I'm currently working on an iOS BLE application. To secure the connection between the smartphone, which is in Central mode, and the head unit, which is in peripheral mode, we need to implement the TLS protocol over BLE.
To send the certificate, which is big data for BLE, we will use a segmentation protocol.
We need to use TLS because we can't be hacked easily on our system, and BLE 4.2, which is more secure than 4.0, is not implemented in enough phones.
I have seen that Secure Transport allows making TLS on iOS (https://developer.apple.com/reference/security/secure_transport) and I have not seen that I can't implement it over BLE.
Has someone already implemented TLS with Secure Transport?
If yes, can they explain to me how I can use it in my case? Or if I can't use it, can they explain why?
After several days of research about how to use Secure Transport, I found that all the examples and projects are working with BSD sockets and streams.
In Apple's documentation there is no statement confirming or denying the possibility of applying TLS over Core Bluetooth.
I have tried in many ways to establish a TLS session between two iOS devices that exchange data via Core Bluetooth. However, I always get error -9806 every time I call the SSLHandShake() method.
In almost every example, a BSD socket should be configured and connected before starting the TLS handshake.
Once the socket is connected, Secure Transport automatically exchanges the TLS settings between the two peers after calling the SSLHandShake() method.
I suppose that Secure Transport supports BSD sockets when it comes to establishing a TLS handshake. I did not find any solution to make Secure Transport exchange TLS settings between two peers connected via Core Bluetooth (BLE).
Is it possible to establish a TLS session between two iOS devices that have been connected via Core Bluetooth? Should I forget about Secure Transport and implement the TLS protocol (over Core Bluetooth) by myself without using Secure Transport?
Thanks :)
I am currently developing an application which allows establishing a TLS session between two iOS devices.
The session is established between a Central and a Peripheral that communicate via the BLE (Core Bluetooth) library.
The server must hold the certificate and send it to the client, which will validate it.
Does Apple's Secure Transport library handle all this automatically? Is there any example for establishing a TLS session between two iOS devices?
Thanks.
According to this document and this whitepaper, there are security measures designed to prevent passive eavesdropping on a Bluetooth BLE connection. Is there a way to implement the secure connection between an iOS central manager and a peripheral device?
Specifically, I'm looking to implement "Just works association model". I want to know if it is possible with an iPhone.
For BLE connections, iOS supports "Just Works" and also "PIN" based pairing.
For Out-of-band (OOB) pairing, there is no public iOS API (albeit a private one that Apple uses itself for Handoff amongst other things, to seamlessly pair two Apple devices without user interaction.)
Note that both "Just Works" and "PIN" pairing are somewhat broken. If an eavesdropper were to listen in on the initial pairing process, it could brute force the exchanged keys easily.
iOS 8.2 added support for BT 4.2, which includes various improvements for BLE pairing and security in general. I haven't looked what parts iOS 8.2 supports though.
To kick off pairing:
an app that is using the peripheral needs to be in the foreground (this can be iOS' Settings)
after connecting,
send the "Slave Security Request" command from peripheral side (see the Bluetooth Specification),
or,
access a "protected" characteristic on a service implemented either by the peripheral or by the app -- this will make iOS automagically initiate the pairing process if the device was not yet bonded. This is what Apple recommends.
EDITED:
According to the table under Step 4 in this link, because your Central (smartphone) has both Keyboard and Display, the only way to perform Just Works pairing is if the sensor has no input and no output capabilities.
So, to do that, you must configure the sensor to send a Pairing Response with the IO Capabilities set to NoInputNoOutput.
That will force the Central (your iOS device) to perform Just Works pairing.
Is there any way to disable the pairing message in iOS for a Bluetooth device? The device I'm connecting to does not require any security and there is no pairing mechanism in place, so having the message pop up is not needed. Any suggestions?
To confirm Paulw11's comment above, a pairing prompt will be displayed in iOS when a device is connected and any type of encryption is requested during the connection, or encryption is required when writing to a characteristic.
If the user clicks "Cancel" the encryption will not be enabled for the connection, but the connection will not be terminated. If you click "Pair" encryption will be enabled and the connection will also persist.
There is no way to listen or interact with the pairing prompt via the base iOS configuration through the CoreBluetooth Framework. I've talked with Apple about this and done lots of digging. There may be a way to do this through the MFI program, but obviously we can't talk about that.
My iOS app is connected and exchanging sensitive data with a BLE accessory. I want the data communication to be secured, so I use an encrypted BLE connection (= paired).
But is there a way for my app to be the only app that can receive the data from the accessory?
I want to make sure it is not possible for another app running in the background to receive the data sent by the accessory.
Core Bluetooth will provide access to any apps that are on the device, but if you implement your communication using additional authentication or encryption, then it will be harder for other apps to make successful connections to the peripheral.
I think it helps to think of the peripheral as an ssh server. Anyone can open a connection to it but they will be connected only if the correct credentials are provided to the server. Your peripheral should work similarly. The required method for the authentication depends on your requirements.