1
votes

I am developing an app that controls a product's operation. The communication is via BLE. My configuration is:

App - Peripheral (iOS, Android)

Product - Central (uses Laird BT900 module)

iOS as a peripheral works fine (pairing and bonding); Android PIN pairing works fine, but with subsequent bonding (or reconnecting when in range) there are a lot of issues and terminations of the connection. I am using the supported list of devices for Android BLE, and I also understand that there are many known issues that come with different manufacturers/chipset vendors.

The issue I am getting, as seen by nRF Connect, is with descriptors. The Android app doesn't show descriptors when seen in nRF Connect, whereas iOS does. I do not know what the difference is.

  1. Is it a common practice to use a phone as a peripheral? Or is it a risk, because this is a medical device?
  2. Are there any best practices for Android as a peripheral?
  3. I have the following backup plans in case the Android issue is not resolved. I think the following would work on any BLE-supported phone without any issues with the variability.

Plan A: PIN pairing on every connection with the product. This is the most secure and most annoying.

Plan B: Implement Just Works pairing with an app-layer password before taking control of the product.

Question: Is Just Works safe and encrypted? Is it snoop-safe or MITM-safe?

Thanks in advance!

1 Answer

0
votes

A few thoughts from your questions:

1a. (From my Android experience) I think it's uncommon to have the phone be the peripheral. To my knowledge, all iOS devices support peripheral mode, but only a very small subset of Android devices are able to support it. I say this because I've been experimenting with BTLE beacons using the AltBeacon library. From this work I have discovered that only certain Android phones can broadcast BTLE advertise packets. Given that BTLE advertising is the first step in initiating a BTLE session, I imagine that this prevents many Android phones from being compatible with peripheral mode.

If all of your users can use an iOS device, then you're set, otherwise this may be a problem.

1b) I can't speak to the specific risk of using a mobile device with your medical device; that depends on what the medical device is doing and how you're using the mobile app.

2) See 1a

3) The specific encryption scheme you used is also based on your product's risk profile. I would say that Just Works is not an ideal solution. The Just Works pairing process is not snoop-safe and can be re-initiated via a MITM. Other than that, I can't speak to the strength of BTLE encryption.
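
An added example, not part of the answer above or of any project's code: an Android GATT server that first checks whether the phone can act as a peripheral at all (point 1a), then declares its characteristic and descriptor with permissions that require an authenticated, MITM-protected encrypted link, which a Just Works bond does not provide (point 3). The class name and the service and characteristic UUIDs are constructed placeholders; only the 0x2902 descriptor UUID is the standard one.

```java
import android.bluetooth.BluetoothAdapter;
import android.bluetooth.BluetoothGattCharacteristic;
import android.bluetooth.BluetoothGattDescriptor;
import android.bluetooth.BluetoothGattServer;
import android.bluetooth.BluetoothGattServerCallback;
import android.bluetooth.BluetoothGattService;
import android.bluetooth.BluetoothManager;
import android.content.Context;
import java.util.UUID;

// Hypothetical helper; needs BLUETOOTH_CONNECT/BLUETOOTH_ADVERTISE on API 31+.
public final class ControlGattServer {
    // Constructed placeholder UUIDs for an illustrative control service.
    static final UUID SERVICE = UUID.fromString("0000aaaa-1111-2222-3333-444455556666");
    static final UUID CONTROL = UUID.fromString("0000aaab-1111-2222-3333-444455556666");
    // Standard Client Characteristic Configuration descriptor (0x2902).
    static final UUID CCCD = UUID.fromString("00002902-0000-1000-8000-00805f9b34fb");

    /** Returns null when this phone cannot act as a BLE peripheral. */
    public static BluetoothGattServer open(Context ctx, BluetoothGattServerCallback cb) {
        BluetoothManager mgr =
                (BluetoothManager) ctx.getSystemService(Context.BLUETOOTH_SERVICE);
        BluetoothAdapter adapter = (mgr == null) ? null : mgr.getAdapter();
        // Many Android phones lack advertising support, so check before relying on it.
        if (adapter == null || !adapter.isEnabled()
                || !adapter.isMultipleAdvertisementSupported()
                || adapter.getBluetoothLeAdvertiser() == null) {
            return null;
        }
        // Writes are only allowed over an encrypted link whose key came from
        // authenticated (MITM-protected) pairing, e.g. passkey entry.
        BluetoothGattCharacteristic control = new BluetoothGattCharacteristic(
                CONTROL,
                BluetoothGattCharacteristic.PROPERTY_WRITE
                        | BluetoothGattCharacteristic.PROPERTY_NOTIFY,
                BluetoothGattCharacteristic.PERMISSION_WRITE_ENCRYPTED_MITM);
        // The descriptor must be added explicitly, with the same protection level.
        BluetoothGattDescriptor cccd = new BluetoothGattDescriptor(
                CCCD,
                BluetoothGattDescriptor.PERMISSION_READ_ENCRYPTED_MITM
                        | BluetoothGattDescriptor.PERMISSION_WRITE_ENCRYPTED_MITM);
        control.addDescriptor(cccd);
        BluetoothGattService service =
                new BluetoothGattService(SERVICE, BluetoothGattService.SERVICE_TYPE_PRIMARY);
        service.addCharacteristic(control);
        BluetoothGattServer server = mgr.openGattServer(ctx, cb);
        if (server != null) server.addService(service);
        return server;
    }
}
```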