Does Your QR Code Scanner Spy On You?

I selected two Android barcode reader apps to examine for this post, NeoReader from Neomedia and Barcode Scanner by ZXing Team. There are lots of readers that exhibit the same behavior as one or other of these two, but this particular pair illustrates the point I am going to make rather well.

What I wanted to do:

I wanted to see details of the web traffic produced by these apps when being used on my mobile.

How I did it:

I put both apps on my Samsung Galaxy S II running Android 2.3.3.

I installed Fiddler2 on my PC. Fiddler2 is a web debugging proxy which logs all HTTP(S) traffic between your computer and the Internet.

I set up Fiddler2 to allow remote computers to connect and to act as the system proxy on startup.

I ascertained what port Fiddler2 was listening on and the wireless network IP address of my PC.

On my mobile I selected Settings —> Wireless and network —> Wi-Fi settings —> menu —> Advanced, where I was able to set the proxy IP address and port for the Wi-Fi connection.

Fiddler2 was now recording all web traffic from my mobile.

What I did:

QR Code for the BBC news mobile site

I scanned the QR Code on the left which is encoded as http://www.bbc.co.uk/news/mobile/ with both scanners, viewed the webpage in the browser and recorded the data sent by the apps.
Results for Barcode Scanner:

GET /news/mobile/ HTTP/1.1
Host: www.bbc.co.uk
Connection: keep-alive
Accept-Encoding: gzip
Accept-Language: en-GB, en-US
x-wap-profile: http://wap.samsungmobile.com/uaprof/GT-I9100.xml
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; en-gb; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Cookie: BBC-UID=843eb9e5bfe6331cd8e82b94e17cf62861c86a3660c0112f127976a4d74142840Mozilla%2f5%2e0%20%28Linux%3b%20U%3b%20Android%202%2e3%2e3%3b%20en%2dgb%3b%20GT%2dI9100%20Build%2fGINGERBREAD%29%20AppleWebKit%2f533%2e1%20%28KHTML%2c%20like%20Gecko%29%20Version%2f4%2e0%20Mobile%20Safari%2f533%2e1; s1=4E95F63D0F0B036A
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

Results for NeoReader:

GET /gwv4/gateway?CODE=http%3A%2F%2Fwww.bbc.co.uk%2Fnews%2Fmobile%2F&LANG=EN&AGE=&CTRY=&GEND=&LTS=201110130958&CLI=NR_ANDROID%3A1.00.33&GUID=416fa5e1500a4ca4ad1a&BRAND=NEOM&BTYPE=Webkit&SYMB=QR&ZZ= HTTP/1.1
Host: router.neom.com
Connection: keep-alive
Accept-Encoding: gzip
Accept-Language: en-GB, en-US
x-wap-profile: http://wap.samsungmobile.com/uaprof/GT-I9100.xml
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; en-gb; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

GET /news/mobile/ HTTP/1.1
Host: www.bbc.co.uk
Connection: keep-alive
Accept-Encoding: gzip
Accept-Language: en-GB, en-US
x-wap-profile: http://wap.samsungmobile.com/uaprof/GT-I9100.xml
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; en-gb; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Cookie: BBC-UID=843eb9e5bfe6331cd8e82b94e17cf62861c86a3660c0112f127976a4d74142840Mozilla%2f5%2e0%20%28Linux%3b%20U%3b%20Android%202%2e3%2e3%3b%20en%2dgb%3b%20GT%2dI9100%20Build%2fGINGERBREAD%29%20AppleWebKit%2f533%2e1%20%28KHTML%2c%20like%20Gecko%29%20Version%2f4%2e0%20Mobile%20Safari%2f533%2e1; s1=4E95F63D0F0B036A
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

So what’s going on?

Barcode Scanner decodes the QR Code as http://www.bbc.co.uk/news/mobile/ and sends a request to get the webpage.

NeoReader decodes the QR Code as http://www.bbc.co.uk/news/mobile/ and sends this information and more to a Neomedia server in the form of a query string. The Neomedia server performs a 302 redirect to http://www.bbc.co.uk/news/mobile/ which results in a further request to get the webpage. The additional information in the query string sent to the Neomedia server includes:

LANG – language entered when installing the app
AGE – age entered when installing the app (optional)
CTRY – country entered when installing the app (optional)
GEND – gender entered when installing the app (optional)
LTS – date and time the QR Code was scanned YYYYMMDDHHMM
CLI – NeoReader platform (NR_ANDROID) and version number (1.00.33)
GUID – Hashed device/software ID (416fa5e1500a4ca4ad1a)

The bottom line is that Barcode Scanner sends a single request to the BBC server only, whereas NeoReader collects data about your usage every time you scan a QR Code. Because every scan carries the same NeoReader device ID, your scans can be aggregated and a complete picture of your scanning behavior obtained.
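To make the difference concrete, here is an added example (not code from the original post or from either app) that parses the two captured request lines above, works out which hosts each scanner contacted, and lists the non-empty fields that were sent to a host other than the one encoded in the QR Code. The request lines and hosts are transcribed from the Fiddler2 capture in the post.

```python
from urllib.parse import urlsplit, parse_qs

# URL encoded in the scanned QR Code (from the post).
QR_CONTENT = "http://www.bbc.co.uk/news/mobile/"

# (Host header, request line) pairs transcribed from the capture above.
CAPTURES = {
    "Barcode Scanner": [
        ("www.bbc.co.uk", "GET /news/mobile/ HTTP/1.1"),
    ],
    "NeoReader": [
        ("router.neom.com",
         "GET /gwv4/gateway?CODE=http%3A%2F%2Fwww.bbc.co.uk%2Fnews%2Fmobile%2F&LANG=EN"
         "&AGE=&CTRY=&GEND=&LTS=201110130958&CLI=NR_ANDROID%3A1.00.33"
         "&GUID=416fa5e1500a4ca4ad1a&BRAND=NEOM&BTYPE=Webkit&SYMB=QR&ZZ= HTTP/1.1"),
        ("www.bbc.co.uk", "GET /news/mobile/ HTTP/1.1"),
    ],
}

# Query fields that identify the device, the user or the scan itself.
TRACKING_FIELDS = {"CODE", "LANG", "AGE", "CTRY", "GEND", "LTS", "CLI", "GUID"}


def parse_request_line(host, line):
    """Split 'GET <target> HTTP/1.1' into host, path and decoded query parameters."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    # parse_qs percent-decodes values; keep_blank_values keeps AGE=, CTRY= etc.
    params = {k: v[0] for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": method, "host": host, "path": parts.path, "params": params}


def analyse(captures, expected_host):
    """Per app: hosts contacted, third-party hosts, and tracking fields sent to them."""
    report = {}
    for app, requests in captures.items():
        parsed = [parse_request_line(h, line) for h, line in requests]
        third_party = [r for r in parsed if r["host"] != expected_host]
        leaked = {k: v for r in third_party for k, v in r["params"].items()
                  if k in TRACKING_FIELDS and v}  # empty optional fields are skipped
        report[app] = {"hosts": [r["host"] for r in parsed],
                       "third_party_hosts": sorted({r["host"] for r in third_party}),
                       "sent_to_third_party": leaked}
    return report


def scanner_report():
    """Compare both scanners against the host the QR Code actually points to."""
    return analyse(CAPTURES, urlsplit(QR_CONTENT).netloc)
```

Running `scanner_report()` shows Barcode Scanner contacting only www.bbc.co.uk, while NeoReader first sends CODE, LANG, LTS, CLI and GUID to router.neom.com; the same check can be run over any other scanner's capture by adding its request lines to CAPTURES.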

The welcome screen for the app (image below) says that none of the data can be associated with you personally, so you may not mind providing it. However, even then you may not want to visit the Neomedia server, at your expense, every time you scan a QR Code.

Screenshot of the NeoReader welcome screen

As I said at the beginning, there are other readers that do something similar, so leave a comment below if you are concerned about your particular reader and I will try to take a look for you.

21 thoughts on “Does Your QR Code Scanner Spy On You?”

  1. As a developer on a QR reader I find this practice appalling. It’s one thing for a QR code to redirect through a site to track how many scans it does but another for the scanner to do that.

    I’ve been told by people that have purchased my app that they sometime scan private data that’s passed around internally via QR code links or other content. If they scanned with another product then perhaps that data would be being sent to a third party and it’s rare for a QR scanner to admit to that upfront.

    I am committed to privacy protection within my apps and that includes scanning QR codes.

    I really appreciate you bringing this subject to light as it’s something you don’t read much about.

  2. Qrafter respects your privacy! I have many other ones installed which use their own gateway though. I wonder what happens when their gateways are inaccessible.

  3. Hello,
    That info that is “optional” on the NeoReader is just that, optional. If you don’t choose to enter it when you set up NeoReader after downloading, it won’t be transmitted. Pretty simple!
    I prefer the NeoReader myself, especially this latest update.

  4. @ReaderFan Maybe it’s too simple for you to understand, 3 variables are optional and 8 are not. All are sent to the Neomedia server with no option to opt-out.

  5. @Bob I didn’t need to test, it’s all in the very open ScanLife Privacy Policy.

    Here is the relevant section:

    Mobile-specific information we collect

    Most of the personally identifying information we collect is what you tell us about yourself. You choose what you want to share and how you want to share it.

    Sometimes, we record your phone number and/or age and gender information. We record your phone number or other information when you send it to us; ask us to remember it; or make a call or send a text message or SMS to or from ScanLife. We will associate your phone number and other information with your ScanLife Account, and/or User ID if you do not have a ScanLife Account and or other User ID, with some other similar account ID. We often generate this User ID based on your device and hardware IDs, so if you change your device or hardware, you will have to re-associate this new device or hardware with your account before we can authenticate you.

    Most of the other information we collect for mobile, such as your device and hardware IDs and device type, the request type, your carrier, your carrier user ID, the content of your request, and basic usage stats about your device and use of ScanLife does not by itself identify you to Scanbuy, though it may be unique or consist of or contain information that you consider personal.

    Certain information, including information you may consider personal to you, may be stored locally on the device using mechanisms such as browser web storage. Please consult your device or client documentation on how to manage such local storage.

    If you are enabling the location base capabilities of your device, you may be sending us location information. This information may reveal your actual location, such as GPS data, or it may not, such as when you submit a partial address to look at a map of the area.

  6. We noticed this in the NeoReader app a while ago and were surprised no one had raised objections. No surprise to see it was you though, Roger! 😉

    No private data collected in Optiscan either, but we may just have an Android version for the New Year 😉

  7. Hmm, nice reply Roger.
    Any personally identifiable info on that “non optional” list?

    I guess it makes a good article…..if you needed a space filler.

  8. Very well done test, and well explained too.
    We recently did a similar experiment using nine different iPhone apps. Besides NeoReader, BeeTagg also used a dedicated company server to route the scan.
    “QR” and “Scan” did not reach their server; I consider this suspicious at least.
    Confirmed that QRafter is clean, and fast.
    Using the 3G network, the re-routed scans were significantly slower than the direct calls.

  9. Roger.

    Thank you for bringing up this topic.

    QR Code Reader companies imposing their own redirect is certainly problematic as it introduces an additional point of resolution/failure.

    Another issue with QR Code Readers is when they load the Destination URL within their App by way of an internal web browser. Various JavaScript and prompts are blocked as a result – to the content owner’s and/or brand’s dismay. This is especially damaging when the destination page requires a prompt to share location necessary to provide a service. The average consumer would never understand why something was not working properly in that situation. Even though these readers allow the person scanning to break the URL out of the reader and launch the URL in the phone’s native web browser – I suspect most people would not realize they could or should do that.

    The issue above is further compounded when the QR Code Reader providers wrap ads around the code’s Destination page. This annoys commercial organizations and brands to no end and limits their ability to recommend the readers that perform that action.

  10. This problem exists more profoundly when URL shortening services are introduced. By placing a simple “+” on the shortened URL, all traffic data can be displayed. Additionally, Scientific American ran a recent article on malware with QR codes.

    This “wild-wild-West” of potential pitfalls makes me conclude that consumers and brands should turn to organizations that “by-law” have requirements about privacy. Those organizations are the MNO’s who agree to such provisions from a regulatory point of view when they agree to acquire spectrum from the Governmental bodies who auction them off to begin with.

    Having worked directly with these entities for decades, it is a MAJOR part of being accepted as “trusted” suppliers. In fact, it has made our business more difficult because of the “legalese” we have to deal with, but in the end, we can assure with authority that when consumers and Brands deal with the MNO and companies like ours, all of the technographic data is “clean”, consumers can TRUST that their anonymity is protected, and the Brands can TRUST their campaigns are protected from their competitors and the “conversations” they have with their target audience are private and one on one. It’s hard work, but it ensures the eco-system that emerges is trusted, safe, and scalable.

  11. It’s too sad WJ did not leave a link home to explain more clearly what type of organizations he is talking about.
    I do generally agree with his comments, that the number of pitfalls and misuse possibilities make it hard for consumers to trust QR-Codes too much.
    But: where I live, not all MNO’s are trusted too much, in spite of regulations and all. Sounds more like setting the fox(es) to keep the geese.

  12. Somewhere, in a back room at Neomedia, someone has a few boxes full of print outs of User data.

    The low-number of Neomedia Readers in the market — and, the even fewer numbers of people using them — means they have pretty much zero-value.

    But, somewhere in their business plan they’ve sold someone on the fact that they are accumulating user information that is as valuable as Google or Facebook have.

    The reality is they have bupkus. Unless they had tens- or hundreds- of millions of scans and data on hand that they could TURN INTO VALUABLE information (not raw data), it’s worth nothing.

    That said, it’s pretty sleazy.

  13. Roger – i-nigma is another app that I’ve noticed points to their own server before redirecting to the destination. I’d be curious to know what they’re collecting. It’s a great scanner otherwise, but that “feature” keeps me using Barcode Scanner. (I’m on Android)

    Thanks for posting this!
