Bluetooth Secure Simple Pairing (SSP) using QR code as Out of Band (OOB) channel

Question

I have a Windows 7 application, which uses Stollmann SDK to successfully bond PC with Android. The bidirectional exchange of Bluetooth MAC address, hash and randomizer is carried out out of band via NFC:

The source code of the Windows application unfortunately can not be shared here. On the Android side no app is needed and the Secure Simple Pairing is performed by the operating system (by HandoverManager?) once an NDEF message with application/vnd.bluetooth.ep.oob is received.

Now I am trying to create an Android app, which would use unidirectional authentication to perform OOB pairing via scanned QR code (instead of NFC).

A custom QR code would be shown at PC screen (generated by ZXing.Net) and contain Bluetooth MAC address, hash and randomizer.

However OOB bonding seems to be not implemented yet in Android -

BluetoothAdapter.java:

/**
 * Read the local Out of Band Pairing Data
 * <p>Requires {@link android.Manifest.permission#BLUETOOTH}
 *
 * @return Pair<byte[], byte[]> of Hash and Randomizer
 *
 * @hide
 */
public Pair<byte[], byte[]> readOutOfBandData() {
    if (getState() != STATE_ON) return null;
    //TODO(BT
    /*
    try {
        byte[] hash;
        byte[] randomizer;

        byte[] ret = mService.readOutOfBandData();

        if (ret  == null || ret.length != 32) return null;

        hash = Arrays.copyOfRange(ret, 0, 16);
        randomizer = Arrays.copyOfRange(ret, 16, 32);

        if (DBG) {
            Log.d(TAG, "readOutOfBandData:" + Arrays.toString(hash) +
              ":" + Arrays.toString(randomizer));
        }
        return new Pair<byte[], byte[]>(hash, randomizer);

    } catch (RemoteException e) {Log.e(TAG, "", e);}*/
    return null;
}

BluetoothDevice.java:

/**
 * Start the bonding (pairing) process with the remote device using the
 * Out Of Band mechanism.
 *
 * <p>This is an asynchronous call, it will return immediately. Register
 * for {@link #ACTION_BOND_STATE_CHANGED} intents to be notified when
 * the bonding process completes, and its result.
 *
 * <p>Android system services will handle the necessary user interactions
 * to confirm and complete the bonding process.
 *
 * <p>Requires {@link android.Manifest.permission#BLUETOOTH_ADMIN}.
 *
 * @param hash - Simple Secure pairing hash
 * @param randomizer - The random key obtained using OOB
 * @return false on immediate error, true if bonding will begin
 *
 * @hide
 */
public boolean createBondOutOfBand(byte[] hash, byte[] randomizer) {
    //TODO(BT)
    /*
    try {
        return sService.createBondOutOfBand(this, hash, randomizer);
    } catch (RemoteException e) {Log.e(TAG, "", e);}*/
    return false;
}

/**
 * Set the Out Of Band data for a remote device to be used later
 * in the pairing mechanism. Users can obtain this data through other
 * trusted channels
 *
 * <p>Requires {@link android.Manifest.permission#BLUETOOTH_ADMIN}.
 *
 * @param hash Simple Secure pairing hash
 * @param randomizer The random key obtained using OOB
 * @return false on error; true otherwise
 *
 * @hide
 */
public boolean setDeviceOutOfBandData(byte[] hash, byte[] randomizer) {
  //TODO(BT)
  /*
  try {
    return sService.setDeviceOutOfBandData(this, hash, randomizer);
  } catch (RemoteException e) {Log.e(TAG, "", e);} */
  return false;
}

My question:

Since OOB Bluetooth pairing works well over NFC on Android - do you think there is a (hackish) way to do the same via QR code?

Maybe (crazy idea) by feeding HandoverManager with a fake NDEF message?

Answer 1

You can not fake the NFC broadcast which is actually posted by NFC service app when it detects the NFC tag. Since this is a protected broadcast non system apps can not broadcast the intent.