I would like to contribute to the Chrome project with a bug fix and enhancement for Web Bluetooth.
Web Bluetooth Session Specific Pairing for Enhanced Security
The way pairing currently works in Web Bluetooth is that the JavaScript API will scan for a GATT server advertising a specific service UUID and then the list of available devices appears in a selection dialogue.
There is currently a bug in this process where multiple devices will be listed even though there is just one device advertising the service. I have entered a bug on this issue:
Issue 1269819: Web Bluetooth "Scanning..." / "wants to pair" Dialogue Reports Multiple Devices
https://bugs.chromium.org/p/chromium/issues/detail?id=1269819
Rather than having Chrome scan for all devices that are advertising a service based on a general service UUID, it would be incredibly MORE SECURE if the JavaScript method in the Web Bluetooth API could scan for a specific session UUID advertised by the GATT server on the local device.
This meets the specific use case where a user is interacting with a browser and his/her own mobile device; e.g., an Android application running a GATT server. A server could send a specific session UUID to both the user's browser and his/her Android application.
This also would be helpful in the use case where a user registers a device (e.g., a blood pressure monitor, digital scale, etc.) and that device automatically pairs with the user's web application. With each session a different session UUID would be sent to the device and confirmed by the web application based on a specific user
The current architecture that requires a "Scanning..." / "wants to pair" Dialogue is incredibly inelegant.
The change to make this work would be incredibly simple. Instead of:
let device = await navigator.bluetooth.requestDevice({filters: [{services: [serviceUuid]}]});
The JavaScript method would be changed to:
let device = await navigator.bluetooth.requestDevice({filters: [{sessUuid: [sessionUuid], message: ["Start your Acme Blood Pressure device."]}]});
Rather than a dialogue box being displayed for selection, the pairing would be automatic if the sessionUuids matched.
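
The `sessUuid` filter above is the post's proposal, not an existing Web Bluetooth field. As an added sketch (not from the post or from Chrome), the same per-session matching can be approximated today with the existing `services` filter, assuming the companion app advertises the session UUID as a 128-bit service UUID; `newSessionUuid`, `sessionRequestOptions` and `connectForSession` are hypothetical names, and the chooser dialogue still appears.

```javascript
// Added sketch, not Chrome or spec code. Uses only the existing `services` filter.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Lowercase random (version 4) UUID, the only form accepted here.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// Server side (assumed): mint one random 128-bit UUID per session and send it to
// both the browser page and the companion app that will advertise it.
// The UUID is broadcast in advertisements: it is a session identifier, not a secret.
function newSessionUuid() {
  return webcrypto.randomUUID();
}

// Browser side: requestDevice() options that match only a peripheral advertising
// this session's UUID. Web Bluetooth requires lowercase UUID strings.
function sessionRequestOptions(sessionUuid) {
  const uuid = String(sessionUuid).toLowerCase();
  if (!UUID_RE.test(uuid)) {
    throw new TypeError("not a random (v4) UUID: " + sessionUuid);
  }
  return { filters: [{ services: [uuid] }] };
}

// After the user confirms the device in the chooser, check that its GATT server
// really exposes the session service before using the connection.
// `bluetooth` is navigator.bluetooth in a page (passed in so it can be faked).
async function connectForSession(bluetooth, sessionUuid) {
  const options = sessionRequestOptions(sessionUuid);
  const uuid = options.filters[0].services[0];
  const device = await bluetooth.requestDevice(options);
  const server = await device.gatt.connect();
  try {
    await server.getPrimaryService(uuid); // rejects if the service is absent
  } catch (err) {
    server.disconnect();
    throw new Error("device does not expose the session service");
  }
  return server;
}
```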