We have a QR code system requirement for our external customers (we offer shipping/air-freight of light freight/cargo) where the external customers use an app we offered to scan using their mobile phones without even logging in to the system.

Users scan a QR code that we provide which, after scanning, will launch a URL and a call sign, and will redirect to a page where the user can perform processing such as check-in and uncheck-in, without logging in to the system.

Though the operation was performed by the user, from the back end we treat it as performed by “System”, and we don’t track who is really doing this job.

The data inside the QR code will be our freight system's URL (e.g. https://abcfreight.com/...). The freight's call sign will be in a format like SC3727G, SB0681D, i.e. the URL will be

There are no personal particulars, but we can trace to the customer using the signs.

Any cyber concern other than requiring HTTPS (SSL), or any security measures that we are missing here? The data scanned is stored in an Oracle database unencrypted.

What's the security at the mobile phone's end, and is any signing of the app required?

Presumably we ought to do penetration testing and code scanning of the app, but that system will also be audited; so what would an auditor look out for in such a QR code scanning process/system?