Difference between Qrafter and Qrafter Pro

You’ll see that Qrafter has two versions, Qrafter and Qrafter ProQrafter is a FREE app and Qrafter Pro is $3.99. Why two versions?

The two apps share the exact same code base and have the same abilities. Qrafter is supported by ads which can be removed by purchasing its in app purchase called Pro PackQrafter Pro on the other hand, comes with Pro Pack enabled when you purchase it.

So if you want to have the best QR Code app for iOS or iPadOS that can both scan and generate QR Codes along with Data Matrix, Aztec Codes, PDF417 and various other barcode formats, while being completely FREE with ad support, download Qrafter. If you don’t want to see ads, purchase Pro Pack directly inside Qrafter or uninstall the app and purchase Qrafter Pro.

Qrafter Pro was created so that educational institutions can benefit from volume purchases. Also some people like to purchase full apps directly from the App Store instead of using in app purchases. So these two versions will cover all bases.

You can download Qrafter from here and Qrafter Pro from here.

This post was first featured on this page.

Google Safe Browsing API support removed

On version 29 of Qrafter and Qrafter Pro, I had to remove Google Safe Browsing API support, which was responsible for checking malicious URLs in scanned codes. The reason for this is, Google no longer accepts commercial use of its Safe Browsing API by November 11, 2019 and wants all users of it to start using the new Web Risk API, which has very limited free-tier quotas.

That means, if I wanted to continue providing this service using Web Risk API, it would be costing more than 1000 USD per month to me, which is expensive.

Safe Browsing API will continue to be free for non profit organizations and mainstream browsers. So, with the default in app browser change to iOS provided Safari, that I implemented in May 2019, there should be virtually no security risk from known malicious URLs, because iOS will be handling the checks from now on, instead of Qrafter or Qrafter Pro, which will still continue to unfold short URLs and show you the final URL. If you are using Qrafter’s own in app browser, I recommend that you change it to in app Safari from now on. I may need to remove Qrafter’s in app browser altogether in the future for a more secure app experience.

Encrypting QR Codes with Qrafter

Using Qrafter or Qrafter Pro, you can easily encrypt the contents of a generated QR Code, so that the content can only be revealed with the correct password. To do this, tap the padlock icon that can be found at the bottom right of the QR Code screen on iPhone, or next to the generated QR Code on iPad.

Prior to version 17.3, the codes were encrypted using DES encryption which made it some kind of a gimmick. DES encryption is weak and can easily be cracked. I had chosen DES only for practical reasons on export regulations and for the fact that the encrypted content would not be much bigger than the original content.

With version 17.3 and later, Qrafter and Qrafter Pro use AES-256 when encrypting QR Codes. This means the content is encrypted using industry standard encryption and can be used with confidence in any case without the risk of easy cracking. The only downside of strong encryption is, the AES-256 encrypted content is longer than DES encrypted content. You will not be able to encrypt content that is very long (more than a couple thousand characters).

For encryption, Qrafter and Qrafter Pro now use RNCryptor. I chose this library over others because its developer follows strict standards for encryption, and that is similar to my approach to writing code. Without established standards, apps don’t perform as expected, resulting in poor usability.

Qrafter and Qrafter Pro first encrypt the content using RNCryptor, base64 encode the whole encrypted data and then prepend ENC: to the resulting base64 encoded string resulting in the following format:


If you would like to decrypt the content yourself on your app or webpage after scanning, first base64 decode the BASE64_ENCODED_ENCRYPTED_CONTENT and then decrypt the resulting data using RNCryptor with default settings, using the correct password.

The story of the name, Qrafter

It has been 6 years since I wrote and published Qrafter on the App Store and unfortunately, its name still creates confusion with some people.

When I first decided to write a QR Code app, I tried to find a good name that was not generic and had to do something with QR Codes. I wanted to create an app that could both create and scan QR Codes and tried to play with the word, create. Some names like Qrusher or Qreate did not sound good, then I found a word play with “craft”, resulting in “qraft” and hence, Qrafter. 🙂

Some people think that the name of the app comes from “QR-after”, and they pronounce it like that, but that is not the case. It comes from the ability to “craft” —or “qraft” if you like— QR Codes while at the same time scanning them.

Qrafter and x-callback-url

Qrafter and Qrafter Pro can be called from web pages or other apps using two ways:

  • Using the https://qrafter.com/x-callback-url/scan universal app link URL
  • Using the qrafter:// URL scheme

Using the universal app link URL, which is available with version 17.2 and later has the benefit of redirecting the user to download Qrafter, if the user does not have Qrafter or Qrafter Pro installed. Also, with it, malicious apps that may try to hijack the qrafter:// URL scheme will be unsuccessful, resulting in a much more secure implementation.

Both ways support the x-callback-url specification for returning the scanned values. To correctly call Qrafter or Qrafter Pro from your app or web page, you’ll need to use the following:

To scan a code:




To create a code (version 20.0 or later):




You’ll obviously need to URL encode all variable values, so that Qrafter and Qrafter Pro can decode them correctly. So here is what the variables mean:

While scanning:

  • x-success: The URL to be called after successful scanning. It can be an app URL or web page URL.
  • x-source (optional): Your app or page name. For example If you were calling from an app called “Your App”, you would use Your%20App here.
  • x-cancel (optional): The URL to be called if the user cancels the scan.
  • browser (optional): This is not an x-callback-url variable. It is unique to Qrafter and Qrafter Pro. If your return URL points to a web page and you add this variable and set it to external, Qrafter or Qrafter Pro will return to your web page using Safari. If this variable does not exist, then the in app browser of Qrafter or Qrafter Pro will be used.
  • base64 (optional): This also is not an x-callback-url variable. It is unique to Qrafter and Qrafter Pro. If you want the returned scan results to be encoded using base64 to avoid any url encoding problems, set it to yes. This variable only works on version 19.3 or later.

While creating:

  • content: This string will be the content of your code.
  • base64 (optional): If you’d rather base64 encode the content while sending to Qrafter or Qrafter Pro instead of URL encoding it, set this to yes. The content will be base64 decoded before sending to creation screen.
  • format (optional): If you want to create a barcode instead of a QR Code, you can add this variable to the URL with one of the following values: ean13, ean8, upca, upce, code39, code93, code128 and codabar. If an invalid value is sent with this variable, or the variable does not exist, a QR Code will be created.

So, how will the contents of a scan will be returned back to your app or website? You’ll need to add {CODE} to the SUCCESS_RETURN_URL for Qrafter or Qrafter Pro to replace with the scan results. Here is an example:


Again, don’t forget to URL encode the variable value. It is not URL encoded in the example for the sake of readability.

You can contact me if you have any questions about using this URL scheme to scan codes.