Nearby Threats: Reversing, Analyzing, and Attacking Google’s ‘Nearby Connections’ on Android

2019 
Google’s Nearby Connections API enables any Android (and Android Things) application to provide proximity-based services to its users, regardless of their network connectivity. The API uses Bluetooth BR/EDR, Bluetooth LE and Wi-Fi to let “nearby” clients (discoverers) and servers (advertisers) connect and exchange different types of payloads. The implementation of the API is proprietary, closed-source and obfuscated. The updates of the API are automatically installed by Google across different versions of Android, without user interaction. Little is known publicly about the security guarantees offered by the API, even though it presents a significant attack surface. In this work we present the first security analysis of Google’s Nearby Connections API, based on reverse-engineering of its Android implementation. We discover and implement several attacks grouped into two families: connection manipulation (CMA) and range extension attacks (REA). CMA-attacks allow an attacker to insert himself as a man-in-the-middle and manipulate connections (even unrelated to the API), and to tamper with the victim’s network interface and configuration. REA-attacks allow an attacker to tunnel any nearby connection to remote (non-nearby) locations, even between two honest devices. Our attacks are enabled by REarby, a toolkit we developed while reversing the implementation of the API. REarby includes a dynamic binary instrumenter, a packet dissector, and the implementations of custom Nearby Connections client and server.