

Step 2

Does the URL/content look legitimate? Check domain spelling carefully.

❌ Suspicious → Abort

Step 3

Is it a URL shortener? (bit.ly, t.co, tinyurl…)

⚠ Yes → Expand first

Step 4

Is it a non-HTTP scheme? (WIFI:, tel:, sms:, custom://)

⚠ Yes → Extra scrutiny

Step 5

All clear — open in a secure, up-to-date browser.

✓ Proceed

Recommended Scanners

iOS

Built-in Camera

Shows a banner preview and requires a tap before opening. Sandboxed and regularly updated by Apple.

✓ Recommended

Android

Binary Eye

Open source, minimal, shows decoded content first. Available on F-Droid and Play Store. Auditable code.

✓ Open Source

Android

Google Lens

Generally previews before acting. Behavior varies by device manufacturer — test your specific device.

~ Verify settings

Desktop

zbar / offline tools

Decode-and-display only. Photograph the QR and run through an offline decoder to avoid any network calls.

✓ Most conservative

Key Habits

→ Use a scanner that previews the decoded content and asks before acting.
→ Be skeptical of QR codes in unexpected places — watch for stickers over legitimate codes.
→ Verify the domain spelling — look for subtle typosquatting (paypa1.com).
→ Expand shortened URLs via urlex.org or unshorten.me before visiting.
→ Disable auto-join for Wi-Fi QR codes unless you set up the network yourself.
→ Turn off "auto-open URLs" in your scanner app's settings if the option exists.
→ Keep your scanner app and OS fully updated to patch parser vulnerabilities.
→ Avoid ad-supported "QR Scanner" apps from unknown Play Store developers.

Is Scanning Itself Safe?

Scanning a QR code is generally safe by itself — it simply decodes a string of data and leaves any consequential action to the user. The real danger is usually what happens after scanning; if a QR code contains a malicious URL, the threat lies in actually opening that URL, not in the scanning or decoding itself.

That said, a few edge cases blur that line:

Some scanner apps automatically open decoded URLs, removing the user's choice entirely.
Non-HTTP URI schemes (e.g., Wi-Fi network configs) can trigger actions without confirmation — automatic Wi-Fi joining is a legitimate feature but also a tricky attack vector.
Malformed QR payloads could theoretically exploit vulnerabilities in scanner software, making the decode step itself an attack surface. In practice, this appears limited to lab research and requires a highly specific exploit, making it largely impractical for real-world attackers.

Overall, the risk from scanning alone is low but not zero, and depends heavily on how automated your scanning software is.

How to Reduce Your Risk

→ Use a scanner that previews decoded content and prompts before acting, rather than one that auto-opens URLs.
→ Keep your scanner app and OS updated to minimize exposure to parser vulnerabilities.
→ Be skeptical of QR codes in unexpected locations — stickers placed over legitimate codes are a known physical-world attack vector.
→ Verify that URLs look legitimate before tapping through; watch for typosquatting and misleading domains.
→ Treat non-URL actions (Wi-Fi joins, contact imports) with extra caution — they can execute with little or no confirmation. Only scan codes from sources you trust.