
How to establish a secure connection between Android and nRF?

Hello Gentlemen,

I'm developing an Android App that needs to connect to nRF. The nRF sensor does not have a keyboard, display or button.

But we can have OOB which is a type of secret key generated during assembly.

As long as I don't require pairing everything works great, but that is a problem for the business since occasional snoopers can hijack the sensor and my App cannot connect to it. I'm not concerned about hackers with sniffers but just the occasional snooper that is playing with his phone and happens to try to connect to our sensors to see what happens.

My problem is that I don't know how to make Android use the OOB. If I declare that my sensor has a keyboard I see that Android generates a random passkey but I don't have a way to type it on the sensor side.

So either I fake Android capabilities to "keyboard only" to allow me to enter a PIN number programmatically using the OOB or I need to figure out how to enable OOB during pairing.

My nRF parameters are set as follows:

    m_sec_params.timeout      = 30;
    m_sec_params.bond         = 1;
    m_sec_params.mitm         = 0;
    m_sec_params.io_caps      = NONE;
    m_sec_params.oob          = 1;
    m_sec_params.min_key_size = 7;
    m_sec_params.max_key_size = 16;

and the handler is ready to send the OOB data as follows:

    case BLE_GAP_EVT_AUTH_KEY_REQUEST:
        PRINTF("ble_gap_evt_auth_key_request\r\n");
        sd_ble_gap_auth_key_reply(m_conn_handle, BLE_GAP_AUTH_KEY_TYPE_OOB, OutOfBandData);
        break;

An example would be greatly appreciated.

  • FormerMember
    0 FormerMember

    The only difference between the bonding methods (Just works, display-keyboard, OOB, etc.) is the security during the bonding process; when using display-keyboard, OOB, or any other MITM "process" you can make sure that there are no man-in-the-middle (MITM) attacks. However, the security of the encryption will be the same both with and without MITM bonding. Therefore, if there is no security concern during bonding, "just works" will be as good as any of the other bonding "methods".

    If you don't want anybody else to be able to connect to your device, you can use a whitelist. If using whitelisting, you can limit the number of phones/centrals that can bond to the device.
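
The whitelist policy suggested in the answer above, as an added example that is not part of the original thread and is not Nordic SDK code: a stand-alone C model in which bonded centrals always pass the connection filter and unknown centrals pass only while a bond slot is free. `whitelist_t`, the `wl_*` functions and `MAX_BONDS` are hypothetical names, and the model assumes peers keep a fixed address (no resolvable private addresses).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_LEN  6   /* BLE device address length in bytes */
#define MAX_BONDS 1   /* assumed product limit: one phone per sensor */

typedef struct {
    uint8_t addrs[MAX_BONDS][ADDR_LEN];  /* addresses of bonded centrals */
    int     count;
} whitelist_t;

static void wl_init(whitelist_t *wl) { memset(wl, 0, sizeof *wl); }

static bool wl_contains(const whitelist_t *wl, const uint8_t *addr)
{
    for (int i = 0; i < wl->count; i++)
        if (memcmp(wl->addrs[i], addr, ADDR_LEN) == 0)
            return true;
    return false;
}

/* Connection filter: bonded peers always pass; an unknown peer passes
 * only while a bond slot is still free. */
static bool wl_accept_connection(const whitelist_t *wl, const uint8_t *addr)
{
    return wl_contains(wl, addr) || wl->count < MAX_BONDS;
}

/* Call when bonding with a peer completes. Returns false if the table is full. */
static bool wl_add_bond(whitelist_t *wl, const uint8_t *addr)
{
    if (wl_contains(wl, addr)) return true;
    if (wl->count >= MAX_BONDS) return false;
    memcpy(wl->addrs[wl->count++], addr, ADDR_LEN);
    return true;
}

int main(void)
{
    /* Constructed sample addresses, not taken from any real device. */
    const uint8_t owner[ADDR_LEN]   = {0xC0, 0x01, 0x02, 0x03, 0x04, 0x05};
    const uint8_t snooper[ADDR_LEN] = {0xC0, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE};
    whitelist_t wl;
    wl_init(&wl);
    wl_add_bond(&wl, owner);   /* owner bonds first and takes the only slot */
    printf("owner: %d, snooper: %d\n",
           wl_accept_connection(&wl, owner), wl_accept_connection(&wl, snooper));
    return 0;
}
```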

  • FormerMember
    0 FormerMember in reply to FormerMember

    The bonding process consists, among other things, of the exchange of the encryption keys, and when the bonding process is finished the link is encrypted. You can see this if you use our sniffer to track what is being sent over the air. The sniffer can be downloaded here: www.nordicsemi.com/.../26386

    The keyboard in our reference design "nRFready Desktop 2" uses OOB, but I don't think it has been tested on Android.
