vicr123 / QNearbyShare

Nearby Share implementation for Linux
MIT License
115 stars, 6 forks

Security and Privacy #9

Open bkmgit opened 10 months ago

bkmgit commented 10 months ago

There are security and privacy concerns with the nearbyshare and related protocols:

Does this implementation do anything different? Should there be advice to users?

vicr123 commented 10 months ago

Hi,

This implementation of Nearby Share does not support being run over Bluetooth, and the service is only running and exposed when the user has elected to receive a file. Having said that, it's important to check that the PIN shown before a transfer is started matches on both devices to avoid a MITM attack.

If you do find a specific, reproducible security issue please open a ticket :)
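The following is an added illustration of the point made above (why comparing the displayed PIN on both devices defeats a MITM); it is not code from QNearbyShare, NearDrop or Google's protocol and is not part of this thread. The Diffie-Hellman group and the PIN derivation are toy choices made for the demo (assumptions); the real protocol uses UKEY2 and derives its PIN differently. What carries over is the structure: the PIN is a short authentication string computed from the key-exchange transcript as each side sees it, so an attacker who runs two separate exchanges cannot make both sides display the same value. The function names (`honest_session`, `mitm_session`, `transfer_allowed`) are likewise invented for the example.

```python
"""Why comparing the PIN on both devices defeats a MITM (added illustration).

Not QNearbyShare or Google protocol code. The DH parameters and the PIN
derivation below are toy assumptions made for the demo; the real protocol
uses UKEY2 and its own PIN derivation. The structure is what matters: the
PIN binds the public keys each party actually saw, so a man in the middle
who substitutes its own key produces two different PINs.
"""
import hashlib
import hmac
import random

# Toy DH parameters (assumption, NOT secure): a 255-bit prime and a small
# generator keep the demo fast and dependency-free.
P = 2**255 - 19
G = 2


def dh_keypair(rng: random.Random) -> tuple[int, int]:
    """Return (private, public) for one party."""
    priv = rng.randrange(2, P - 2)
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Classic DH: peer_pub ** priv mod P."""
    return pow(peer_pub, priv, P)


def pin_from_transcript(pub_initiator: int, pub_responder: int, shared: int) -> str:
    """Derive a 4-digit PIN from what this party believes the session is.

    Toy derivation (assumption): SHA-256 over both public keys in a fixed
    order plus the shared secret, reduced to four decimal digits. Including
    the public keys is what makes key substitution by a MITM visible.
    """
    h = hashlib.sha256()
    for v in (pub_initiator, pub_responder, shared):
        h.update(v.to_bytes(32, "big"))
    return f"{int.from_bytes(h.digest()[:4], 'big') % 10_000:04d}"


def pins_match(pin_shown_here: str, pin_read_from_other_device: str) -> bool:
    """Constant-time comparison of the two displayed PINs."""
    return hmac.compare_digest(pin_shown_here, pin_read_from_other_device)


def honest_session(seed: int) -> tuple[str, str]:
    """Sender and receiver exchange keys directly; returns the PIN each shows."""
    rng = random.Random(seed)
    s_priv, s_pub = dh_keypair(rng)
    r_priv, r_pub = dh_keypair(rng)
    pin_sender = pin_from_transcript(s_pub, r_pub, dh_shared(s_priv, r_pub))
    pin_receiver = pin_from_transcript(s_pub, r_pub, dh_shared(r_priv, s_pub))
    return pin_sender, pin_receiver


def mitm_session(seed: int) -> tuple[str, str]:
    """Attacker M runs one exchange with the sender and another with the receiver.

    Each victim sees M's public key in place of the other party's, so each
    computes its PIN over a different transcript. M can decrypt and
    re-encrypt the transfer, but cannot make the two displayed PINs agree.
    """
    rng = random.Random(seed)
    s_priv, s_pub = dh_keypair(rng)
    r_priv, r_pub = dh_keypair(rng)
    m_priv, m_pub = dh_keypair(rng)
    # The sender believes the "receiver" key it was sent is r_pub; it is m_pub.
    pin_sender = pin_from_transcript(s_pub, m_pub, dh_shared(s_priv, m_pub))
    # The receiver believes the "sender" key it was sent is s_pub; it is m_pub.
    pin_receiver = pin_from_transcript(m_pub, r_pub, dh_shared(r_priv, m_pub))
    return pin_sender, pin_receiver


def transfer_allowed(pins: tuple[str, str]) -> bool:
    """The rule from the thread: start the transfer only if both PINs match."""
    return pins_match(pins[0], pins[1])


if __name__ == "__main__":
    for label, session in (("direct", honest_session), ("via MITM", mitm_session)):
        pins = session(seed=1)
        print(f"{label:9} sender shows {pins[0]}, receiver shows {pins[1]} "
              f"-> transfer allowed: {transfer_allowed(pins)}")
```

Two caveats a user should keep in mind: the check only helps if it happens before any file data is sent, and a 4-digit PIN leaves an attacker a 1-in-10,000 chance per attempt that the two transcripts happen to agree, which is why a mismatch should abort the session rather than prompt a retry.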

bkmgit commented 10 months ago

Maybe it is worth standardizing the protocol? For example through an IETF RFC? There is an upcoming meeting relatively close to you https://www.ietf.org/how/meetings/119/

vicr123 commented 10 months ago

Hey, the goal of this project is compatibility with Google's protocol. It would be great if it was a standardised protocol but that's for Google to decide and act on, not me. If Google changes the protocol I'll endeavour to update the project to maintain compatibility.

Most of the reverse engineering work comes from https://github.com/grishka/NearDrop if you're interested in protocol documentation.

bkmgit commented 10 months ago

Ok, commented on https://github.com/google/nearby/issues/2198