Securely connect Bluetooth device to Android


I am developing a device that needs to communicate securely with an Android app via Bluetooth. For security reasons, I need only a predefined phone to be able to communicate with my device. I also need to ensure that it is not an intruder device trying to communicate falsified data to the app.

Looking at Bluetooth specs, I had the impression the only way to do that is with out of band (OOB) authentication with a pre-provisioning temporary key (TK). This looked very promising but after trying to find how to use OOB on an Android app, it seems like it is not supported.

Is it still possible to use OOB authentication on Android?

If not, is there another alternative to solve my issue?


There is 1 best solution below


This is doable but it depends on the BLE peripheral that you are developing and the features that it supports. Namely, your device needs to support Whitelisting and bonding. This is how it should work.

  1. Upon first connection to the BLE device, the BLE device should accept the connection regardless.
  2. Once the connection is made, the central device (Android phone) needs to initiate bonding. This doesn't need to be Out of Band (OOB) bonding, and the standard Just Works bonding should do.
  3. Once bonding is successful, the BLE peripheral should add the Android device's IRK to the list of whitelisted devices.
  4. From this point onwards, the BLE peripheral will activate the whitelist, and therefore only devices in the whitelist will be able to connect to your BLE peripheral, and in your case it will be the Android phone that you used to make the very first connection.

It is not straightforward and requires an initial secure-less connection with the target phone, but if that is not an issue then this should work.

You can find more information about this in the links below:-
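
Step 3 of the answer stores the phone's IRK rather than its address because Android phones typically connect from changing resolvable private addresses (RPAs). The following is an added example, not part of the original answer and not code from any BLE stack: a Go model of the check a peripheral's filter performs, using the Bluetooth Core Specification's `ah` hash and its published sample IRK. `Resolves` and `AcceptConnection` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// SampleIRK: the Core Specification's sample IRK for ah, MSB first (stands in for the bonded IRK).
var SampleIRK = [16]byte{0xec, 0x02, 0x34, 0xa3, 0x57, 0xc8, 0xad, 0x05,
	0x34, 0x10, 0x10, 0xa6, 0x0a, 0x39, 0x7d, 0x9b}

// ah is the random address hash: low 24 bits of AES-128(IRK, zero padding || prand).
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err) // unreachable: the key is always 16 bytes
	}
	var in, out [16]byte
	copy(in[13:], prand[:])
	block.Encrypt(out[:], in[:])
	return [3]byte{out[13], out[14], out[15]}
}

// Resolves reports whether addr (as printed, MSB first: prand then hash)
// is a resolvable private address generated from irk.
func Resolves(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 1 { // an RPA's two most significant bits are 01
		return false
	}
	hash := ah(irk, [3]byte{addr[0], addr[1], addr[2]})
	return hash == [3]byte{addr[3], addr[4], addr[5]}
}

// AcceptConnection models the filter once the whitelist is active (step 4).
func AcceptConnection(bonded [][16]byte, addr [6]byte) bool {
	for _, irk := range bonded {
		if Resolves(irk, addr) {
			return true
		}
	}
	return false
}

func main() {
	phone := [6]byte{0x70, 0x81, 0x94, 0x0d, 0xfb, 0xaa}    // spec prand + its hash
	stranger := [6]byte{0x70, 0x81, 0x94, 0x0d, 0xfb, 0xab} // constructed: hash off by one
	bonded := [][16]byte{SampleIRK}
	fmt.Println(AcceptConnection(bonded, phone), AcceptConnection(bonded, stranger))
}
```

The hash is only 24 bits, so address resolution filters who may connect; what proves the peer holds the bond is link encryption with the keys exchanged during bonding.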