My app was working fine until Android 5.0.2, which doesn't allow third-party apps to connect to a HID device over Bluetooth Low Energy.

myGatt.setCharacteristicNotification(gattChar, true);

06-01 17:39:35.356: W/BluetoothGatt(21599):
java.lang.SecurityException: Need BLUETOOTH_PRIVILEGED permission:Neither
user 10157 nor current process has android.permission.BLUETOOTH_PRIVILEGED.

<uses-permission android:name="android.permission.BLUETOOTH_PRIVILEGED" />

BLUETOOTH_PRIVILEGED permission doesn't work on a third party app. It's only for system or manufacturer apps.

The latest changes from Android note: Enforce BLUETOOTH_PRIVILEGED permission for HID-over-GATT https://android.googlesource.com/platform/packages/apps/Bluetooth/+/02bebee

Code snippet:

private static final UUID[] HID_UUIDS = {
    UUID.fromString("00002A4A-0000-1000-8000-00805F9B34FB"),
    UUID.fromString("00002A4B-0000-1000-8000-00805F9B34FB"),
    UUID.fromString("00002A4C-0000-1000-8000-00805F9B34FB"),
    UUID.fromString("00002A4D-0000-1000-8000-00805F9B34FB") };

if (isHidUuid(charUuid)) enforcePrivilegedPermission();

My question: is there a way to overwrite HID_UUIDS or enforcePrivilegedPermission? Can I use reflection to bypass it?

Every time Android releases a new version, it breaks the previous code.

Thanks!

amed

1 Answer

The question is old, but still worth answering. The HID (and FIDO https://fidoalliance.org/) service is protected and indeed requires system permission (source). Only apps signed with the system key may use this service, that is only Bluetooth settings. This is to ensure that 3rd party apps are not able to listen to keys typed on a wireless keyboard, as all notifications and indications are transferred to all BluetoothGatt objects. Without this protection you would be able to connect to a HID device (you still can), enable notifications using gatt.setCharacteristicNotification(.., true) and receive updates whenever a key is typed. With a bit of knowledge about Report characteristics you can then get all the keys and mouse positions, including passwords, etc. So it's not a break, but a bug fix. On KitKat you still may do this.

The only solution is to compile your own AOSP Android version and sign your app with the same key. Otherwise it would be useless protection.

Btw, starting from Android 8 or perhaps earlier you don't get SecurityException. The call just returns true like any other and you never get any callback. This might have been changed here: https://android.googlesource.com/platform/packages/apps/Bluetooth/+/32dc7a6b919375aede777f3c821fa316d85449ae%5E%21/#F2

philips77
  • I posted a similar question and was wondering if there's a source for a clear answer why Bluetooth LE HID has permissions while Bluetooth classic doesn't? I'm trying to set a connection for output and input reports through an Android app, but writing to a characteristic never manages to get to the callback. It seems surprising that no one had found a "hacky" way to get this working. Let me know your thoughts. – karamazovbros Apr 20 '19 at 00:22
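
An added example, not part of the original thread and not AOSP code: an app-side guard that recognises both failure modes described above (the SecurityException on Android 5.0.2 and the silent "returns true, no callback" behaviour reported for Android 8) so the app can report the platform restriction instead of hanging. `HidNotifyGuard`, `NotifyCall` and `Result` are hypothetical names; `NotifyCall` stands in for the app's wrapper around `BluetoothGatt.setCharacteristicNotification()`, and the stand-ins in `main` are constructed.

```java
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

public class HidNotifyGuard {
    // Characteristic UUIDs from the platform snippet quoted in the question.
    static final Set<UUID> HID_UUIDS = Set.of(
        UUID.fromString("00002A4A-0000-1000-8000-00805F9B34FB"),  // HID Information
        UUID.fromString("00002A4B-0000-1000-8000-00805F9B34FB"),  // Report Map
        UUID.fromString("00002A4C-0000-1000-8000-00805F9B34FB"),  // HID Control Point
        UUID.fromString("00002A4D-0000-1000-8000-00805F9B34FB")); // Report

    enum Result { DELIVERING, BLOCKED_EXCEPTION, BLOCKED_SILENT, FAILED }

    /** Hypothetical stand-in for the app's call to setCharacteristicNotification(). */
    interface NotifyCall { boolean enable(UUID charUuid); }

    /**
     * Enables notifications and classifies the outcome. The app's
     * onCharacteristicChanged handler counts firstNotification down
     * when the first value arrives.
     */
    static Result enable(NotifyCall gatt, UUID charUuid, CountDownLatch firstNotification,
                         long timeoutMs) throws InterruptedException {
        boolean hid = HID_UUIDS.contains(charUuid);
        try {
            if (!gatt.enable(charUuid)) return Result.FAILED;
        } catch (SecurityException e) {
            // Reported for Android 5.0.2: the platform rejects the call outright.
            return hid ? Result.BLOCKED_EXCEPTION : Result.FAILED;
        }
        if (firstNotification.await(timeoutMs, TimeUnit.MILLISECONDS)) return Result.DELIVERING;
        // Reported for Android 8: true is returned but no callback arrives. An idle
        // device looks the same, so a timeout on a HID UUID is attributed to the block.
        return hid ? Result.BLOCKED_SILENT : Result.FAILED;
    }

    public static void main(String[] args) throws InterruptedException {
        UUID report = UUID.fromString("00002a4d-0000-1000-8000-00805f9b34fb");  // HID Report
        UUID battery = UUID.fromString("00002a19-0000-1000-8000-00805f9b34fb"); // Battery Level, not HID
        // Constructed stand-ins for the platform behaviours described in the thread.
        NotifyCall throwing = u -> { throw new SecurityException("Need BLUETOOTH_PRIVILEGED permission"); };
        NotifyCall silent = u -> true;
        CountDownLatch delivered = new CountDownLatch(1);
        NotifyCall working = u -> { delivered.countDown(); return true; };
        System.out.println(enable(throwing, report, new CountDownLatch(1), 200));
        System.out.println(enable(silent, report, new CountDownLatch(1), 200));
        System.out.println(enable(working, battery, delivered, 200));
    }
}
```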