A User Study of Security Warnings for
Detecting QR Code Based Attacks on Android Phone


Dongwan Shin+ and Huiping Yao

 
Secure Computing Laboratory
New Mexico Tech, Socorro, NM, USA
{doshin, hyao}@nmt.edu
 

Abstract

A security analysis of existing QR (Quick Response) code scanners on Android was conducted recently, and the result shows that most of those scanners were not able to detect attacks exploiting malicious URLs embedded in QR codes, especially phishing and malware attacks. In our previous study, we proposed a QR code scanner solution called SafeQR that utilized two well-known security APIs in order to improve the detection rate of those attacks. In this paper we discuss in detail a user study conducted to investigate the effectiveness of SafeQR, primarily from the perspective of the user's security perception. Specifically, we first discuss how to design the security warnings of SafeQR using Microsoft's NEAT (Neat, Explained, Actionable, Tested) and SPRUCE (Source, Process, Risk, Unique, Choices and Evidence), and then we present how to design our user study to test their effectiveness. The result of our user study is promising, showing that SafeQR enables better user perception of imminent security threats, compared to other QR code scanners.

 

Keywords: QR code security, phishing, malware, visual warning, and user study

 

+: Corresponding author: Dongwan Shin

Computer Science Department New Mexico Tech, Socorro, NM 87801, USA, Tel: 1-575-835-6459

 

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA),

Vol. 4, No. 4, pp. 49-64, December 2013