
Why does Android limit the acceptable file types so strictly while receiving via Bluetooth OPP?

Greetings stackoverflow.

Recently, I've been tracing the Bluetooth operating mechanism in the Android framework. I've noticed that there's a file type limitation, which was made by this patch, when receiving files via OPP.

In package com.android.bluetooth.opp, there's a fixed white list in Constants.java:

/**
 * The MIME type(s) of we could accept from other device.
 * This is in essence a "white list" of acceptable types.
 * Today, restricted to images, audio, video and certain text types.
 */
public static final String[] ACCEPTABLE_SHARE_INBOUND_TYPES = new String[] {
    /* ... some types such as images and music ... */
};

which limits the acceptable file types in BluetoothOppObexServerSession.java:

        // Reject policy: anything outside the "white list" plus unspecified
        // MIME Types.
        if (!pre_reject
                && (mimeType == null || (!Constants.mimeTypeMatches(mimeType,
                        Constants.ACCEPTABLE_SHARE_INBOUND_TYPES)))) {
            if (D) Log.w(TAG, "mimeType is null or in unacceptable list, reject the transfer");
            pre_reject = true;
            obexResponse = ResponseCodes.OBEX_HTTP_UNSUPPORTED_TYPE;
        }

What makes us concerned about the MIME type in this situation? To my knowledge, we may want to block executable files (i.e. *.apk, *.so) since those files may harm our device. If blocking some specific types is the reason we set a list here, why would we use a white list instead of a black list just before this patch? Is there a similar limitation when we transmit files via other non-Bluetooth protocols such as HTTP?

coldturnip asked Jun 29 '11 09:06


1 Answer

The OBEX profile is expected to achieve application-level interoperability for the content formats being exchanged. For example, if a business card is pushed / pulled, the local application should understand the business card format to be able to display the business card at the appropriate location (for example, the contacts location) and should understand the format to display it in its local contacts app. OPP specifies content formats for Phone books (vCards), Calendar, Messaging, Notes, etc. So the server should support the particular object format that the client is trying to send it, to be able to take appropriate action with the received object.

For a more generic transfer / exchange of files the FTP profile can be used.

Dennis Mathews answered Nov 27 '22 01:11
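
As an added illustration (not code from the Android source or from either poster), the sketch below contrasts the fail-closed white-list policy quoted in the question with a black-list policy applied to the same declared types. The list contents, the `matches` helper and the sample type values are constructed for the example; the real contents of ACCEPTABLE_SHARE_INBOUND_TYPES are not shown on this page.

```java
import java.util.Locale;

public class InboundTypePolicy {
    // Constructed sample lists, not the real Android constants.
    static final String[] ALLOW = { "image/*", "audio/*", "video/*", "text/x-vcard", "text/plain" };
    static final String[] DENY  = { "application/vnd.android.package-archive" };

    // Hypothetical matcher: exact match, or "type/*" matching any subtype of that type.
    static boolean matches(String mimeType, String pattern) {
        String m = mimeType.trim().toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (p.endsWith("/*")) {
            String prefix = p.substring(0, p.length() - 1);   // "image/*" -> "image/"
            return m.startsWith(prefix) && m.length() > prefix.length();
        }
        return m.equals(p);
    }

    static boolean matchesAny(String mimeType, String[] patterns) {
        for (String p : patterns) {
            if (matches(mimeType, p)) return true;
        }
        return false;
    }

    // White list: a missing type or anything unlisted is rejected (fails closed).
    static boolean acceptWithAllowList(String mimeType) {
        return mimeType != null && matchesAny(mimeType, ALLOW);
    }

    // Black list: only the types someone thought to list are rejected (fails open).
    static boolean acceptWithDenyList(String mimeType) {
        return mimeType == null || !matchesAny(mimeType, DENY);
    }

    public static void main(String[] args) {
        // Constructed values a sending device might declare for the object type.
        String[] declared = { "image/jpeg", "IMAGE/PNG", null,
                "application/vnd.android.package-archive",
                "application/octet-stream", "application/x-sharedlib" };
        for (String t : declared) {
            System.out.printf("%-42s white-list=%-6s black-list=%s%n", t,
                    acceptWithAllowList(t) ? "accept" : "reject",
                    acceptWithDenyList(t) ? "accept" : "reject");
        }
    }
}
```

The missing type, `application/octet-stream` and `application/x-sharedlib` are accepted by the black list but rejected by the white list, which is the practical difference between the two policies when the sender controls the declared type.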