Security concerns on Android?

Nandi_Wong · October 24, 2014, 2:14am

Recently I have worked on a project on iBeacon and installed some estimotes onto the field. However I have found a security issues which is likely caused by "too powerful" of the android's estimote app. Here is my test case:

Testing Scenario:

Device #1 : iphone 4S , ios8.0.1
Device #2 : iphone 6 , ios8.0.1
Device #3 : One Plus One , android 4.4.2

3 Devices have all installed "Estimote" app from app store/google market

Case 1

I have modified the UUID of the beacon using device #1 , with a completely new UUID , result in Device#2 cannot scan using the estimote app , however Device#3 can also scan ( and modify the Major/Minor also)

Case 2

I have modified the Major/Minor of the beacon using Device#3 with estimote app and succeeded. However, Device#1 can no longer modify the beacon with estimote app since the beacon is shown "not belongs to this user"

So my question is:

"Is there any way to prevent an anonymous Android user who is using the Estimote App downloaded from Google Play, to modify the major/minor of our ibeacon easily? "

I think this may quite affect the behaviour of our project as if anyone else can chance the major/minor that easily :/

Wojtekb · October 24, 2014, 12:52pm

Hi Nandi,

We're aware that Android still gives you a way to work around our authentication mechanism already implemented in the iOS version of our app. We're working on that and will release relevant updates in the near future.

Cheers.

Topic		Replies	Views
Security and API standards Archive	1	327	June 27, 2014
Estimote Beacon Connect Password Archive	14	526	August 12, 2014
For Android Estimote App no need to login Estimote Cloud account BLE Beacons	1	924	April 9, 2015
Understanding the security of Estimote Beacons	1	991	April 15, 2015
Lock-down, secure beacon's settings and firmware Archive	3	402	November 24, 2014

Security concerns on Android?

Case 1

Case 2

Related Topics