Trojan295 / android-webauthn-token

A FIDO2 WebAuthn BLE Android phone token
Apache License 2.0
47 stars 15 forks

BLE gatt pairing not working on android 9 google pixel #4

Open mehakzahra1 opened 4 years ago

mehakzahra1 commented 4 years ago

I am testing web-auth token mechanism on various devices. I am able to pair it with Samsung s8 plus but it is not working with android 9 SDK 29.

Test device -> Google pixel

advatar commented 4 years ago

Does not work for me either on Pixel 4 Android 10

fmeum commented 4 years ago

Recent mainline versions of Android have restricted access to the FIDO UUIDs to a system permission not available to third-party apps: http://androidxref.com/9.0.0_r3/xref/packages/apps/Bluetooth/src/com/android/bluetooth/gatt/GattService.java#108

You could try whether explicitly granting the BLUETOOTH_PRIVILEGED permission via adb resolves the issue.

advatar commented 4 years ago

Oh, that sucks. So they do not want any competition for software authenticators. I guess that iOS will do the same.

advatar commented 4 years ago

I am not seeing that here https://android.googlesource.com/platform/packages/apps/Bluetooth/+/dbaf9cd/src/com/android/bluetooth/gatt/GattService.java

Not sure what version this is though. It could be 11?

fmeum commented 4 years ago

That link is to an outdated version of the code; the current one is here: https://android.googlesource.com/platform/packages/apps/Bluetooth/+/master/src/com/android/bluetooth/gatt/GattService.java

Based on the message of the relevant commit, this is meant to prevent third-party apps from spoofing U2F application IDs by directly communicating with authenticators. I don't know whether this was also intended to hinder third-party authenticators.

advatar commented 4 years ago

Yes, I read up on it and apparently all BLE services registered will get all the traffic for that service UUID. However I guess that they could provide that system API: "All access to external Bluetooth U2F devices must go through system APIs".

mehakzahra1 commented 4 years ago

I tried it on various devices but there is a compatibility issue due to Android restrictions and BLE Chromium updates. In the case of explicit BLE pairing, it is still unstable.

kyriakopoulosd commented 4 years ago

> Recent mainline versions of Android have restricted access to the FIDO UUIDs to a system permission not available to third-party apps: http://androidxref.com/9.0.0_r3/xref/packages/apps/Bluetooth/src/com/android/bluetooth/gatt/GattService.java#108
>
> You could try whether explicitly granting the BLUETOOTH_PRIVILEGED permission via adb resolves the issue.

So currently no one has managed to get this app working?

Furthermore, can you help if I'm missing something?

1. I'm running this app on my Galaxy S10+.
2. I've turned on Bluetooth on both the Galaxy and the laptop.
3. I pair my laptop with my Galaxy S10+ via Bluetooth.
4. Visiting webauthn.io, nothing happens.
5. I don't see any error log in the logcat in Android Studio.

Also, @FabianHenneke in WearAuthn did you manage to generate FIDO2 Token based on this project logic and code?

mehakzahra1 commented 4 years ago

For me, it is working on Samsung devices. I can share the steps if you want.

kyriakopoulosd commented 4 years ago

> For me, it is working on Samsung devices. I can share the steps if you want.

Yes, so I can check if I'm missing something. Thanks!

fmeum commented 4 years ago

@kyriakopoulosd WearAuthn takes a different route: It uses the Bluetooth HID API to emulate a USB HID security key. This has the disadvantage of not working with phones though.

I will try later whether I can get this code to work on my OnePlus.

fmeum commented 4 years ago

Unfortunately, the BLUETOOTH_PRIVILEGED permission can't be granted via adb as it is not marked as a development permission. I think that root access is needed to get this to run on phones with recent Android versions.
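
Whether the permission discussed in this thread was actually granted can be read from the output of `adb shell dumpsys package <package>`. The following is an added example, not code from this thread or from the project; the package name `com.example.token`, the sample text and the assumed dumpsys section layout are constructed for illustration.

```python
import re

PRIVILEGED = "android.permission.BLUETOOTH_PRIVILEGED"

# Constructed sample in the layout `adb shell dumpsys package <pkg>` prints
# (assumed layout; details vary between Android releases).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.token] (1a2b3c):
    requested permissions:
      android.permission.BLUETOOTH
      android.permission.BLUETOOTH_ADMIN
      android.permission.BLUETOOTH_PRIVILEGED
    install permissions:
      android.permission.BLUETOOTH: granted=true
      android.permission.BLUETOOTH_ADMIN: granted=true
    User 0: ceDataInode=1234 installed=true
      runtime permissions:
"""

SECTION = re.compile(r"^\s*(requested|install|runtime) permissions:\s*$")
ENTRY = re.compile(r"^\s*([\w.]+)(?::\s*granted=(true|false))?")


def permission_states(dumpsys_text):
    """Map permission name -> 'granted', 'denied' or 'requested-only'."""
    states, section = {}, None
    for line in dumpsys_text.splitlines():
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        entry = ENTRY.match(line)
        if section is None or not entry or "." not in entry.group(1):
            section = None  # not inside a permission block (any more)
            continue
        name, granted = entry.groups()
        if section == "requested":
            # Declared in the manifest; says nothing about the grant state.
            states.setdefault(name, "requested-only")
        elif granted is not None:
            states[name] = "granted" if granted == "true" else "denied"
    return states


def holds_bluetooth_privileged(dumpsys_text):
    """True only if the package was actually granted BLUETOOTH_PRIVILEGED."""
    return permission_states(dumpsys_text).get(PRIVILEGED) == "granted"
```

In the constructed sample the permission is declared in the manifest but missing from the install permissions, so the app does not hold it.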

kyriakopoulosd commented 4 years ago

Do you know if we can test this code at first via USB instead of BLE? So as to make sure that the FIDO2 token is being generated and, if OK, then check the BLE. Because at the moment, I'm not able to see my device with BLE. @mehakzahra1 I'd appreciate it if you described how you managed to make it work.

kyriakopoulosd commented 4 years ago

@FabianHenneke So if I get it right, the WearAuthn code will not work on phones because of choosing the Bluetooth HID API for emulating the token. However, would it work via NFC? For example, let's say we've "transferred" your code to implement a FIDO2 token on the NFC-enabled mobile (instead of the smartwatch) and then contact the laptop via an NFC reader? Would it work?

fmeum commented 4 years ago

> @FabianHenneke So if I get it right, the WearAuthn code will not work on phones because of choosing the Bluetooth HID API for emulating the token. However, would it work via NFC? For example, let's say we've "transferred" your code to implement a FIDO2 token on the NFC-enabled mobile (instead of the smartwatch) and then contact the laptop via an NFC reader? Would it work?

@kyriakopoulosd WearAuthn will not work with phones via Bluetooth, meaning that it can't connect to them. Android and iOS don't implement raw access to Bluetooth HID devices, so WearAuthn can't be used as a security key for phones. It can however be made to work on phones, assuming that the Bluetooth HID API is available. Unfortunately, many manufacturers don't implement this API, so the Pixels seem to be the only model on which this would work reliably. Once I have acquired a Pixel, I will see whether I can get this implemented.

Independent of all of this, the WearAuthn approach will always work over NFC since it can't be distinguished from an actual security key via this protocol.

kyriakopoulosd commented 4 years ago

@FabianHenneke so the WearAuthn approach would work as a Mobile App FIDO2 Authenticator via NFC (for all smartphones supporting NFC). So, since you're the expert on every single line of code in WearAuthn, can you recommend how I should, let's say, transform your project into a project like that? (As I described previously, the case is to tap my "Security Key" (Mobile App on Smartphone) on the NFC reader of the laptop and log in to webauthn.)

mehakzahra1 commented 4 years ago

Below are the steps to see the login mechanism:

1. Clone the project from the GitHub repo.
2. Import the project using Android Studio.
3. Enable Bluetooth on your laptop and mobile device.
4. Make sure you have the fingerprint sensor enabled on your Android device.
5. Open chrome://flags/ in your laptop browser and enable the following flags: Web Authentication API BLE support
6. Make sure you have Chrome version 76.0.3809.100.
7. Build and run the project in Android Studio.
8. After execution, open the app on your test device and press the button enable Fido token.
9. In order to check the connection, open the link in your browser and click on the button “Get Bluetooth device information characteristics”.
10. On clicking the button you will get the dialog box. You will see the list of devices; click on your device name and click "pair".
11. By clicking the pair button you will see an output console with the connection status, which confirms the connection if it's working.
12. In the same browser session, open another tab and open the link, fill in all the mandatory fields and click the “register” button.
13. You will see a dialog; select “Bluetooth security key”.
14. After clicking the “Bluetooth security key” button you will see a dialog box on Android which asks for your fingerprint credentials.
15. After the fingerprint step, click on the “Begin” button in the browser and you will be able to register.
16. Once you are registered, the public and private keys are generated and the private key is stored in the Android KeyStore.
17. Follow the same steps for the login mechanism and you will be able to log in.

Note: This is not a stable version. If you are not able to see the login mechanism, repeat the above-mentioned steps again. Refresh the browser and try to refresh the app.

Android test device: Samsung s8 plus

Chrome version 76.0.3809.100.

thedreamwork commented 4 years ago

> Below are the steps to see the login mechanism:
>
> Clone project from GitHub repo. Import the project using the android studio. Enable Bluetooth on your laptop and mobile device. Make sure you have fingerprint sensor-enabled in your android device. Open chrome://flags/ on your laptop browser and enable the following flags: Web Authentication API BLE support Make sure you have chrome version 76.0.3809.100 Build and run the project on android studio After execution open, the app on your test device and press button enable Fido token In order to check connection open the link on your browser and click on the button “Get Bluetooth device information characteristics”. On clicking the button you will get the dialog box. You will see the list of device click on your device name and click "pair" By clicking the pair button you will see an output console with the connection status which confirms the connection if it's working. In the same browser session, open another tab and open link fill all the mandatory fields and click the “register” button. You will see a dialog select “Bluetooth security key”. After clicking the “Bluetooth security key” button you will see a dialog box on android which asks your fingerprint credentials. After fingerprint step click on “Begin” button on the browser you will be able to register. Once you are registered public and the private key is generated and private key stored in android KeyStore. Follow the same steps for login mechanism and you will be able to log in. Note: This is not a stable version if you are not able to see the login mechanism. Repeat the above-mentioned steps again. Refresh the browser and try to refresh the app.
>
> Android test device: Samsung s8 plus
>
> Chrome version 76.0.3809.100.

Which GitHub repo?

thedreamwork commented 4 years ago

Google also recently demonstrated the 'caBLE' (cloud-assisted Bluetooth Low Energy) transport. It currently only works on Google's properties and requires Chrome. This article demonstrates how it works. It would be helpful for relying parties who would like to support caBLE.

mehakzahra1 commented 4 years ago

> > Below are the steps to see the login mechanism: Clone project from GitHub repo. Import the project using the android studio. Enable Bluetooth on your laptop and mobile device. Make sure you have fingerprint sensor-enabled in your android device. Open chrome://flags/ on your laptop browser and enable the following flags: Web Authentication API BLE support Make sure you have chrome version 76.0.3809.100 Build and run the project on android studio After execution open, the app on your test device and press button enable Fido token In order to check connection open the link on your browser and click on the button “Get Bluetooth device information characteristics”. On clicking the button you will get the dialog box. You will see the list of device click on your device name and click "pair" By clicking the pair button you will see an output console with the connection status which confirms the connection if it's working. In the same browser session, open another tab and open link fill all the mandatory fields and click the “register” button. You will see a dialog select “Bluetooth security key”. After clicking the “Bluetooth security key” button you will see a dialog box on android which asks your fingerprint credentials. After fingerprint step click on “Begin” button on the browser you will be able to register. Once you are registered public and the private key is generated and private key stored in android KeyStore. Follow the same steps for login mechanism and you will be able to log in. Note: This is not a stable version if you are not able to see the login mechanism. Repeat the above-mentioned steps again. Refresh the browser and try to refresh the app. Android test device: Samsung s8 plus Chrome version 76.0.3809.100.
>
> Which GitHub repo?

I mean this repo

licc12 commented 1 year ago

I implemented an alternative solution using "https://www.wiokey.de/en/".