• State Not Answered
  • Replies 3 replies
  • Subscribers 73 subscribers
  • Views 5131 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 102762
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

how to establish secure connection between Android and nRF?

Gilson

Hello Gentlemen,

I'm developing an Android App that needs to connect to nRF. The nRF sensor does not have keyboard, display or buttom.

But we can have OOB which is a type of secret key generated during assembly.

As long as I don't require pairing everything works great but that is a problem for the business since occasional snoopers can hijack the sensor and my App cannot connect to it. I'm not concerning about hackers with sniffers but just the occasional snooper that is playing with his phone and happens to try to connect to our sensors to see what happens.

My problem is that I don't know how to make Android use the OOB. If I declare that my sensor has a keyboard I see that Android generates a random passkey but I don't have a way to type it on the sensor side.

So either I fake Android capabilities to "keyboard only" to allow me to enter a PIN number programmatically using the OOB or I need to figure how to enable OOB during pairing.

my nRF parameters are set as follows:

m_sec_params.timeout      = 30;
m_sec_params.bond         = 1;
m_sec_params.mitm         = 0;
m_sec_params.io_caps      = NONE;
m_sec_params.oob          = 1;  
m_sec_params.min_key_size = 7;
m_sec_params.max_key_size = 16;

and the handler is ready to send the OOB data as follows:

    case BLE_GAP_EVT_AUTH_KEY_REQUEST:
        PRINTF("ble_gap_evt_auth_key_request\r\n");
        sd_ble_gap_auth_key_reply(m_conn_handle, BLE_GAP_AUTH_KEY_TYPE_OOB, OutOfBandData);
        break;

An example would be greatly appreciated.

Parents
  • FormerMember
    0 FormerMember

    The only difference between the bonding methods (Just works, display-keyboard, OOB, etc) is the security during the bonding process; when using display-keyboard, OOB, or any other MITM "process" you can make sure that there is no man-in-the-middle (MITM) attacs. However, the security of the encryption will be the same both with and without MITM bonding. Therefore, if there is no security concern during bonding, "just works" will be as good any of the other bonding "methods".

    If you don't want anybody else to be able to connect to your device, you can use whitelist. If using whitelisting, you can limit the number of phones/centrals that can bond to the device.

Reply
  • FormerMember
    0 FormerMember

    The only difference between the bonding methods (Just works, display-keyboard, OOB, etc) is the security during the bonding process; when using display-keyboard, OOB, or any other MITM "process" you can make sure that there is no man-in-the-middle (MITM) attacs. However, the security of the encryption will be the same both with and without MITM bonding. Therefore, if there is no security concern during bonding, "just works" will be as good any of the other bonding "methods".

    If you don't want anybody else to be able to connect to your device, you can use whitelist. If using whitelisting, you can limit the number of phones/centrals that can bond to the device.

Children
  • 0 in reply to FormerMember

    Kristin, Maybe I did not make myself clear. I want to enable security during the bonding, encryption of the message comes later I understand. "just works" is NOT as good, I need to come with a way to set the PIN programmatically or OOB.

    I really need an example of Android using OOB, I see people here asking for examples and I would like to suggest for Nordic to provide examples showing the 3 different methods. Let the business developers decide for themselves. Sometimes we have to talk to our marketing department before we make the decision, it is not always developers choice until there is road block.

    Is there an Android-nRF sample that demonstrates OOB use ?

  • FormerMember
    0 FormerMember in reply to FormerMember

    The bonding process consits among others of the exchange of the encryption keys, and when the bonding process is finished the link is encrypted. You can see this if you use our sniffer to track what is being sent of the air. The sniffer can be downloaded here: www.nordicsemi.com/.../26386

    The keyboard in our reference design "nRFready Desktop 2" uses OOB, but I don't think it has been tested on Android.

Related
Terms of service