Encrypting QR Codes with Qrafter

Using Qrafter or Qrafter Pro, you can easily encrypt the contents of a generated QR Code, so that the content can only be revealed with the correct password. To do this, tap the padlock icon that can be found at the bottom right of the QR Code screen on iPhone, or next to the generated QR Code on iPad.

Prior to version 17.3, the codes were encrypted using DES, which made the feature something of a gimmick. DES encryption is weak and can easily be cracked. I had chosen DES only for practical reasons related to export regulations and because the encrypted content would not be much bigger than the original content.

With version 17.3 and later, Qrafter and Qrafter Pro use AES-256 when encrypting QR Codes. This means the content is encrypted using industry standard encryption and can be used with confidence in any case without the risk of easy cracking. The only downside of strong encryption is that AES-256 encrypted content is longer than DES encrypted content, so you will not be able to encrypt content that is very long (more than a couple thousand characters).

For encryption, Qrafter and Qrafter Pro now use RNCryptor. I chose this library over others because its developer follows strict standards for encryption, and that is similar to my approach to writing code. Without established standards, apps don’t perform as expected, resulting in poor usability.

Qrafter and Qrafter Pro first encrypt the content using RNCryptor, base64 encode the whole encrypted data and then prepend ENC: to the base64 encoded string, which gives the following format:

ENC:BASE64_ENCODED_ENCRYPTED_CONTENT

If you would like to decrypt the content yourself in your app or on your web page after scanning, first base64 decode the BASE64_ENCODED_ENCRYPTED_CONTENT and then decrypt the resulting data using RNCryptor with default settings and the correct password.
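The decryption steps described above, as an added Node.js example (not Qrafter's or RNCryptor's own code). It assumes the payload uses the RNCryptor v3 password-based layout (PBKDF2-HMAC-SHA1 with 10,000 rounds, AES-256-CBC, HMAC-SHA256 over header and ciphertext); `decryptQrafterPayload` and `makeSample` are hypothetical names, and the sample code is constructed locally rather than taken from a real scan.

```javascript
const crypto = require('node:crypto');

const ROUNDS = 10000; // assumed RNCryptor v3 default for password-based keys

function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(Buffer.from(password, 'utf8'), salt, ROUNDS, 32, 'sha1');
}

// Assumed v3 layout:
// version(1) options(1) encSalt(8) hmacSalt(8) iv(16) ciphertext(n*16) hmac(32)
function decryptQrafterPayload(scanned, password) {
  if (!scanned.startsWith('ENC:')) throw new Error('not an encrypted Qrafter code');
  const data = Buffer.from(scanned.slice(4), 'base64');
  if (data.length < 34 + 16 + 32) throw new Error('payload too short');
  if (data[0] !== 3 || (data[1] & 1) !== 1) throw new Error('unsupported RNCryptor header');

  // Authenticate before decrypting: the HMAC covers everything except itself.
  const body = data.subarray(0, data.length - 32);
  const tag = data.subarray(data.length - 32);
  const hmacKey = deriveKey(password, data.subarray(10, 18));
  const expected = crypto.createHmac('sha256', hmacKey).update(body).digest();
  if (!crypto.timingSafeEqual(tag, expected)) {
    throw new Error('wrong password or modified data');
  }

  const encKey = deriveKey(password, data.subarray(2, 10));
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, data.subarray(18, 34));
  const plain = Buffer.concat([decipher.update(body.subarray(34)), decipher.final()]);
  return plain.toString('utf8');
}

// Builds a constructed sample in the same layout so the example runs offline.
function makeSample(plaintext, password) {
  const encSalt = crypto.randomBytes(8);
  const hmacSalt = crypto.randomBytes(8);
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', deriveKey(password, encSalt), iv);
  const body = Buffer.concat([Buffer.from([3, 1]), encSalt, hmacSalt, iv,
    cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = crypto.createHmac('sha256', deriveKey(password, hmacSalt)).update(body).digest();
  return 'ENC:' + Buffer.concat([body, tag]).toString('base64');
}
```

A failed HMAC check cannot distinguish a wrong password from a code that was altered after encryption, so both cases should be reported to the user the same way.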

The story of the name, Qrafter

It has been 6 years since I wrote and published Qrafter on the App Store and unfortunately, its name still creates confusion with some people.

When I first decided to write a QR Code app, I tried to find a good name that was not generic and had something to do with QR Codes. I wanted to create an app that could both create and scan QR Codes and tried to play with the word, create. Some names like Qrusher or Qreate did not sound good, then I found a word play with “craft”, resulting in “qraft” and hence, Qrafter. 🙂

Some people think that the name of the app comes from “QR-after”, and they pronounce it like that, but that is not the case. It comes from the ability to “craft” —or “qraft” if you like— QR Codes while at the same time scanning them.

Qrafter and x-callback-url

Qrafter and Qrafter Pro can be called from web pages or other apps in two ways:

  • Using the https://qrafter.com/x-callback-url/scan universal app link URL
  • Using the qrafter:// URL scheme

Using the universal app link URL, which is available with version 17.2 and later, has the benefit of redirecting the user to download Qrafter if the user does not have Qrafter or Qrafter Pro installed. Also, with it, malicious apps that may try to hijack the qrafter:// URL scheme will be unsuccessful, resulting in a much more secure implementation.

Both ways support the x-callback-url specification for returning the scanned values. To correctly call Qrafter or Qrafter Pro from your app or web page, you’ll need to use the following:

https://qrafter.com/x-callback-url/scan?x-source=YOUR_SOURCE_NAME&x-success=SUCCESS_RETURN_URL&x-cancel=CANCEL_RETURN_URL&browser=external

or

qrafter://x-callback-url/scan?x-source=YOUR_SOURCE_NAME&x-success=SUCCESS_RETURN_URL&x-cancel=CANCEL_RETURN_URL&browser=external

You’ll obviously need to URL encode all variable values, so that Qrafter and Qrafter Pro can decode them correctly. So here is what the variables mean:

  • x-source: Your app or page name. For example, if you were calling from an app called “Your App”, you would use Your%20App here.
  • x-success: The URL to be called after successful scanning. It can be an app URL or web page URL.
  • x-cancel: The URL to be called if the user cancels the scan. This is optional.
  • browser: This is not an x-callback-url variable. It is unique to Qrafter and Qrafter Pro. If your return URL points to a web page and you add this variable, Qrafter or Qrafter Pro will return to your web page using Safari. If this variable does not exist, then the in-app browser of Qrafter or Qrafter Pro will be used.

So, how will the contents of a scan be returned to your app or website? You’ll need to add {CODE} to the SUCCESS_RETURN_URL for Qrafter or Qrafter Pro to replace with the scan results. Here is an example:

x-success=https://yoursite.com/return.php?code={CODE}

Again, don’t forget to URL encode the variable value. It is not URL encoded in the example for the sake of readability.
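The call URL with its values actually URL encoded, as an added JavaScript example (not code from Qrafter). `buildScanUrl` and `readParam` are hypothetical helper names; "Your App" and yoursite.com are the page's own placeholder values.

```javascript
// Builds the scan URL described above, percent-encoding every variable value.
function buildScanUrl({ source, success, cancel, externalBrowser = false, universal = true }) {
  // Without the placeholder the scan result would never reach the caller.
  if (!success.includes('{CODE}')) {
    throw new Error('x-success needs a {CODE} placeholder');
  }
  const base = universal
    ? 'https://qrafter.com/x-callback-url/scan' // universal app link (17.2 and later)
    : 'qrafter://x-callback-url/scan';          // custom URL scheme
  const params = [['x-source', source], ['x-success', success]];
  if (cancel) params.push(['x-cancel', cancel]);             // optional
  if (externalBrowser) params.push(['browser', 'external']); // Qrafter-specific
  return base + '?' + params
    .map(([name, value]) => `${name}=${encodeURIComponent(value)}`)
    .join('&');
}

// Decodes one variable again, to confirm the nested return URL and its
// {CODE} placeholder survive the encoding intact.
function readParam(callUrl, name) {
  return new URL(callUrl).searchParams.get(name);
}

const callUrl = buildScanUrl({
  source: 'Your App',
  success: 'https://yoursite.com/return.php?code={CODE}',
  externalBrowser: true,
});
console.log(callUrl);
console.log(readParam(callUrl, 'x-success'));
```

The encoding matters most for x-success: its own `?` and `=` would otherwise be read as part of the outer query string.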

You can contact me if you have any questions about using this URL scheme to scan codes.