Common Timezone Bugs in Qr Code Apps: Causes and Fixes
Timezone bugs in QR code apps usually happen when the app mixes display time, validation time, and storage time without a clear contract.
What causes timezone bugs in QR code apps
Timezone bugs in QR code apps usually happen when the app mixes display time, validation time, and storage time without a clear contract.
Common technical root causes:
- Storing local time instead of UTC: A ticket created in London and scanned in New York may shift by five hours if the server stores
2026-07-04 18:00:00without a timezone. - Parsing ISO strings incorrectly:
"2026-07-04T18:00:00"is ambiguous. It is not the same as"2026-07-04T18:00:00Z"or"2026-07-04T18:00:00+01:00". - Using the device timezone for validation: QR scanners often run on user phones. If validation depends on
new Date()in the device timezone, two users can get different results for the same QR code. - Confusing event-local time with UTC: Concerts, flights, classes, and reservations should often be valid in the venue’s timezone, not the user’s timezone.
- Daylight Saving Time gaps and overlaps: A “one-day pass” may become 23 or 25 hours long if DST changes are ignored.
- Offline validation without clock tolerance: Airport, stadium, or parking QR scanners may validate offline. Small clock drift can reject valid passes or accept expired ones.
- QR payload expiration mismatches: Dynamic QR codes for payments or authentication may include
exp,iat, ornbfclaims that are calculated in different timebases.
Real-world impact
Timezone bugs in QR code apps are visible to users at the worst possible moment: checkout, boarding, entry, or payment.
Typical outcomes include:
- Users denied entry: A valid ticket shows “expired” because the scanner interpreted the expiry in UTC.
- Expired tickets accepted: A coupon or parking QR code remains valid past its intended cutoff.
- Support spikes: Users send screenshots saying, “My pass says 11:59 PM but your scanner says it expired.”
- Bad store reviews: QR apps get punished quickly because one failed scan can block travel, payment, or event access.
- Revenue loss: Restaurants, venues, airlines, and retailers lose transactions when QR payments or coupons fail.
- Operational delays: Gate staff, cashiers, and support teams need manual overrides when QR validation is inconsistent.
- Security risk: Payment QR codes, login QR codes, and session tokens can become vulnerable if expiration logic is wrong.
7 ways timezone bugs manifest in QR code apps
- Event tickets expire one hour early or late
The QR payload stores event end time in local time, but the scanner validates it using UTC or the user’s device timezone.
- Boarding passes show the wrong departure time
The issuer stores departure time as "2026-05-10T09:30:00" without the airport timezone. A traveler in another country sees a shifted time.
- Coupons fail at midnight in the wrong region
A coupon valid “until end of day” is calculated using the server timezone instead of the store or customer timezone.
- Dynamic payment QR codes expire too soon
The backend sets exp in seconds, but the mobile scanner treats it as milliseconds, or the issuer and scanner use different clock assumptions.
- Parking QR passes reject users during DST changes
A two-hour parking session spans a DST transition. If the app adds fixed minutes instead of using timezone-aware duration logic, the pass may expire incorrectly.
- Multi-day passes lose one day
A pass valid from July 4 to July 6 is stored as UTC instants at midnight. In some timezones, the user sees July 3 or July 7.
- QR login or approval flows fail across regions
A login QR code generated in one region expires before the user scans it because the client and server clocks are not synchronized or lack skew tolerance.
How to detect timezone bugs
Use tests that intentionally break timezone assumptions.
- Run unit tests across IANA timezones: Test
America/New_York,Europe/London,Asia/Kolkata,Australia/Sydney, andPacific/Auckland. - Test DST boundaries: Validate QR passes before, during, and after DST transitions.
- Compare server time, device time, and venue time: Log all three during QR validation.
- Use property-based tests: Generate QR payloads with random valid-from, valid-until, timezone, and scanner-location combinations.
- Run mobile tests with emulator timezone changes: Change the device timezone while the app is open and rescan the same QR code.
- Check QR payload schema: Ensure dates are encoded as UTC instants, ISO 8601 with offsets, or explicit IANA timezone fields.
- Review scanner verdicts: Look for inconsistent PASS/FAIL results when the same QR code is scanned from different regions.
- Use autonomous QA for flow coverage: A tool like SUSA can upload an APK or web URL, explore QR purchase, scan, payment, and redemption flows, then generate Appium or Playwright regression scripts for CI.
What to look for:
- Validation changes when only the device timezone changes.
- Expiry text differs between issuer and scanner.
- QR codes fail near midnight.
- “Valid today” passes behave differently across regions.
- Offline scanners reject codes that backend validation accepts.
How to fix each example
| Bug | Fix |
|---|---|
| Event tickets expire early or late | Store validation instants as UTC epoch milliseconds or seconds. Display event time using the venue timezone. |
| Boarding pass times shift | Store departure as an ISO 8601 instant with offset or UTC epoch, plus a separate display timezone field. |
| Coupons fail in the wrong region | Define the coupon’s applicable timezone: store timezone, customer timezone, or campaign timezone. Do not default to the server timezone. |
| Payment QR codes expire too soon | Use a single timebase for exp, usually Unix seconds. Add clock-skew tolerance, such as 30–120 seconds. |
| Parking passes break during DST | Use timezone-aware libraries and IANA zones. Avoid adding fixed 24-hour blocks for “calendar days.” |
| Multi-day passes lose a day | Store start and end as local dates plus the event timezone, then convert to UTC instants for validation. |
Test Your App Autonomously
Upload your APK or URL. SUSA explores like 10 real users — finds bugs, accessibility violations, and security issues. No scripts.
Try SUSA Free