Currently there is this design of two apps that work together:
- Proof app: On the customer's phone; takes in a textcode and creates a QR code.
- Scanner app: On the host's phone; scans the QR code and displays some information like birthday, initial and valid date. Does not connect to the internet for this.
Both applications will be open source.
My question: Is there a fundamentally solid way to prevent people from generating a false QR code, for instance with a different birthday, initial or valid date?
We may assume that the consumer can build a new app based on the source code of both apps. However, we may also assume they do not have access to a textcode that would give the normal app the desired QR code.
My thoughts so far:
- Obviously we cannot prevent the user from altering the QR code, but perhaps we can make sure he cannot alter it into something useful.
- To deter brute forcing, presumably the QR code should contain one 'output' which gets translated in the scanner app to the various pieces of information (as opposed to having each individual property translated separately).
- I don't think this is possible: perhaps if the QR code and textcode are complex enough, then even with full knowledge of the code, brute-forcing approaches would be impractical, but how can you prevent general reverse engineering?
If it is not possible to prevent this for a single individual who is willing to make an effort, would it conceptually still be possible to at least prevent a cracked app from being easily distributed to the public?
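The standard way to make an open-source scanner robust against forged codes is to put the secret in a key rather than in the code: the issuer signs the payload with a private key that is never shipped in either app, and the scanner only carries the issuer's public key. The sketch below is an added example (not the poster's design); the pipe-separated payload, the base64url layout and the Ed25519 choice are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Claim is the information the scanner displays after a successful check.
type Claim struct{ Birthday, Initial, ValidUntil string }

// Issue runs on the issuer's side, never on the customer's phone: the private
// key is the only secret, so publishing both apps' source reveals nothing useful.
// QR text layout (assumed): base64url(payload) + "." + base64url(signature).
func Issue(priv ed25519.PrivateKey, c Claim) string {
	payload := []byte(c.Birthday + "|" + c.Initial + "|" + c.ValidUntil)
	sig := ed25519.Sign(priv, payload) // Ed25519 is deterministic, 64-byte sig
	enc := base64.RawURLEncoding.EncodeToString
	return enc(payload) + "." + enc(sig)
}

// Verify is what the scanner runs offline with only the issuer's public key.
// Any change to birthday, initial or valid date invalidates the signature.
func Verify(pub ed25519.PublicKey, qr string) (Claim, bool) {
	parts := strings.Split(qr, ".")
	if len(parts) != 2 {
		return Claim{}, false
	}
	dec := base64.RawURLEncoding.DecodeString
	payload, errP := dec(parts[0])
	sig, errS := dec(parts[1])
	if errP != nil || errS != nil || !ed25519.Verify(pub, payload, sig) {
		return Claim{}, false
	}
	f := strings.Split(string(payload), "|")
	if len(f) != 3 {
		return Claim{}, false
	}
	return Claim{Birthday: f[0], Initial: f[1], ValidUntil: f[2]}, true
}

func main() {
	// Constructed demo key pair; in deployment the public key is baked into
	// the scanner app and the private key stays with the issuer.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	qr := Issue(priv, Claim{"1990-01-01", "AB", "2021-07-01"})
	c, ok := Verify(pub, qr)
	fmt.Println(c, ok)
}
```

A user who rebuilds the scanner to skip Verify only fools a host who installs that rebuilt copy, so the host's scanner must come from a trusted build; the proof app itself can be modified freely without producing a code that a genuine scanner accepts.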