
iOS Bluetooth BLE security and "Just works" association model

According to this document and this whitepaper, there are security measures designed to prevent passive eavesdropping on a Bluetooth BLE connection. Is there a way to implement the secure connection between an iOS central manager and a peripheral device?

Specifically, I'm looking to implement "Just works association model". I want to know if it is possible with an iPhone.

huggie asked Mar 23 '15 06:03



2 Answers

For BLE connections, iOS supports "Just Works" and also "PIN" based pairing.

For Out-of-band (OOB) pairing, there is no public iOS API (albeit a private one that Apple uses itself for Handoff amongst other things, to seamlessly pair two Apple devices without user interaction.)

Note that both "Just Works" and "PIN" pairing are somewhat broken. If an eavesdropper were to listen in on the initial pairing process, it could brute force the exchanged keys easily.

iOS 8.2 added support for BT 4.2, which includes various improvements for BLE pairing and security in general. I haven't looked at what parts iOS 8.2 supports though.

To kick off pairing:

  • an app that is using the peripheral needs to be in the foreground (this can be iOS' Settings)
  • after connecting,
    • send the "Slave Security Request" command from peripheral side (see the Bluetooth Specification), or,
    • access a "protected" characteristic on a service implemented either by the peripheral or by the app -- this will make iOS automagically initiate the pairing process if the device was not yet bonded. This is what Apple recommends.
Martijn Thé answered Sep 29 '22 22:09


EDITED:

According to the table under Step 4 in this link, because your Central (smartphone) has both Keyboard and Display, the only way to perform Just Works pairing is if the sensor has no input and no output capabilities.

So, to do that, you must configure the sensor to send a Pairing Response with the IO Capabilities set to NoInputNoOutput.

That will force the Central (your iOS device) to perform Just Works pairing.

Bogdan Alexandru answered Sep 29 '22 23:09
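The selection rule the second answer relies on, as an added example (not code from either answer or from Apple): how LE legacy pairing without OOB data chooses between Just Works and Passkey Entry from the Pairing Request and Pairing Response. The PDU bytes are constructed samples, and `select_method` and the array names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SMP IO Capability values (Bluetooth Core Spec, Vol 3, Part H). */
enum io_cap { DISPLAY_ONLY = 0x00, DISPLAY_YESNO = 0x01, KEYBOARD_ONLY = 0x02,
              NO_INPUT_NO_OUTPUT = 0x03, KEYBOARD_DISPLAY = 0x04 };
enum method { JUST_WORKS, PASSKEY_ENTRY, INVALID_PDU };

#define SMP_PAIRING_REQ 0x01
#define SMP_PAIRING_RSP 0x02
#define AUTHREQ_MITM    0x04 /* bit 2 of the AuthReq octet */

static int has_keyboard(uint8_t io) {
    return io == KEYBOARD_ONLY || io == KEYBOARD_DISPLAY;
}

/* Both PDUs are 7 bytes: opcode, IO capability, OOB flag, AuthReq,
 * max encryption key size, initiator key dist, responder key dist.
 * req comes from the central, rsp from the peripheral. */
enum method select_method(const uint8_t *req, size_t req_len,
                          const uint8_t *rsp, size_t rsp_len) {
    if (req_len != 7 || rsp_len != 7 ||
        req[0] != SMP_PAIRING_REQ || rsp[0] != SMP_PAIRING_RSP ||
        req[1] > KEYBOARD_DISPLAY || rsp[1] > KEYBOARD_DISPLAY)
        return INVALID_PDU;
    /* Neither side requests MITM protection: IO capabilities are ignored. */
    if (!((req[3] | rsp[3]) & AUTHREQ_MITM))
        return JUST_WORKS;
    /* A NoInputNoOutput side can neither show nor enter a passkey. */
    if (req[1] == NO_INPUT_NO_OUTPUT || rsp[1] == NO_INPUT_NO_OUTPUT)
        return JUST_WORKS;
    /* Two display-only style devices have no way to enter a passkey. */
    if (!has_keyboard(req[1]) && !has_keyboard(rsp[1]))
        return JUST_WORKS;
    return PASSKEY_ENTRY;
}

/* Constructed sample PDUs (not captured traffic). */
static const uint8_t central_req[7]    = {0x01, 0x04, 0x00, 0x05, 0x10, 0x07, 0x07};
static const uint8_t sensor_noio[7]    = {0x02, 0x03, 0x00, 0x01, 0x10, 0x07, 0x07};
static const uint8_t sensor_display[7] = {0x02, 0x00, 0x00, 0x05, 0x10, 0x07, 0x07};

int main(void) {
    printf("NoInputNoOutput sensor: %d\n", select_method(central_req, 7, sensor_noio, 7));
    printf("DisplayOnly sensor:     %d\n", select_method(central_req, 7, sensor_display, 7));
    return 0;
}
```

A key produced by Just Works is unauthenticated, so a peripheral that advertises NoInputNoOutput gets encryption but no protection against an active man-in-the-middle during pairing.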