A User Study of Security Warnings for Detecting QR Code Based Attacks on Android Phone

The security analysis of existing QR (Quick Response) code scanners on Android was conducted recently and the result shows that most of those QR code scanners were not able to detect attacks exploiting malicious URLs embedded in QR codes, especially phishing and malware attacks. In our previous study, we proposed a QR code scanner solution called SafeQR that utilized two well-known security APIs in order to improve the detection rate of those attacks. In this paper we discuss in detail a user study conducted to investigate the effectiveness of SafeQR, primarily from the perspective of user’s security perception. Specifically, we first discuss how to design the security warnings of SafeQR using Microsoft’s NEAT (Neat, Explained, Actionable, Tested) and SPRUCE (Source, Process, Risk, Unique, Choices and Evidence), and then we present how to design our user study to test their effectiveness. The result of our user study is promising, showing that SafeQR enables better user perception of imminent security threats, compared to other QR code scanners.