Securely connect Bluetooth device to Android - android

I am developing a device that needs to communicate securely with an Android app via Bluetooth. For security reasons, I need only a predefined phone to be able to communicate with my device. I also need to ensure that it is not an intruder device trying to communicate falsified data to the app.
Looking at Bluetooth specs, I had the impression the only way to do that is with out of band (OOB) authentication with a pre-provisioning temporary key (TK). This looked very promising but after trying to find how to use OOB on an Android app, it seems like it is not supported.
Is it still possible to use OOB authentication on Android?
If not, is there another alternative to solve my issue?

This is doable but it depends on the BLE peripheral that you are developing and the features that it supports. Namely, your device needs to support Whitelisting and bonding. This is how it should work.
Upon first connection to the BLE device, the BLE device should accept the connection regardless.
Once the connection is made, the central device (Android phone) needs to initiate bonding. This doesn't need to be Out of Band (OOB) bonding, and the standard Just Works bonding should do.
Once bonding is successful, the BLE peripheral should add the Android device's IRK to the list of whitelisted devices.
From this point onwards, the BLE peripheral will activate the whitelist, and therefore only devices in the whitelist will be able to connect to your BLE peripheral, and in your case it will be the Android phone that you used to make the very first connection.
It is not straightforward and requires an initial secure-less connection with the target phone, but if that is not an issue then this should work.
You can find more information about this in the links below:
Set and activate whitelist with Android phone
Android BLE server - allow only previously connected device to connect
Whitelisting with resolvable random addresses

Related

Connecting an Android Device with a BLE Peripheral without using an App

I am new to Android programming and was wondering if it was possible to connect an Android device with a BLE Peripheral, without needing an App.
I am experimenting with the Node.js package "bleno" for the peripheral, and connecting using an app and even a webapp works just fine, but connecting using the standard Android settings functions doesn't work. The device does find my peripheral after scanning, but when I try to connect to it, it always returns that I need an app.
Is this a problem of bleno or does this not work that way in general?
If the peripheral has for example a HID GATT service exposed, then you can pair and connect to it through the system settings. This means BLE keyboards and mice can be used without any app.
If your peripheral only has custom services or only services the OS knows nothing about, then you will need some app to connect to it.

Is it possible to establish a TCP/IP connection over Bluetooth?

Well, the following situation: Devices need to communicate offline. The only option is Bluetooth. Here, the issue is that Bluetooth's encryption is insecure and broken. See KNOB attack.
Therefore, I'm looking for a way to securely exchange data between two Bluetooth devices (e.g., Android and iOS). My current guess is to establish a TCP/IP connection to make use of typical SSL/TLS libraries with all their other advantages (certificate check etc.) and disable Bluetooth's encryption for a performance increase.
https://developer.android.com/reference/android/bluetooth/BluetoothSocket
Unfortunately, it appears that this idea is already not supported by Android. They do offer some sort of BluetoothSocket, but that is not a TCP/IP connection afaik. Does anyone know a way to enable a TCP/IP connection between two bluetooth devices? Any other idea to secure that broken bluetooth connection?
Answer is yes. Nevertheless, there is no usable API on Android (before Android 9 via reflections maybe) and it still has the hide annotation on Android 11 in its source code, besides the requirement of a special permission to be used by system apps only.
The only option is to enable Bluetooth tethering via system settings (if available). Next devices connecting over Bluetooth will get an IP address, while the smartphone acts as the router. The access of services on the smartphone is permitted.

Discovering Bluetooth Devices only for devices with a required application

I'm working on an Android app where one user can connect to another person who has the same application, via a Bluetooth connection. This peer-to-peer connection should only allow persons with the same application to discover your device and connect to it. Is it possible to 'mask' your device and only allow a device that has the same application that is being used for communication to discover your device?
As far as I know, this is not possible. As soon as you start advertising, your device is visible to all Bluetooth devices. You would need to implement an authentication after the connection was established and then drop the connection if a device cannot authenticate itself.
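
The answer above calls for authenticating after the connection is established and dropping peers that fail, and the first question on this page has the same need (only a provisioned phone, no intruder device feeding falsified data). As an added example that is not part of any post here, this is a mutual HMAC challenge-response over the stream pair of a connected link such as a BluetoothSocket's input and output streams; it assumes a 32-byte key provisioned on both sides in advance, and the class and method names are hypothetical.

```java
import java.io.*;
import java.security.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example; LinkAuth, acceptPeer and connectPeer are hypothetical names.
public class LinkAuth {
    static byte[] nonce() { byte[] n = new byte[16]; new SecureRandom().nextBytes(n); return n; }

    // HMAC-SHA256 over a role label and both nonces. The label keeps one side's
    // proof from being reflected back as a valid proof for the other direction.
    static byte[] proof(byte[] key, String role, byte[] a, byte[] b) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(role.getBytes("US-ASCII")); mac.update(a);
        return mac.doFinal(b);
    }
    // Side that accepted the link (device). On false the caller closes the socket.
    static boolean acceptPeer(byte[] key, InputStream in, OutputStream out) throws Exception {
        DataInputStream din = new DataInputStream(in);
        byte[] ns = nonce(), nc = new byte[16], got = new byte[32];
        out.write(ns); out.flush();                        // fresh challenge per connection
        din.readFully(nc); din.readFully(got);
        if (!MessageDigest.isEqual(got, proof(key, "app", ns, nc))) return false;
        out.write(proof(key, "dev", nc, ns)); out.flush(); // prove the device knows the key too
        return true;
    }
    // Side that opened the link (app). Verifies the device before trusting its data.
    static boolean connectPeer(byte[] key, InputStream in, OutputStream out) throws Exception {
        DataInputStream din = new DataInputStream(in);
        byte[] ns = new byte[16], nc = nonce(), got = new byte[32];
        din.readFully(ns);
        out.write(nc); out.write(proof(key, "app", ns, nc)); out.flush();
        din.readFully(got);
        return MessageDigest.isEqual(got, proof(key, "dev", nc, ns));
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32]; // constructed all-zero demo key; provision a random key per device
        PipedInputStream devIn = new PipedInputStream(), appIn = new PipedInputStream();
        PipedOutputStream appOut = new PipedOutputStream(devIn), devOut = new PipedOutputStream(appIn);
        Thread dev = new Thread(() -> {
            try { System.out.println("device accepts: " + acceptPeer(key, devIn, devOut)); }
            catch (Exception e) { System.out.println("device drops link: " + e); }
        });
        dev.start();
        System.out.println("app accepts: " + connectPeer(key, appIn, appOut));
        dev.join();
    }
}
```

This authenticates the peer only; data exchanged afterwards still needs its own integrity protection and encryption, for instance with keys derived from the shared key and the two nonces.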

HTTPS connection on wi-fi enabled Android Wear without phone tethering

I can't find any documentation on Android Wear that shows how to create an app that leverages the fact that some watches (like my Samsung Galaxy Gear) can now connect directly to the internet via wi-fi when the phone is not around.
I have a few apps that generate https requests to access a REST service and I would like to know if these can be directly called from a Wear app connected to wi-fi (no phone).
Similar questions don't seem to answer this:
Direct internet connection on Android Wear?
https://stackoverflow.com/questions/26062487/android-wi-fi-direct-persistent-connection
Android: Establish "Wi-Fi Direct" connection with networked devices
My tests on a Wear emulator tethered to an internet enabled Phone emulator show:
java.net.UnknownHostException: Unable to resolve host "api.xxx.com": No address associated with hostname
But of course there's no direct wi-fi connection on the watch emulator so my next step is to try on a real watch and phone.
My suspicion is that Android Wear's data API handles this transparently so direct http requests seem impossible.
Best, thanks in advance for your help.
Even if Android 5.1.1 supports the Wi-Fi feature. Android Wear on Wi-Fi: Using a smartwatch without a phone nearby
You should stick to the Data Layer API, you cannot send http request directly from watch. Fetch internet data from the phone, then transfer it to watch with Data Layer API.
You can see this Does Android Wear support directly access the Internet?
And this document Always-on and Wi-Fi with the latest Android Wear update
From the last update it's possible to make http requests over wifi using Android Wear. You can even connect a Bluetooth headphone to it to use with some streaming app.
While on wifi, if your mobile phone is connected to the internet too (it doesn't need to be the same wifi, it can even be 3G) it will act the same way it would when Bluetooth-connected to your phone, but with its own internet access.
This doesn't mean apps will change their behavior, because most of them are coded to make the requests from your phone, but if you have an app that makes direct network requests, it will send them from your watch without advising or needing your phone.
How to do network requests on Android Wear
Just use the same network request libraries you would use on a normal Android mobile application, like volley, retrofit, okhttp. The code is exactly the same, and by the way, any Android mobile library works with Android Wear too.

Is there a way to isolate and control the Bluetooth pairing process programmatically in Android?

My application connects my Android phone to a health device. The health device is capable of connecting using either Bluetooth SPP or HDP profile while my app can only support SPP.
The health device's documentation states that I have to send a special command to it during the pairing process to make sure that Bluetooth communication uses SPP profile instead of HDP.
Note that I'm not concerned about connection after pairing at all. I need to:
Separate the pairing process from the connections after pairing - I don't mind if users have to authorise pairing through a popup
Be able to send some data to the health device during the pairing process (so that following connections will actually happen)
The Android documentation seems to imply that pairing is implicitly handled as an integrated part of the Bluetooth connections as you call connect() or accept(). However, this and this gives me some hope.
I'd like to support as many devices as possible but 4.0 and above are more important. The health device I'm using supports Bluetooth 2.1 so no worries about PIN.
