MaboaSoft Engineering Team

Why Your BLE Protocol Is Not a Secret: Android HCI Logs, Wireshark, and Bluetooth Security

Many BLE products rely on hidden mobile app protocols for security. Android Bluetooth HCI logs and Wireshark can reveal BLE communication patterns quickly — and that changes how mobile teams should think about BLE app design, testing, and security handoff.

Why Your BLE Protocol Is Not a Secret: Android HCI Logs, Wireshark, and Bluetooth Security

A lot of Bluetooth Low Energy products rely on one dangerous assumption:

“Only our mobile app knows how to talk to the device.” That is not a security model.

In many cases, you do not need to decompile the Android application to start understanding how a BLE device behaves. Android can generate Bluetooth HCI logs, and those logs can be opened in Wireshark.

That is often enough to see the connection flow, service discovery, characteristic reads, notification subscriptions, write operations, and repeated command patterns. Not the full business logic. Not always the meaning of every byte. But enough to prove one thing:

Your BLE protocol should not be treated as a secret.

This matters for connected medical devices, industrial sensors, access-control hardware, consumer IoT, logistics tags, smart locks, wearables, and any product where a phone sends commands to nearby hardware.


1. The Bluetooth Security Myth

Manufacturers often believe one of these things:

  • The device only works with our official app.
  • The UUIDs are not documented.
  • The protocol is proprietary.
  • Bluetooth pairing means the communication is secure.
  • Nobody will spend time looking into this.

Those are weak assumptions.

A mobile app runs on a device controlled by the user. BLE traffic can be observed. Logs can be collected. APKs can be inspected. Commands can often be replayed or reproduced.

Bluetooth is a transport layer. A proprietary protocol is not a security boundary. Obfuscation is not authorization.

If a sensitive action can be triggered from the mobile app, the device itself must verify whether that action is allowed.


2. What Android Can Reveal Before APK Reverse Engineering

Android has a built-in Bluetooth HCI snoop logging feature. It exists for debugging Bluetooth problems, but it is also a useful reminder: BLE communication is observable from the client side.

A basic investigation flow looks like this:

Android phone
  -> BLE device connected
  -> Bluetooth HCI snoop log enabled
  -> user performs actions in the app
  -> HCI log exported from a bug report
  -> Wireshark analysis

You may already see:

  • Connection and disconnection events
  • Service discovery
  • Characteristic reads
  • Characteristic writes
  • Notification subscriptions
  • Repeated command patterns
  • Timing between app actions and BLE writes

This does not automatically give the attacker everything. But it gives them a map. And once someone has a map, reverse engineering becomes much easier.


3. Example: Capturing a Bluetooth HCI Log on Android

Use a test device you own or are authorized to test. Do not collect traffic from devices, users, or environments where you do not have permission.

The most reliable route is usually Android Developer Options:

  1. Enable Developer Options, following the official Android documentation.

  2. Enable Bluetooth HCI snoop log.

    Android Developer Options screen with Bluetooth HCI snoop log enabled

    Android Developer Options can capture Bluetooth HCI traffic for debugging. The exact label and export behavior may vary by Android version and vendor build.

  3. Restart Bluetooth if needed.

  4. Open the app and reproduce the BLE actions you want to understand.

  5. Export a bug report:

    adb bugreport ble-capture.zip
  6. Unzip the report:

    unzip ble-capture.zip -d ble-capture
  7. Search the extracted report for the Bluetooth snoop log. The exact path is device- and Android-version-dependent, but filenames often contain btsnoop, hci, or bluetooth.

  8. Open the capture in Wireshark and inspect the Bluetooth HCI / ATT / GATT packets.

    Wireshark showing a Bluetooth HCI capture with BLE ATT and GATT packets

    A BLE HCI capture in Wireshark can expose packet order, characteristic operations, notification setup, and command timing even when payload meaning is still unknown.


4. What You Can Learn from the Capture

Even with sensitive payloads redacted, a Wireshark capture can show the structure of the communication.

A typical BLE interaction may look like this:

Connect
  -> Discover Services
  -> Read Device Information
  -> Enable Notifications
  -> Write Characteristic
  -> Receive Notification
  -> Write Another Command

At the packet level, the interesting part is not only the bytes. It is the sequence.

What you see in the captureWhy it matters
Service discoveryReveals the shape of the GATT surface: services, characteristics, and handles.
Read requestsShows which data the app needs before it decides what to do next.
Write requests or commandsPoints to the characteristics that trigger behavior on the device.
Notification subscriptionsShows where responses, status updates, or asynchronous events arrive.
Repeated command sequencesSuggests which flows are deterministic and potentially reproducible.
Timing between actions and writesHelps map a UI action to the BLE packets it caused.

For example:

  • Which action in the app causes a BLE write?
  • Does the app write to the same characteristic every time?
  • Are notifications enabled before commands are sent?
  • Are commands repeated?
  • Does the device accept commands immediately after connection?
  • Is there any visible authentication step?
  • Does the same command pattern appear across sessions?

5. Why This Matters for BLE Product Security

If your security depends on hiding UUIDs or command bytes, the product is fragile.

Weak assumptionWhy it fails
The UUIDs are hidden.They can often be observed during service discovery or recovered from the app.
Only our app can send commands.A custom client can usually write to BLE characteristics if the device accepts the command.
The APK is obfuscated.BLE behavior can be observed without touching the APK, and obfuscation rarely protects runtime behavior.
The protocol is proprietary.Proprietary does not mean authenticated, replay-resistant, or authorized.
Pairing is enough.Pairing is not the same as command authorization, freshness, or per-action permission checks.

Better assumptions are harsher, but much safer:

Safer assumptionWhat it means
The app is untrusted.Do not rely on client-side secrets or client-only authorization decisions.
The protocol is public.Design as if services, characteristics, and command formats are known.
Commands can be replayed.Use freshness: counters, nonces, challenge-response, or short-lived session material.
Devices may be physically accessible.Protect secrets, provisioning flows, debug interfaces, and factory modes.
Firmware will be inspected.Sign firmware updates and avoid one global secret across the fleet.

6. Bad Model vs Better Model

The risky model is simple:

App -> command bytes
Device -> execute immediately

If the captured command can be replayed later by a custom script, the device has no real authorization layer. The app was acting as the gatekeeper, and the gatekeeper runs on hardware controlled by the user.

A stronger model moves the decision to the device:

App -> command + identity + freshness proof + MAC/signature
Device -> verify authorization
Device -> verify freshness
Device -> verify command integrity
Device -> execute only if valid

The exact mechanism depends on the device class, threat model, cost constraints, provisioning flow, and regulatory surface. The principle does not change: the product should still be secure when the command sequence is known.


7. What BLE Manufacturers Should Do Instead

The goal is not to avoid BLE. BLE is fine. The problem is using protocol secrecy as the main security mechanism.

Practical recommendations:

Treat the mobile app as untrusted

Do not store global secrets in the app. Do not assume that app logic cannot be copied. Do not authorize critical actions only in the mobile client.

Authenticate sensitive commands on the device

The device should verify whether a command is valid before executing it. That can mean a message authentication code, a signature, a challenge-response exchange, or another mechanism appropriate for the hardware.

Use per-device credentials

Avoid one shared key for all devices. If one app, firmware image, or device leaks the key, every device becomes exposed.

Prevent replay attacks

If the same captured command can be sent again later, that is a problem.

Use mechanisms such as:

  • nonces
  • counters
  • challenge-response
  • short-lived session keys
  • message authentication codes

Sign firmware updates

Firmware updates should be signed. The device should verify the signature before installing anything.

An update mechanism without signature verification is a direct path to device compromise.

Protect provisioning and recovery flows

Many BLE products are strongest during normal operation and weakest during setup, reset, pairing, factory diagnostics, or recovery mode. Those flows deserve the same security review as the main command path.

Do not rely on hidden UUIDs

UUIDs and characteristic layouts are not secrets. They are implementation details.

Security should still hold if every UUID and command sequence is public.


8. A Simple Security Test Question

Ask this during BLE product design:

If someone knows every service UUID, every characteristic UUID, and the full command sequence, is the product still secure? If the answer is no, the security model is probably wrong.

A stronger design assumes:

  • The app can be inspected.
  • The BLE traffic can be observed.
  • The command flow can be reproduced.
  • The device must verify every sensitive action.

How MaboaSoft Helps

MaboaSoft builds and reviews mobile software across Flutter, native Android, native iOS, .NET MAUI, Xamarin modernization, and connected-device workflows. We do not replace a hardware, firmware, or cryptography team. We help mobile teams expose fragile assumptions early, document what the app is doing over BLE, and turn that into clear engineering input for the product and device teams.

We can help with:

  • BLE mobile app review — mapping GATT flows, command paths, pairing assumptions, and replay risks.
  • Android and iOS implementation review — checking how the mobile app handles secrets, provisioning, background behavior, and error states.
  • Integration architecture review — clarifying where the mobile app, backend, and device responsibilities start and stop.
  • Security handoff documentation — producing concrete findings that firmware, hardware, backend, or external security specialists can act on.
  • Pre-launch software review — turning an observable BLE flow into a practical mobile remediation plan before customers or attackers do.

Building a mobile app for a BLE product, or worried that the app is carrying too much security responsibility? Book a 20-minute call. We will review the mobile-side architecture, identify fragile assumptions, and help you prepare a clear handoff for the teams responsible for device and backend security.


FAQ

Can Android capture Bluetooth Low Energy traffic? Yes. Android can generate Bluetooth HCI snoop logs for debugging. When enabled on a test device, those logs can often be exported through a bug report and opened in Wireshark to inspect BLE connection events, GATT discovery, ATT reads, writes, and notifications.

Does Bluetooth pairing make a proprietary BLE protocol secure? No. Pairing can protect the transport in some configurations, but it is not the same as device-side authorization for sensitive commands. A BLE product still needs to verify command authenticity, freshness, and permissions on the device.

Is hiding BLE UUIDs or command bytes a valid security strategy? No. UUIDs, characteristic layouts, and command patterns can often be observed from the mobile device or recovered from the app. A secure design should assume the protocol will become public.


Resources & Further Reading


Final Thoughts

You do not need advanced reverse engineering to learn something important about a BLE device.

Sometimes Android Bluetooth HCI logs and Wireshark are enough to reveal the communication flow. That does not make BLE insecure by itself. It means BLE products must be designed with the right threat model.

Your mobile app is not a trusted security boundary. Your proprietary BLE protocol is not a secret. Your device must verify sensitive actions by itself.

Build as if someone is already watching the protocol — because eventually, someone will.