
Remember QR Codes? They’re More Powerful Than You Think - yarapavan
https://a16z.com/2019/10/30/the-power-of-qr-codes/
======
dirktheman
I like the functionality of QR codes, but the fact that they're not human
readeable makes them unsafe. It would'nt be unthinkable to make a QR-code,
paste it over an existing one (for instance: the QR code in the bar to pay for
a tip) and redirect the user to a spoof website where they can tip me instead
of the bar/musician.

~~~
wccrawford
My QR reader on Android (ZXing's Barcode Reader) shows you the information on
the screen before you decide what you want to do with it. That's as "Human
Readable" as it needs to be, for me.

~~~
m-p-3
Imagine if someone discovers a flaw in the qrcode library and manage to
execute an arbitrary command once read? It's already too late, the device
already read the code.

It's the same kind of issue that's possible with any kind of viewer (Adobe
Reader, Flash Player, etc)

Once the file or data string is read, it's already game over, and both the QR
code and PDF, SWF, etc aren't human-readable.

~~~
shakna
This has actually happened before. [0]

> An exploitable code execution vulnerability exists in the QR code scanning
> functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted QR Code
> can cause a buffer overflow, resulting in code execution.

[0]
[https://talosintelligence.com/vulnerability_reports/TALOS-20...](https://talosintelligence.com/vulnerability_reports/TALOS-2018-0571)

~~~
theamk
Note that it was not in the QR scanner itself -- the parsing part was fine,
the image was always decoded safely. It is the network setup script which
parsed the extracted text which was vulnerable.

And this is not unique to QR codes -- the correct setup string looked like
"b=USmtPf6GnLZYDuR9&s=PCheX14pPg==&p=AbCD123465". This already looks like
gibberish to most people; if this was replaced with evil string, I am not sure
user would realize that.

------
ben_w
Because it says “powerful” rather than “useful”, I was expecting this to be
about surprising data types rather than business cases.

For example, you can make a data URL containing JavaScript and turn that into
a QR code:

[https://kitsunesoftware.wordpress.com/2017/04/10/executable-...](https://kitsunesoftware.wordpress.com/2017/04/10/executable-
images/)

Some QR code readers execute that JavaScript. (Not all, fortunately).

~~~
acbart
Hah! Reminds me of Piet:
[http://www.dangermouse.net/esoteric/piet.html](http://www.dangermouse.net/esoteric/piet.html)

~~~
pugworthy
Ok Piet is pretty sweet...

------
INTPenis
Remember them? This wednesday I saw a giant QR code 2 meters high at a train
station in Copenhagen.

They're very much in use, everywhere. I fail to see how I'd forget about them.

But without even reading the article I know that QR codes are only as powerful
as the app that parses them. They can't do anything on their own, just convey
a chunk of data to a reader.

I believe they caught on more than NFC because they require so little. Just a
camera, which is already present in all devices. While NFC is a much bigger
decision to implement since its field of use is much more restricted.

~~~
atoav
I think you are right on track with your observation. Another thing I might
add:

QR codes can just be printed, by everybody with a printer. Designers don't
need to think a lot about technical details, they just put the QR code into
their layout and send it off to the printing press (or in fact the screen).

Additionally because QR Codes are optical, it doesn't matter if you stand 20
meters away from the billboard if the QR code is big enough, while with NFC
you would have to come close.

------
jillesvangurp
I put a simple image on my homescreen with a QR code of my contact details
some time ago. One thing I like to do when somebody asks me for my details is
just show them the image and tell them to point their iphone camera at it. On
Android, use Google Lense. The look on their faces when the phone offers to
save the contact is priceless.

Apple only added this feature fairly recently. So, people are mostly unaware
of how convenient QR codes can be. Most people I do this to are completely
unaware their phone can do this and it beats having to fumble with apps and
mobile keyboards trying to figure out email addresses, phone numbers, etc.

If you are interested; just google for qr code generator and contact and you
will find dozens of sites offering that. There are plenty of libraries for
generating QR codes client and server side. You can download them as pdf, png,
svg, etc. I puth the document on my Google drive and created a short cut on my
android phone.

~~~
0x38B
Really cool idea. I used Qrafter[1] to make a QR code from my contact.
Uploaded the image to Google Drive, then dragged a GDrive widget onto my home
screen on my Android phone for quick access to the QR code.

Even cooler, on Sunday made friends with someone just back from teaching
English in China, and at lunch we're exchanging phone numbers and I go, "Wait
a minute..." and opened up the image.

She scanned it and immediately demanded to know how I'd done it. Thanks for
the tip! :)

1: [https://apps.apple.com/us/app/qrafter-qr-
code/id416098700](https://apps.apple.com/us/app/qrafter-qr-code/id416098700)

------
onion2k
_" Nomophobia, the fear of low battery on phones, is virtually nonexistent in
China, thanks to the widespread availability of power bank stations"_

Perhaps I'm more paranoid than other people, but plugging your phone in to a
public USB device seems incredibly dangerous to me. At the very least someone
could have tampered with it to damage the next user's device, and at the worst
it could be cloning your device's entire storage.

~~~
greenleafjacob
You are best off buying a “USB condom”, a USB 2.0/3.0 connector with the data
pins removed.

~~~
MereInterest
The problem there is that the USB standard requires the initial power transfer
to be low amperage, and only switches to the high amperage mode on request,
with the request being delivered over the data pins.

~~~
jandrese
USB condoms include a tiny chip that does the negotiation to get full power.
Sometimes they even work better than the phone itself at getting the charger
to give up the juice.

------
0x38B
I use QR codes to quickly share a URL (or text) with my Android phone from my
iPad.

The Shortcut is simple and easy to use (1). If I wanted to do the same thing
on Android, I'd use Termux (2).

\---

My 'Universal Clipboard' is a text file on a VPS. My devices set or get the
contents via SSH. E.g. Android[Termux SSH] > VPS < iOS[Shortcuts 'Run Script
over SSH']. Comes in handy!

1:
[https://www.icloud.com/shortcuts/2190aca622b948258a9024d8dda...](https://www.icloud.com/shortcuts/2190aca622b948258a9024d8dda78b9f)
2: [https://termux.com/](https://termux.com/)

~~~
rz2k
I used QR odes for the same sort of thing, but Firefox sync has gotten so good
at sending tabs to specific devices, including a desktop that might not have a
convenient camera, that it's even more convenient.

~~~
jraph
In the "now that I think about it, it was silly" category, I "copy pasted" a
mail using QR Codes from the computer to the phone while in a train. I could
send the mail from the phone, but it was more convenient to type it with the
computer.

KDE Plasma provides a QR Code for anything not too big you copy-pasted by
clicking on an icon. "It should be more convenient than using the computer as
a Wi-Fi hotspot for the phone, which is a two clicks operation, right?"

Wrong. It was painful.

We should reuse the idea of Quiet.js, seen today on HN [1], to solve this kind
of situation.

[1]
[https://news.ycombinator.com/item?id=21415946](https://news.ycombinator.com/item?id=21415946)

~~~
raksoras
Shameless plug: [http://zipl.ink](http://zipl.ink) is the bookmarklet I use
for the exact same purpose which also keeps record of the interesting links I
zipped to my phone locally as a nice side effect

------
m-i-l
_" Nomophobia, the fear of low battery on phones, is virtually nonexistent in
China, thanks to the widespread availability of power bank stations"_

Actually nomophobia is more than a fear of low battery - it is a fear of being
without a working mobile phone, e.g. due to loss of phone, poor signal or low
battery. It is more of a psychological condition, and proper treatment is to
address the root cause rather than avoid the situation - it would be like
saying heroin addiction is not a problem because there are heroin dealers on
every street corner.

~~~
qplex
I think this is a valid thing to worry about.

It's almost the same thing as worrying about a car breaking down if you're 100
miles from the nearest town.

Yet we don't have a specific "fobia" for that, because it's really not a
mental disorder to worry about such things.

So many things today depend on having a working mobile phone.

~~~
donclark
Curious to hear your thoughts/experience about the 'many things today depend
on having a working mobile phone'. I often do not carry a phone because I use
my laptop at home/office to do most digital things.

~~~
trothamel
I'd say navigating on long road trips is one of them. While my current car has
a built-in GPS, my previous one didn't, and so I was somewhat dependent on
having a working phone in order to navigate.

Now, only somewhat. I generally know how to get home from where I am, and I
figure if my phone were to fail, I could drive until I could find a gas
station with a map. (Or perhaps a convenience store to get a charger cable or
new phone.)

And of course, this fear (of being phoneless) is just an update of an old one
(of being lost). It's really hard to get lost in the modern world of gps and
data.

~~~
roywiggins
You don't _need_ GPS to navigate, but without one you'll want to own a decent
map.

Before GPS people just carried paper maps in their cars. It's harder to find
paper maps at a gas station now, but if you're preparing for a long road trip,
it's not a terrible idea to just bring along a paper map to start with.

~~~
Jach
There was also an intermediate period between everyone using paper maps and
everyone using GPS. I didn't get my first phone until I was 23, before that
for trips I just printed out the google maps directions and some map
screenshots of nearby areas to the destination or stops along the way. Usually
didn't even need that because the US interstate system is well labeled with
road signs. These days I like an online maps navigation just to tell me about
upcoming slowdowns or better routes, find the cheapest gas stations, etc.

------
Tomte
> Because every scan is linked to the shopper’s online profile, the store
> collects valuable data to personalize its customer experience.

No, thank you.

~~~
lol768
>No, thank you.

Do any shoppers actually want this? I have legitimately never walked into a
supermarket and thought "Gee, the experience today just wasn't as personalised
as it could've been. I'll go elsewhere next time".

~~~
netsharc
I was in an airport in China, in the departures area. They had a screen
showing a live video from a camera pointing at passer-bys, it said "Stand
here, we'll scan your face and tell you how to get to your gate". I did, and
it showed my name and where to go. But, when did I link my face to my boarding
pass and agree to this "commercial" use by the airport?

Before you enter China there are machines where you scan your passport, face,
and fingerprints, so that's how they link faces to identities, but the example
above shows the government gives this info out to... at least airport
operators, but whom else?

~~~
ricardobeat
They don't need to give it to anyone, since they already operate everything.

------
andrewstuart
Surprises me that YouTube videos don't use them - instead the YouTubers say:
"click the link in the description" but I am always using a console to watch
YouTube on TV from my couch, so I _never_ click their link.

Also free to air television never uses them.

Also I've never seen one used on the giant screen at a sports game or concert.

Also they could just be used for paying for anything at the checkout.

------
matt_the_bass
My understanding of QR code’s is that they just are a machine readable string
and that string is usually a URL. The phone then is responsible for parsing
the string and doing something (like launching a browser/url or other
installed app). So users are not paying by QR code, users are paying via a web
app and Using the QR code to input the url for that app/item/quantity etc.

Is my understanding incorrect?

~~~
jakub_g
Correct. My (wild guess) understanding is that QR codes took off in China
because of widespread usage of WeChat, which is a do-all mobile app, including
payments etc.

If your QR code requires user to create an account in _your_ webservice or
install _your_ native app to do anything useful, it does not bring much value,
unless everyone around has your native app.

Whereas if you integrate via a an app widely used by all people in the country
(i.e. the QR code is a URL which opens the widely used app with certain
parameters), you're more likely to have people use it.

Classical chicken-and-egg problem and a situation where monopolies do better
than a fragmented market.

~~~
godot
That's one use case; the other use case that's less talked about is when you
use an app where you need to log in on more than 1 device. WhatsApp and
WhatsApp Web's QR login is a good example. One of my side projects,
[http://karaoke.house/](http://karaoke.house/) does something similar as well.

------
novok
QR codes are not good for high throughput situations, like subway gates
although:

[https://atadistance.net/2019/08/13/transit-gate-evolution-
do...](https://atadistance.net/2019/08/13/transit-gate-evolution-do-qr-codes-
suck-for-transit/)

But China is in love with the QR code, so who knows how many years or decades
it will take them to make their subway gates use fast NFC payments.

~~~
s_dev
Both have advantages that make them complimentary identifiers and not actually
that competitive with each other. Ultimately they promote each other rather
than consuming each others market share and I see both last years and years in
to the future.

You can print a QR on paper. You can't do that with NFC.

NFC works in low light conditions -- QRs typically don't. NFC chips have
allocated uids -- QRs are mutable. NFC is expensive and QRs are cheap. QRs are
universal while NFC is tightly controlled.

~~~
ryukafalz
>NFC chips have allocated uids -- QRs are mutable.

NFC is mutable too; the low-cost unpowered chips you'll buy are mostly write-
once read-many, but an NFC device with host card emulation can largely be
whatever you want it to be. I suppose it's analogous to a QR code displayed on
a screen vs. a printed QR code.

~~~
s_dev
>but an NFC device with host card emulation can largely be whatever you want
it to be.

Nope -- even host card emulation can't emulate the UID for obvious reasons.
Hence making it controlled.

~~~
ryukafalz
Well sure, but it can emulate just about everything else. And if you're
depending on the UID not being spoofable, well...

[https://www.aliexpress.com/popular/nfc-card-writable-
uid.htm...](https://www.aliexpress.com/popular/nfc-card-writable-uid.html)

------
_ph_
In short: QR codes are a great way of connecting arbitrary physical items with
your smartphone and as a consequence with any kind of web service. A bit
similar to NFC, but with some important differences: they don't require any
electronics, work at any range (just make the QR code large enough) and they
can be done either by print or displayed on a screen. Additionally, when
scanning the QR-code, the user can see the URL it translates to. (Doesn't have
to be URLs, but that is probably the most common usage).

I am surprised, not more business cards have QR-codes printed on them with the
important contact information. But for my personal use, I have a QR-code
containing my email address as a picture on my phone, so I can display it for
anyone to scan whom I want to give my address to.

------
michaelt
_> Tip bar staff [...] Scan and shop anywhere [...] digital public
transportation cards_

The thing that surprises me here isn't the success of QR codes, but the
failure of NFC (and to a lesser extent Bluetooth) which was practically
_designed_ for paying with your phone.

How did NFC lose out to QR codes at _the application it was designed for_? Was
it a reliability problem? Were the APIs too locked-down for anyone to be able
to work with them?

~~~
jononor
iOS for many years did not expose generic NFC functionality. I don't know if
it is properly available even now? This meant that it was impossible to have
the same user experience on iOS and Android - a serious problem for any
product that would have NFC a key interaction targeting both these platforms
(as most western things do).

~~~
petepete
To be honest I bought a Galaxy Nexus in 2011 with NFC and the promise of
payment functionality, but I only got Android Pay (here in the UK) in 2017
when my bank, NatWest, decided to add support.

~~~
martin_a
German Banks are somewhat behind on this, too. So I added a PayPal account and
put my bank information there. Works like a charm.

------
cyborgx7
It's still strange to me that android doesn't come with a simple qr reader.
They did the right thing with the thousand crappy flashlight apps, and just
integrated the functionality in the OS. They should do the same with QR code
scanning.

~~~
quelltext
Actually, I don't know which version they started but on my Pixel it's built
into the Camera as well as the Lens app.

When you point your phone camera to a QR code it'll show a description/link.

~~~
lozf
Same on my few years old MotoG4 ... but not a friends much newer Sony Experia.

QR codes are really handy for connecting to Wifi, I have a shell alias that
runs:

    
    
        qrencode -t utf8  "WIFI:T:WPA2;S:<Basestation-SSID>;P:<SecurePassw0rd>;;"

~~~
muxator
Nice! How do you consumer it on your phone (I suppose)?

Is "WIFI:..." automatically passed to the network intent?

Edit: just tried in ZXing QR code scanner on Android, I was too curious.

After scanning the code, the proposed action that appears in the bottom part
of the screen is "connect to network".

It just works! Super useful, thanks!

------
pacificleo12
Alan Zhang of WeChat was prophetic when he said: “The entry point for PC
internet is the search box. The entry point for mobile internet is the QR code

------
dexen
Always reminds me of the "Pictures of People Scanning QR-codes" blog

>[https://picturesofpeoplescanningqrcodes.tumblr.com/](https://picturesofpeoplescanningqrcodes.tumblr.com/)

------
pmoriarty
I just found "The Barcode Book" in my local library, and it was pretty cool to
see dozens of different barcode schemes out there, all with different
properties. The world of interesting, useful barcodes is much larger than QR
codes.

------
sriku
++ India. QR codes are everywhere for payments due to NPCI's (national
payments commission of India's) efforts with instant payments. Shops small and
big today display a QR using which you can pay bank to bank without
credit/debit card charges and interoperability between payment processing
companies like Paytm is mandatory.

The ad network and renting bikes and more recently charging electric scooters
cases are also catching on.

------
g8oz
>>>"At scenic sites and public spaces nationwide, toilet paper is BYO. Those
who come empty-handed can do a QR code or facial recognition scan to receive
up to 31 inches of toilet paper."

So hold on, if I don't have a working phone, I can't wipe my ass?

------
Causality1
I think the biggest problem QR codes had when it came to adoption is that
phones, by default, don't come with software to read them. If every OEM camera
app could read QR codes I think they'd be much more common.

~~~
FanaHOVA
iPhones do it now, as well as some newer Android phones. They problem is that
they don't tell you that :)

------
nikkwong
I find Vxiaocheng's use of QR to be super interesting and something that I'd
think is worthwhile to work on; QR reading is now native in android + iphone
camera apps and this is an itch I've been looking to scratch for a long time.
Anyone interested? I would think of expanding the application to restaurants,
libraries, etc. I would be comfortable with design + engineering + product
while mostly looking for a business developer to sell the product to
customers.

~~~
jimminator7
let’s chat. i’ve tried a couple qr-related early stage ideas this past year.

------
nayuki
Same link a day ago:
[https://news.ycombinator.com/item?id=21398697](https://news.ycombinator.com/item?id=21398697)

------
ricardobeat
Many, many years back (2011?) I and a few friends applied to YC with an eye on
use cases like 1/8/12, but mostly focusing on enabling quick interactivity
with storefront displays, billboards, and public screens in general.

We didn't go through (our video was awful) and never carried on the idea, but
almost a decade later I still feel there is a ton of yet-to-be-unlocked
potential in this!

------
bryanlarsen
Just as much an enabling technology as QR codes is the ubiquity and openness
of WeChat/AliPay/Taobao, in my opinion.

------
matheusmoreira
QR codes can also encode binary data. With structured append it's even
possible to encode larger amounts of data as a series of QR codes. Open source
decoders don't seem to support these features though. Could've been a great
way to transfer small files.

~~~
kalleboo
I've seen this show up on Hacker News before - transferring data via an
animated series of QR codes
[https://github.com/divan/txqr](https://github.com/divan/txqr)

~~~
matheusmoreira
Awesome project. I see it is based on ZXing. Do you know if it decodes binary
data? I see there's support for multiple error correction levels in the
qr/qr.go file but I don't see anything related to encoding modes, binary or
otherwise. I assume it is defaulting to alphanumeric encoding.

I'm asking because I'm not sure if ZXing supports decoding binary data to
begin with. I know zbar doesn't: current versions seem to mangle the output by
trying to convert it to UTF-8. I haven't tested ZXing yet.

Also, is it using structured append mode or simply reading normal QR codes in
a series and concatenating the data? Structured append mode QR codes have
metadata such as an identifier for the sequence they're part of and as well as
their position within it.

------
santojleo
I’ve contemplated a startup that eliminates “checking in” a doctors office
using paper or worse, a shared tablet, via QR code to personal smart phone
form. Have at it hackers.

------
jcmontx
I'm currently working on a QR product for small business and companies. I hope
to launch in 6 weeks in my home country.

QRs are truly powerful.

------
jakeogh
TIL you need to provide ID for TP in China.

------
megaremote
The rent-a-gym, I guess the west solves that by having gym equipment in a
park? An interesting solution to a busy city.

------
ldiracdelta
I'd guess that they're not used more in the US because of patent trolls.

------
jstewartmobile
every post from a16z makes me hate my own profession.

------
graciousbeast
This is a fantastic post. I particularly love the analysis about how QR codes
have been underestimated in the US market. Great work by Avery Segal! He's
been doing some great things at a16z. Rising star in tech!

------
emilfihlman
QR codes are awful at usability. Shortlinks are much, much better.

~~~
_def
I don't think that an average user wants to type in cryptic urls rather than
simply scanning a code. At least, if they know what to do. But I don't know
how the adoption rate for QR code scanning is. Do the stock android camera app
and the ios camera support QR codes yet?

~~~
emilfihlman
No, Android has no built-in support.

And if you break your camera, you can't use QR-codes. Happened to me with
Whatsapp Web.

Like I said, QR-codes are awful at usability and have extreme pitfalls.
Shortlinks are quick, fast and concise and they take much less space.

Also, shortlinks does not mean "cryptic urls". For example slush.org/L01 is
much, much better and faster than some QR-code, it's wayyyy more accessible
and also more shareable. You can also tell about it to people with just words
that they can easily remember.

------
reportgunner
What is this garbage top 10 article? I could as well say _Remeber 1 and 0 ?
They 're more powerful than you think since all computers use them to store
your virtual copy._

~~~
robjan
I think they are talking about its usefulness as a cheap, easy, quick
interface between computers and the physical world.

~~~
reportgunner
Oh if they'd said _useful_ I would stay quiet. The word they used was
_powerful_

I mean QR codes are just an encoded link, right ? What is the big deal ?

~~~
rootusrootus
> I mean QR codes are just an encoded link, right

Encoded data. Could be a link. Could be WiFi credentials. Payment information.
Any sort of identification code. Etc.

