• Re: Recognising (or not) QR codes

    From Marion@marion@facts.com to comp.mobile.android on Fri Jul 4 17:20:53 2025
    From Newsgroup: comp.mobile.android

    On 3 Jul 2025 19:28:20 GMT, Frank Slootweg wrote :


    > (As I wrote,) Our banks, government, medical institutions, etc., etc.
    > exactly *do* use QR codes "for financial transactions or other security
    > sensitive activities", like login, transaction approval, etc., etc.
    >
    > That QR codes can be used in dangerous ways, does not mean they can
    > only be used that way.

    I've studied every poster to this newsgroup, to better understand them.

    Since I'm always logical and sensible I agree with anyone who makes
    logically sensible statements, such as that Frank just made above.

    The fact anyone has to tell this to Joerg tells us something about Joerg.

    Joerg, like VanguardLH/Vanguard, Mayayana/Newayana, JP Gilliver/John
    Gilliver, et al., are the type I refer to as "racist" mentalities.

    It's not that they're racist per se, but they "think" like racist people do
    in that they take one fact and then form the most solidly wrong assessments
    about that fact, simply because in some cases QR codes can be malicious.

    To them, if one QR code is malicious, all QR codes are malicious.
    What type of person thinks that way?

    HINT: Look up Myers-Briggs "strongly judgmental" personality types.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From ram@ram@zedat.fu-berlin.de (Stefan Ram) to comp.mobile.android on Fri Jul 4 18:30:16 2025
    From Newsgroup: comp.mobile.android

    Marion <marion@facts.com> wrote or quoted:
    > To them, if one QR code is malicious, all QR codes are malicious.

    If just one QR code out of a hundred is bad, that means you
    have a one percent shot at running into a malicious one.

    Security is all about checking everything in a group, since
    you never know which ones might be sketchy. Like, here in
    Berlin, if you show up to a concert with a bag, some guy is
    going to look through it. Even if hardly any bags have anything
    they shouldn't, they still have to check every single one.

    I really don't have any hands-on experience with QR codes, and
    I barely know how they work, but I figure they just hold URIs
    that get opened up. That would make them active content.

    Letting stuff run without the user doing anything is risky,
    kind of like letting macros go off in a doc file as soon as you
    open it. Imagine if every time you downloaded an exe, it just ran
    right away. That would be a nightmare!

    So, if that's actually how QR codes work, that needs to be
    fixed. When you scan a QR, it should just show you the text
    and let you copy it if you want. If you decide to open it
    as a URI, that should be your call.


  • From Andy Burns@usenet@andyburns.uk to comp.mobile.android on Fri Jul 4 19:47:51 2025
    From Newsgroup: comp.mobile.android

    Stefan Ram wrote:

    > Letting stuff run without the user doing anything is risky,
    > kind of like letting macros go off in a doc file as soon as you
    > open it. Imagine if every time you downloaded an exe, it just ran
    > right away. That would be a nightmare!
    >
    > So, if that's actually how QR codes work, that needs to be
    > fixed. When you scan a QR, it should just show you the text
    > and let you copy it if you want. If you decide to open it
    > as a URI, that should be your call.

    Despite what Vanguard said, I'm not aware of any QR app that
    automatically visits a URL, or connects to a wifi SSID, or calls a phone
    number *just* because you scanned one of those types of QR code ... it's
    akin to saying mice are dangerous because you can click links with a mouse.

  • From Marion@marion@facts.com to comp.mobile.android on Fri Jul 4 18:51:58 2025
    From Newsgroup: comp.mobile.android

    On 4 Jul 2025 18:30:16 GMT, Stefan Ram wrote :


    > If just one QR code out of a hundred is bad, that means you
    > have a one percent shot at running into a malicious one.
    >
    > Security is all about checking everything in a group, since
    > you never know which ones might be sketchy. Like, here in
    > Berlin, if you show up to a concert with a bag, some guy is
    > going to look through it. Even if hardly any bags have anything
    > they shouldn't, they still have to check every single one.
    >
    > I really don't have any hands-on experience with QR codes, and
    > I barely know how they work, but I figure they just hold URIs
    > that get opened up. That would make them active content.
    >
    > Letting stuff run without the user doing anything is risky,
    > kind of like letting macros go off in a doc file as soon as you
    > open it. Imagine if every time you downloaded an exe, it just ran
    > right away. That would be a nightmare!
    >
    > So, if that's actually how QR codes work, that needs to be
    > fixed. When you scan a QR, it should just show you the text
    > and let you copy it if you want. If you decide to open it
    > as a URI, that should be your call.

    Your example is spot on the money, as is your approach to security.
    And your point of view seems to me to be sensibly logical & reasonable.

    While my initial posts to this thread prove I don't usually deal with QR
    codes, many people already mentioned in this thread that if the QR code
    resolves to a URL, it's no different than any other URL on your system.

    They all mentioned to Joerg that whether or not that URL is "active"
    depends on how the user has set up their phone once it resolves the URL.

    Does the phone ask the user to manually approve "going to" that URL?
    Or does the phone just automatically "go to" that URL?

    I don't know really, as I said from the start I was only helping out the OP
    by suggesting QR code readers that I had tested long ago & didn't fail.

    I suspect it depends on how the user sets up the system to act on URLs.
    But I'll let those who actually use QR codes in daily use answer that.
  • From Marion@marion@facts.com to comp.mobile.android on Fri Jul 4 23:59:50 2025
    From Newsgroup: comp.mobile.android

    On Fri, 4 Jul 2025 19:47:51 +0100, Andy Burns wrote :


    >> So, if that's actually how QR codes work, that needs to be
    >> fixed. When you scan a QR, it should just show you the text
    >> and let you copy it if you want. If you decide to open it
    >> as a URI, that should be your call.
    >
    > Despite what Vanguard said, I'm not aware of any QR app that
    > automatically visits a URL, or connects to a wifi SSID, or calls a phone
    > number *just* because you scanned one of those types of QR code ... it's
    > akin to saying mice are dangerous because you can click links with a mouse.

    No, out here, mice are dangerous 'cuz they carry the hantavirus, which,
    unfortunately for us, has a 1/3rd mortality rate, which is scary.

    Thanks Andy for answering that question since we all learn from each
    other, and since I, personally, have little experience with QR codes.

    I suspect you "can" set up a QR-code-reading app to "automatically" visit
    the URL, but, before I even say it, I realize how absurd that would be in a
    typical environment (although in some vetted environments, it could be set
    up to automatically visit the site - such as in store-management tasks).

    With that in mind, and knowing nothing from Joerg (or Vanguard) is
    balanced, I would say what I do on Windows & Android is I set up the
    *default* web browser to be something that does NOT auto-visit links.

    For example, Tor browser is my default web browser on all platforms.
    My Tor browser is set up NOT to connect when it's brought up.

    This means no URL has a chance of executing automatically that way.

    (Of course, malicious code can choose any browser, I guess, but even then,
    I don't have any of the normal browsers on my phone so maybe not for me.)
  • From Carlos E.R.@robin_listas@es.invalid to comp.mobile.android on Sat Jul 5 20:10:52 2025
    From Newsgroup: comp.mobile.android

    On 2025-07-04 20:30, Stefan Ram wrote:

    ...

    > I really don't have any hands-on experience with QR codes, and
    > I barely know how they work, but I figure they just hold URIs
    > that get opened up. That would make them active content.

    They hold text. And that text can be anything, including a URL.
    --
    Cheers, Carlos.
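
Added example, not part of any post in this thread: a sketch of the scanner behaviour Stefan Ram and Andy Burns describe, where the decoded payload is treated as plain text, the app states what acting on it would do, and the decision stays with the user. The function name, warning wording and sample payloads are assumptions made for illustration; the `WIFI:` layout is the de facto convention used by common scanner apps.

```python
import re
from urllib.parse import urlsplit

def describe_scan(payload: str) -> dict:
    """Classify decoded QR text. Nothing is opened, joined or dialled here."""
    text = payload.strip()
    out = {"kind": "text", "show": text, "action": None, "warnings": []}
    warn = out["warnings"].append
    if any(ord(c) < 32 and c not in "\t\r\n" for c in text):
        warn("contains control characters")
    if text.upper().startswith("WIFI:"):
        # De facto Wi-Fi payload: WIFI:T:<auth>;S:<ssid>;P:<password>;;
        f = dict(re.findall(r"([A-Z]):((?:\\.|[^;\\])*);", text[5:]))
        auth = f.get("T", "nopass")
        out.update(kind="wifi", action=f"join Wi-Fi network {f.get('S', '')!r} ({auth})")
        if auth.lower() == "nopass":
            warn("open network, traffic is not encrypted")
        return out
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", text)
    if not m or re.search(r"\s", text):
        return out  # plain text: display it and offer "copy" only
    scheme = m.group(1).lower()
    if scheme == "tel":
        out.update(kind="tel", action=f"call {text[4:]}")
    elif scheme in ("http", "https"):
        try:
            parts = urlsplit(text)
            host, user = parts.hostname or "", parts.username
        except ValueError:
            warn("malformed URL")
            return out
        out.update(kind="url", action=f"open {host} in the browser")
        if scheme == "http":
            warn("not HTTPS")
        if user is not None:
            warn(f"text before '@' is not the site; the real host is {host}")
        if re.fullmatch(r"[0-9.]+|.*:.*", host):
            warn("host is a raw IP address")
        if host.startswith("xn--") or ".xn--" in host:
            warn("punycode host name, may imitate another domain")
    else:
        out.update(kind="uri", action=f"hand to the app registered for '{scheme}:'")
        warn("non-web URI scheme")
    return out

# Constructed sample payloads (not taken from the thread).
SAMPLES = ["Table 12", "https://example.com/menu", "tel:+4930123456",
           "http://bank.example@203.0.113.7/login", "WIFI:T:WPA;S:CafeGuest;P:hunter2;;"]
```

A caller would show `show`, `action` and `warnings` in a confirmation dialog and act only after the user accepts; an `action` of `None` means there is nothing to confirm beyond copying the text.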