Heavy scanning activity from Android (and iOS) devices might prevent connecting to BLE GAP Peripheral

Web BLE API requires users to actively select Scan for devices, where Chrome popup shows on top of the screen showing devices. A website can't scan on it's own. Also, as far as I know web-ble is still by default disabled feature (?) in Chrome and needs to be enabled in flags config. developers.google.com/.../interact-with-ble-devices-on-the-web

I totally agree that Web BLE API shouldn't be any danger in terms of DOS (it will provide other attack vectors;), because even if you would stay for longer time on such web site and enabled access to BLE it would hardly achieve such activity from generic BLE chip set. These DOS scenarios described by me above (flooding adv. channels or connecting to every ADV_IND packet which comes around) are already difficult if you run it as embedded application on nRF5x chip and SD S13x, you would most likely need several such fixtures to really block the Peripheral. Web BLE API could disturb BLE app (especially if it isn't designed properly) but I don't think that's worth writing an script by some kiddie;)

Thanks Aleksander

I have not upgraded to Android 6 yet, to use the Web BLE API, but my understanding was that the user had to approve it once, but I don't think this is much of a barrier as most users just click Yes when asked to turn on Bluetooth. And I'm not sure if its once per page or just Once per every time Chrome is run.

I'm not sure if this feature will always off by default. The settings were in the experimental section of the currently released version of Chrome for Android, but I can't see them in the Chrome Beta App, so I presumed that in the next release (i.e when the beta gets released) that this feature will be On by default.

BTW. On iOS, it will scan in the background, but it appears to slowly increase the interval between each scan, the longer you leave it scanning. However its easy to stop the scan and start it again e.g. every 15 seconds, even in the background

It's not only that on Android 6+ user must grant the location permission to an app (BLE scanning requires a runtime location permission, Bluetooth permission is granted automatically). A web can't just scan in background without user knowing it. Scanning will show a popup (like one shown on the link I gave above) and will scan for few seconds. I guess even on CES or other shows like this where WiFi and Bluetooth are everywhere and people are walking around and scanning it is not that terrible. Although I have never been there, just heard that there were problems with connectivity but now not complete DoS. And this is a kind of an extreme environment. Btw, if you want to block BLE it's best to use a good WiFi router that takes all space available. BLE nodes are too lazy in doing so.

Hi, How to use Out of Band to send address of the central to our peripheral ?