Security Overview

QR Code Safety Guide

What's actually dangerous, what isn't, and how to scan with confidence.

The Core Concept

Scanning a QR code is generally safe by itself — it simply decodes a string of data and leaves any consequential action to you. The danger lies in what happens after scanning: if a QR code contains a malicious URL, the threat is in actually opening that URL, not the decoding itself.

Your goal: maximize the gap between scan and action.

A few edge cases do blur this line:

  • Some scanner apps automatically open decoded URLs, removing your chance to review them first.
  • Non-HTTP URI schemes — WIFI:, tel:, sms: — can trigger system actions with little or no confirmation.
  • Malformed QR payloads could theoretically exploit parser bugs in the scanner software itself. In practice this appears limited to lab research, but keeping your app updated reduces exposure.

The risk from scanning alone is low but not zero — it depends heavily on how automated your scanning software is.

Attack Surface Overview

Scenario                       | Risk from scan alone | Notes
-------------------------------|----------------------|-----------------------------------------------------------------
Malicious URL encoded in QR    | Safe                 | Only dangerous if you manually open it
Scanner auto-opens URLs        | Caution              | Collapses the scan-to-action gap entirely
Parser exploit in scanner app  | Caution              | Theoretical lab research; impractical in the real world
WIFI: URI scheme               | Risk                 | Legitimate feature, but it can be abused to join you to a hostile network (MITM)
Deep links / custom app URIs   | Caution              | Depends on the app; can trigger in-app actions
SMS / tel: URIs                | Caution              | Usually requires a confirmation tap; still verify the recipient
vCard / calendar injection     | Caution              | Can plant fake contacts (e.g. a fraudulent bank phone number)

Safe Scanning Workflow

Step 1: Does your scanner show decoded content before acting?
        ❌ No → Switch apps
Step 2: Does the URL/content look legitimate? Check domain spelling carefully.
        ❌ Suspicious → Abort
Step 3: Is it a URL shortener? (bit.ly, t.co, tinyurl…)
        ⚠ Yes → Expand first
Step 4: Is it a non-HTTP scheme? (WIFI:, tel:, sms:, custom://)
        ⚠ Yes → Extra scrutiny
Step 5: All clear — open in a secure, up-to-date browser.
        ✓ Proceed
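The workflow above, together with the scheme classes from the attack-surface table, as an added Python example (this is not code from the original page): a triage function that classifies a decoded payload and recommends an action without ever opening, dialing or joining anything. The shortener list, the brand allowlist, the digit-substitution map and the sample payloads are constructed assumptions; the WIFI: field parsing follows the common `WIFI:T:…;S:…;P:…;;` layout with backslash-escaped semicolons.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not exhaustive lists):
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
# Hypothetical list of brands the user expects to see; the lookalike check compares against these.
KNOWN_BRANDS = {"paypal.com", "google.com", "apple.com"}
# Digit-for-letter substitutions common in typosquatting (hypothetical mapping).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")  # RFC 3986 scheme syntax
# WIFI:T:WPA;S:ssid;P:pass;H:true;;  -> KEY:value pairs separated by ';',
# with a literal ';' or '\' written as '\;' or '\\'.
_WIFI_FIELD_RE = re.compile(r"([A-Za-z]+):((?:\\.|[^;\\])*)")


def parse_wifi(payload):
    """Return the key/value fields of a WIFI: payload with escapes removed."""
    body = payload[len("WIFI:"):]
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _WIFI_FIELD_RE.findall(body)}


def registrable_domain(host):
    """Naive brand part of a hostname: the last two labels (assumption; ignores co.uk-style suffixes)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def lookalike_of(host):
    """Return the brand domain this host imitates by digit substitution, or None."""
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return None
    candidate = domain.translate(HOMOGLYPHS)
    return candidate if candidate in KNOWN_BRANDS else None


def triage(payload):
    """Classify a decoded QR payload and suggest an action; never opens or executes anything."""
    p = payload.strip()
    scheme, sep, _ = p.partition(":")
    if not sep or not _SCHEME_RE.fullmatch(scheme):
        # Plain text (or a colon inside free text): nothing to act on, just display it.
        return {"kind": "text", "risk": "safe", "action": "display only", "detail": p}
    s = scheme.lower()

    if s in ("http", "https"):
        host = urlsplit(p).hostname or ""
        r = {"kind": "url", "risk": "safe", "action": "review, then open", "host": host, "notes": []}
        if s == "http":
            r["notes"].append("plain HTTP: no TLS")
        if "xn--" in host:  # internationalized domain in punycode form
            r.update(risk="caution", action="decode punycode and verify")
        if registrable_domain(host) in SHORTENERS:  # workflow step 3
            r.update(risk="caution", action="expand first")
        brand = lookalike_of(host)  # workflow step 2
        if brand:
            r.update(risk="risk", action="abort")
            r["notes"].append(f"{host} looks like {brand}")
        return r

    if s == "wifi":  # workflow step 4: show exactly what network would be joined
        f = parse_wifi(p)
        return {"kind": "wifi", "risk": "risk", "action": "do not auto-join; confirm network",
                "ssid": f.get("S", ""), "auth": f.get("T", "nopass"), "hidden": f.get("H", "false")}

    if s in ("tel", "sms", "mailto"):
        return {"kind": s, "risk": "caution", "action": "confirm recipient before sending",
                "target": p[len(scheme) + 1:]}

    if s == "begin":  # BEGIN:VCARD / BEGIN:VEVENT / BEGIN:VCALENDAR blocks
        return {"kind": "vcard/calendar", "risk": "caution",
                "action": "review every field before importing", "detail": p}

    return {"kind": "deep link", "risk": "caution",
            "action": "check which app handles this scheme", "scheme": s, "detail": p}


if __name__ == "__main__":
    # Constructed sample payloads, one per row of the attack-surface table.
    for sample in ["https://paypa1.com/login", "https://bit.ly/abc",
                   "WIFI:T:WPA;S:Free Cafe;P:s\\;cret;;", "tel:+15550100",
                   "myapp://pay?to=x", "Meeting at 10:30"]:
        print(sample, "->", triage(sample))
```

On a desktop this slots in after an offline decoder (for example `zbarimg --raw photo.png`), so the decoded string is classified before any network request is made; the risk labels mirror the table's Safe/Caution/Risk, and "abort" corresponds to the workflow's Suspicious branch.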

Recommended Scanners

iOS: Built-in Camera (✓ Recommended)
    Shows a banner preview and requires a tap before opening. Sandboxed and regularly updated by Apple.
Android: Binary Eye (✓ Open Source)
    Open source, minimal, shows decoded content first. Available on F-Droid and Play Store. Auditable code.
Android: Google Lens (~ Verify settings)
    Generally previews before acting. Behavior varies by device manufacturer — test your specific device.
Desktop: zbar / offline tools (✓ Most conservative)
    Decode-and-display only. Photograph the QR and run it through an offline decoder to avoid any network calls.

Key Habits

  • Use a scanner that previews the decoded content and asks before acting.
  • Be skeptical of QR codes in unexpected places — watch for stickers placed over legitimate codes.
  • Verify the domain spelling — look for subtle typosquatting (paypa1.com).
  • Expand shortened URLs via urlex.org or unshorten.me before visiting.
  • Treat non-URL actions (Wi-Fi joins, contact imports) with extra caution — they can execute with little or no confirmation. Only scan codes from sources you trust.
  • Disable auto-join for Wi-Fi QR codes unless you configured the network yourself.
  • Turn off "auto-open URLs" in your scanner app's settings if the option exists.
  • Keep your scanner app and OS fully updated to patch parser vulnerabilities.
  • Avoid ad-supported "QR Scanner" apps from unknown Play Store developers.

QR Security Overview · Scanning itself is almost always safe · The real risk is in automatic actions that follow