
Currently there is this design of two apps that work together:

  1. Proof app: On the customer's phone, takes in a textcode and creates a QR code
  2. Scanner app: On the host's phone, scans the QR code and displays some information like birthday, initial and valid date. Does not connect to the internet for this.

Both applications will be open source.

My question: Is there a fundamentally solid way to prevent people from generating a false QR code, for instance with a different birthday, initial or valid date?

We may assume that the consumer can build a new app based on the source code of both apps. However, we may also assume they do not have access to a textcode that would give the normal app the desired QR code.


My thoughts so far:

  1. Obviously we cannot prevent the user from altering the QR code, but perhaps we can make sure he cannot alter it into something useful.
  2. To deter brute forcing, presumably the QR code should contain one 'output' which gets translated in the scanner app to the various pieces of information (as opposed to having each individual property translated separately).
  3. I don't think this is possible: perhaps if the QR code and text code are complex enough then even with full knowledge of the code brute forcing approaches would be impractical, but how can you prevent general reverse engineering?

If it is not possible to avoid this for a single individual who is willing to make an effort, would it conceptually still be possible to prevent at least a cracked app which is distributed to the public easily?

Dennis Jaheruddin
  • How is the textcode generated? Online or offline? – ThoriumBR Mar 19 '21 at 11:45
  • The input text is generated on a server somewhere online, let us assume that part is secure. – Dennis Jaheruddin Mar 19 '21 at 13:52
  • You are trying to use QR-codes as a security mechanism, they are not. Mentally replace QR-code with, *"writes info on paper, and types it in."* – user10216038 Mar 20 '21 at 14:47
  • @user10216038 I don't get the problem with that. Suppose I write down 'adf89afbiuafsifasdifh' and that means 'my social security number ends in xxxx I am allowed to enter on 1 jan', that does not give me a way to come to a writing that means 'my social security number ends in xxx and I am allowed to enter on 2 jan' – Dennis Jaheruddin Mar 24 '21 at 10:29
  • Did you get any further with your problem? Something that's not apparent from your question: must the user provide any information to obtain the initial token? (ie. what you've referred to as the 'textcode') Or, do they just select the date at that time? – brynk Apr 19 '21 at 08:42

1 Answer

> Both applications will be open source.

> If it is not possible to avoid this for a single individual who is willing to make an effort, would it conceptually still be possible to prevent at least a cracked app which is distributed to the public easily?

These two sentences are mutually exclusive. If it's open source it's trivial to create an alternate version of it that does something else than what you envision. Furthermore, why are you focusing on integrity of the application and not the data?

Sign the data that is provided in the QR-code. This way, it doesn't matter what app people use; the data in the QR code is signed by you. You'll obviously have to verify information before signing, but after it's signed, it's trivial to verify that it is not changed.

The numbered ideas you provide are mainly security through obscurity. Don't bother. It's trivially bypassed in much less time than you think.

vidarlo
  • I am not sure I understand the signing idea. Users only obtain a textcode and to use the app on their own device to generate the QR code. -- Also, suppose the consumer would NOT have access to the Scanner app and logic within (though consumer app remains open source), would that change the equation? – Dennis Jaheruddin Mar 19 '21 at 13:56
  • Then it's probably unsolvable. – vidarlo Mar 19 '21 at 14:06
  • By unsolvable, do you mean that if the scanner is an inaccessible black box, the system could conceptually work? – Dennis Jaheruddin Mar 24 '21 at 10:31
  • No, simply that if you have no venue of verification you can't verify data. Signing data provides means for verification. Online verification is another possibility. Closed source is merely security through obscurity. – vidarlo Mar 24 '21 at 10:56
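
The signing approach from the answer, sketched as an added example that is not part of the original thread or of either app. It assumes the server issues the textcode as signed claims and the proof app only renders that string as a QR code; Ed25519, the `body.signature` layout and all names (`Claims`, `IssueToken`, `VerifyToken`) are choices made for this sketch.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims are the fields the scanner displays; ValidUntil is YYYY-MM-DD (assumed format).
type Claims struct{ Birthday, Initial, ValidUntil string }

var b64 = base64.RawURLEncoding

// IssueToken runs on the server only; the private key never reaches either app.
func IssueToken(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c) // a struct of strings cannot fail to marshal
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body))
}

// VerifyToken runs offline in the scanner, which ships only the public key.
// The signature is checked before any field is parsed or trusted.
func VerifyToken(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, fmt.Errorf("malformed token")
	}
	body, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, body, sig) {
		return c, fmt.Errorf("bad signature")
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	end, err := time.Parse("2006-01-02", c.ValidUntil) // valid through that day, UTC
	if err != nil || !now.Before(end.AddDate(0, 0, 1)) {
		return Claims{}, fmt.Errorf("not valid on this date")
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	tok := IssueToken(priv, Claims{"1990-05-17", "D", "2021-03-31"})
	fmt.Println(VerifyToken(pub, tok, time.Date(2021, 3, 19, 12, 0, 0, 0, time.UTC)))
}
```

Publishing the scanner source, including the embedded public key, gives a modified proof app nothing to sign with, so a QR code with an altered birthday or valid date fails verification.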