
I'm making an Android app which needs to safely communicate with a PC app over Bluetooth. I'm going to use RFCOMM for that purpose. Since the apps will exchange user authentication details, there should be no possibility of unauthorized access to them. Is the level of security of Bluetooth high enough, or should I encrypt the traffic anyway?

If yes, what would be the best way to do that?

Also, is it a good idea to use RFCOMM?

dist3r

  • If your Bluetooth traffic is utilizing Bluetooth 4.1 then I'd say it's probably secure enough that you don't need to encrypt the traffic additionally. Bluetooth 4.1 utilizing Sec Mode 4 utilizes FIPS-approved hash authentication using SHA256 for authenticating, and AES encryption. NIST SP 800-121 has a wealth of info regarding Bluetooth security features. So the question really becomes: what version and security mode will you be incorporating? – Gansheim Oct 24 '18 at 18:28
  • I need to keep backward compatibility with devices utilizing Bluetooth 4.0. According to NIST SP 800-121, if one device is utilizing Bluetooth 4.1 or higher and another 4.0, I can only achieve Secure Mode 4 Level 3, which is considered not to be secure enough, right? – dist3r Oct 24 '18 at 19:23
  • Well yes, anything below 4.1 would use L3, but Level 3 is still considered secure and encrypted; it just doesn't use FIPS-approved algorithms, which means they have the POTENTIAL to be exploited. If I remember correctly, L3 uses ECC 192 instead of ECC 256, which many still consider secure. If you do end up encrypting the traffic in transit further, it's definitely going to impact performance (speed and, most importantly, battery life). It's going to come down to the level of risk you're willing to accept. – Gansheim Oct 24 '18 at 21:24

1 Answer


Secure "enough" really depends on your use case.

Security is often a tradeoff between cost, time and user experience on the product side, but also cost, time and gain on the attacker's side.

I assume your app is a kind of product. So from the marketing side, do you need to write "most secure encryption possible" on your product, or just "state-of-the-art encrypted data transfer"? Does anyone care?

How much could an attacker gain from sniffing the data? How much knowledge, time and money would it cost him?

Is your product usually used in a home environment? Then an attacker would maybe need to wait and sit for a very long time in front of your house to sniff any data at all. Not so realistic. Is your app usually used in front of an ATM? Then an attacker would know where to wait.

And then, even if an attacker was able to sniff the raw data, can he decrypt it? I agree with the comments above: if you can ensure that L3 with ECC192 will be used, a successful attack is very unlikely today.

Is the encrypted data of any value if decrypted in 10 years or so? If yes, maybe additional encryption would make sense, but I see rare use cases for that.

Using RFCOMM or not has little implication for the security, I think.

maze
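As an added example (not code from the question, the answer or the comments), this is how the Android side would request the authenticated, encrypted RFCOMM link that the Secure Mode 4 discussion above refers to, rather than the insecure socket variants; the service UUID, the listener name and the peer address are placeholders, and on Android 12+ the BLUETOOTH_CONNECT runtime permission is assumed to have been granted.

```java
// Added example: secure RFCOMM sockets on Android. Placeholder UUID/address.
import android.bluetooth.BluetoothAdapter;
import android.bluetooth.BluetoothDevice;
import android.bluetooth.BluetoothServerSocket;
import android.bluetooth.BluetoothSocket;

import java.io.IOException;
import java.util.UUID;

public final class SecureRfcomm {
    // Placeholder service UUID: generate your own and use the same value on the PC side.
    static final UUID SERVICE_UUID = UUID.fromString("00000000-0000-0000-0000-000000000000");

    /** Client side: connect only to an already-paired device over an authenticated, encrypted link. */
    static BluetoothSocket connectSecure(BluetoothAdapter adapter, String peerAddress) throws IOException {
        BluetoothDevice peer = adapter.getRemoteDevice(peerAddress);
        // Refuse devices the user never paired: pairing is what establishes the
        // link key that the link-layer encryption depends on.
        if (peer.getBondState() != BluetoothDevice.BOND_BONDED) {
            throw new IOException("peer is not bonded; pair it first");
        }
        // createRfcommSocketToServiceRecord() requests an authenticated and
        // encrypted link (which Secure Mode 4 level is negotiated depends on what
        // both devices support). createInsecureRfcommSocketToServiceRecord() skips
        // authentication and leaves the link exposed to a man-in-the-middle.
        BluetoothSocket socket = peer.createRfcommSocketToServiceRecord(SERVICE_UUID);
        adapter.cancelDiscovery();   // discovery slows down connect()
        socket.connect();            // blocks; call from a worker thread
        return socket;
    }

    /** Server side: the secure listener only, never listenUsingInsecureRfcommWithServiceRecord(). */
    static BluetoothSocket acceptSecure(BluetoothAdapter adapter) throws IOException {
        // "auth-sync" is a placeholder SDP service name.
        BluetoothServerSocket server = adapter.listenUsingRfcommWithServiceRecord("auth-sync", SERVICE_UUID);
        try {
            return server.accept();  // blocks until a client connects
        } finally {
            server.close();          // single client: stop advertising the channel
        }
    }
}
```

The returned socket's getInputStream()/getOutputStream() carry the application data; any additional application-layer encryption the answer mentions would be layered on those streams.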