sunhux

cyber measures for QR code scanning to launch URL to check in/check out for freight

We have a QR code system requirement for our external customers (we offer shipping/air-freight of light
freight/cargo) where the external customers use an app we offered to scan using their mobile phones
without even logging in to the system.

Details:
Users scan a QR code that we provide, which after scanning will launch a URL to launch and a call sign,
and will redirect to a page where the user can perform processing such as check-in, uncheck-in, without
logging in to the system.

Though the operation was performed by the user, from the back end we treat it as performed by
“System”, and we don’t track who is really doing this job.

The data inside the QR code will be our freight system's URL (e.g. https://abcfreight.com/....).
The freight's call sign will be in a format like SC3727G, SB0681D, i.e. the URL will be
https://abcfreight.com/...SC3727G/...
There are no personal particulars, but we can trace to the customer using the signs SC3727G.


Any cyber concern other than requiring https (SSL) or any security measures that we
are missing here? The data scanned is stored in an Oracle database unencrypted.
What's the security at the mobile phone's end & is any signing of the app required?

Presumably we ought to do penetration testing & code scanning of the app but
that system will also be audited; so what would an auditor look out for in such
QR code scanning process/system?
sunhux

ASKER

Does my advice below make any sense?  Feel
free to correct, add on:

There are 2 parts of the app:  the QR code generator & code scanner.

To prevent scam/phishing, must we self-develop the code generator &
code scanner, or are there public free ones that are safe for use?

I'm checking if there's any payment involved.
 
For the QR code generator, ideally not to use one that is public domain but if you must use it,
it must be a signed app: https://source.android.com/security/apksigning
 
Offhand, I can only think of:
  1. Perform a Coverity code scan of the app & remediate what’s uncovered by the scans
  2. Does the project cater for penetration testing?  The mobile app will need to be subject to the testing before going live.
  3. We need a way to ensure that the QR code is only used by the right & authorized party and prevent a faked/spoofed
     URL from being launched. If the code is sent to the wrong party, will the wrong freight get sent?

     To mitigate, we’ll need an encrypted QR code
     http://www.qrcodestickers.org/qr-code-articles/encrypted-qr-codes.html
     & send an alert (SMS) to the authorized party upon successful transaction

My references:
https://www.dummies.com/business/marketing/social-media-marketing/security-risks-that-come-with-use-of-qr-codes/
https://www.mdpi.com/2078-2489/11/4/217/htm
ASKER CERTIFIED SOLUTION
Gary Patterson, CISSP
sunhux

ASKER

Thanks for pointing out the term to use.

> 1. Test phone app to ensure that it will not accept a random QR URL that leads to a malicious or fake site.

Should we just use those free QR code scanners by Kaspersky, Trend Micro as they're documented to
check for malicious URLs from being launched? If we were to use such off-the-shelf scanners, we
won't have the source code of the scanner, thus the secure coding scans of this scanner can't be done.

For the code generator, if we are going for a free one, we'll have to adopt a "static generator" rather
than a "dynamic" one, or will it be more secure if we develop one internally?

We do have an external penetration tester whom we engage to pentest our mobile apps (i.e. they'll run
it in their test mobiles to test), which is done without source code. Thing is, if they found injections,
XSS for off-the-shelf apps, unlikely we can fix them as we don't have the source code.
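
An added example, not code from this thread or from the system it describes: one way to implement the check quoted in item 1 above, where the app opens a scanned URL only if it is an HTTPS link to the expected host carrying exactly one call sign, and the server additionally requires an HMAC tag so that a guessed call sign alone is not enough. The HMAC tag is a different technique from the encrypted QR code mentioned earlier in the thread. The call-sign pattern, the call sign being its own path segment, the `sig` parameter and the key are assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOST = "abcfreight.com"                   # host named in the question
CALL_SIGN = re.compile(r"[A-Z]{2}[0-9]{4}[A-Z]")  # assumed from SC3727G, SB0681D
PRINTABLE = re.compile(r"[!-\[\]-~]+")            # ASCII only, no spaces, no backslash
DEMO_KEY = b"constructed-demo-key"                # placeholder; a real key stays on the server


def scanned_call_sign(text):
    """App side: return the call sign if the scanned text may be opened, else None."""
    if not PRINTABLE.fullmatch(text):
        return None
    try:
        parts = urlsplit(text)
        port = parts.port                         # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        return None
    if (parts.username, parts.password) != (None, None) or port not in (None, 443):
        return None
    # Assumption: the call sign is a whole path segment and appears exactly once.
    signs = [s for s in parts.path.split("/") if CALL_SIGN.fullmatch(s)]
    return signs[0] if len(signs) == 1 else None


def tag_for(call_sign, key=DEMO_KEY):
    """Server side: HMAC-SHA256 tag placed in the URL when the QR code is generated."""
    return hmac.new(key, call_sign.encode(), hashlib.sha256).hexdigest()


def server_accepts(url, key=DEMO_KEY):
    """Server side: repeat the URL checks, then verify the hypothetical 'sig' parameter."""
    call_sign = scanned_call_sign(url)
    if call_sign is None:
        return False
    sig = parse_qs(urlsplit(url).query).get("sig", [""])
    return len(sig) == 1 and hmac.compare_digest(sig[0].encode(), tag_for(call_sign, key).encode())


if __name__ == "__main__":
    # Constructed sample scans: only the first should be opened by the app.
    for scan in ("https://abcfreight.com/SC3727G/", "http://abcfreight.com/SC3727G/",
                 "https://abcfreight.com.lookalike.example/SC3727G/"):
        print(scan, "->", scanned_call_sign(scan))
```

The app-side function needs no secret, so it can ship in the scanner; the tag check belongs only on the server, where the key is held.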