Monitoring Bluetooth Traffic In Android Studio: A Step-By-Step Guide

Bluetooth is a wireless technology that allows devices to communicate and exchange data over short distances. It is widely used for connecting headphones, speakers, smartwatches, and more. Monitoring Bluetooth traffic can help troubleshoot connection problems, check data integrity, and detect malicious activity. On Android, this can be done using Wireshark, Ubertooth, or PacketLogger. Newer versions of Wireshark include an androiddump utility to capture Bluetooth traffic directly from Android phones. Alternatively, Android has a built-in function to log all traffic into a file, which can be copied and analysed in Wireshark.

Capturing Bluetooth traffic with Wireshark

Wireshark is a network packet analyzer that can be used to capture traffic from many different network media types, including Bluetooth.

To capture Bluetooth traffic with Wireshark, follow these steps:

• Enable Developer Options on your Android device: Go to Settings -> Developer Options and enable the "Bluetooth HCI Snoop Log" option. This will allow you to capture all Bluetooth HCI packets.
• Start capturing packets with Wireshark: Open Wireshark and go to "Capture" -> "Options" to configure the capture options. Select the interface you want to capture packets from and apply any necessary filters.
• Specify the output file: In the "Output" tab of the "Capture Options" dialog, specify the output file for the captured packets. You can choose to save the packets in a single file or multiple files.
• Start the capture: Click on the "Start" button in the "Capture Options" dialog to start capturing packets.
• View captured packets: Once the capture is complete, you can open the output file in Wireshark to view the captured packets. Go to "File" -> "Open" and select the output file. The captured packets will be displayed in the packet list pane.
• Analyze and filter packets: You can use the various features of Wireshark to analyze and filter the captured packets. For example, you can apply display filters to focus on specific packets, or use the protocol dissectors to examine the packet details.

By following these steps, you can effectively capture and analyze Bluetooth traffic using Wireshark.

Using Ubertooth to monitor Bluetooth traffic

Ubertooth is an open-source Bluetooth development platform that can be used to monitor Bluetooth traffic on Android Studio. It is important to note that Ubertooth has limited capabilities compared to commercial hardware Bluetooth sniffing solutions. However, it is a viable option for those seeking a more affordable and accessible tool for Bluetooth traffic monitoring.

• Purchase an Ubertooth device: You can buy the Ubertooth One from the official website or other online retailers.
• Connect Ubertooth to your Android device: Ubertooth should be connected to your Android phone or tablet via Bluetooth.
• Install the necessary software: You may need to install additional software or libraries to interact with the Ubertooth device and process the captured Bluetooth traffic.
• Start monitoring: Once you have set up the Ubertooth device and the required software, you can start monitoring Bluetooth traffic. Ubertooth will capture Bluetooth packets and allow you to analyse them.
• Analyse the captured data: Use appropriate tools, such as Wireshark, to inspect the captured Bluetooth traffic. This will enable you to see the exchanged packages and gain valuable insights for auditing or development purposes.
• Configure advanced settings (optional): For more advanced users, Ubertooth offers customisation options. By modifying the configuration files, you can blacklist specific devices, set verbosity levels, and more.

In summary, Ubertooth provides a capable and flexible solution for monitoring Bluetooth traffic on Android Studio. While it may not possess the full capabilities of commercial hardware, Ubertooth offers a cost-effective and open-source alternative for developers and security analysts.

Bluetooth traffic analysis with PacketLogger

PacketLogger is a tool that can be used to analyse Bluetooth traffic on macOS. It is available on the Apple Developers platform. PacketLogger is useful for dumping traffic on the Bluetooth interface of a Mac. It can be used to open PacketLogger captures, which can be exported in the btsnoop format.

PacketLogger can be used to analyse HCI logs. HCI Packet Logging can be enabled by using the following command:

/capture_bluetooth_beagle12.py

For the Beagle 12 device, or

/capture_bluetooth_beagle480_5000.py

For the Beagle 480 and 5000 devices.

PacketLogger can also be used to analyse Bluetooth traffic on Windows by logging the USB traffic locally or connecting a USB Bluetooth dongle and using a USB Protocol Analyser.

There are four different Bluetooth HCI packet types: HCI Commands, HCI Events, HCI ACL, and HCI SCO packets. HCI Commands are sent to the Control Endpoint, while HCI Events are received on an Interrupt Endpoint, and ACL packets are sent via Bulk Endpoint.

Bluetooth traffic logging on Android

Bluetooth technology is used to exchange data over short distances and is found in many devices today, from smartphones and tablets to cars, headphones, and computers. With the increasing number of applications leveraging Bluetooth, it is important to be able to monitor Bluetooth traffic for security and performance optimisation.

Methods for Monitoring Bluetooth Traffic on Android:

Using a Sniffing Device:

• One way to monitor Bluetooth traffic is by using a dedicated sniffing device like the Ubertooth One.
• This device allows you to capture Bluetooth packets and analyse them using tools like Wireshark.
• It provides more flexibility and configuration options compared to built-in Bluetooth monitoring on Android.

Built-in Bluetooth HCI Snoop Log (Android 4.4 and newer):

• Android devices running version 4.4 and above have a built-in feature to capture all Bluetooth HCI (Host Controller Interface) packets.
• To enable this feature, go to "Settings -> Developer Options" and check the box next to "Bluetooth HCI Snoop Log."
• Once enabled, the Bluetooth packet capture will be saved to a file, typically located at "/sdcard/btsnoop_hci.log" or "/data/misc/bluetooth/logs/btsnoop_hci.log".
• You can then pull this file to your computer and analyse it using tools like Wireshark.

Wireshark with androiddump utility:

• Newer versions of Wireshark include an androiddump utility that allows capturing Bluetooth traffic directly from Android phones.
• Simply connect your phone to the computer via USB, enable USB debugging, select the "Android Bluetooth" capture source in Wireshark, and start recording.

Android Bluetooth Traffic Capture with adb:

• Android also provides a function to log all Bluetooth traffic into a file, which can be copied to a computer for analysis in Wireshark.
• To enable this, first, enable "Bluetooth HCI snoop log" in the Android developer options.
• Then, connect to the phone via USB debugging with adb and run "adb root" to gain root-level access.
• Create a bug report ZIP file with "adb bugreport bugreport.out" and search for the "btsnoop_hci.log" file within it.
• If the log file is not in the bug report, use "adb pull <full_path_to_logfile>" to retrieve it from the device.

Tools for Monitoring Bluetooth Traffic:

• In addition to Wireshark, there are other tools available for monitoring Bluetooth traffic, such as Ubertooth for Linux and PacketLogger for macOS.
• These tools can capture and display Bluetooth packets, protocols, and data exchanged between devices.

Bluetooth traffic monitoring with hcidump

Step 1: Enable Developer Mode

To monitor Bluetooth traffic, your Android device needs to be in Developer Mode. Go to the Settings menu and enable Developer Options. Within the Developer Options, make sure to check the box next to "Bluetooth HCI Snoop Log." This setting will enable the logging of all Bluetooth activity on your device.

Step 2: Toggle Bluetooth On/Off

After enabling the Bluetooth HCI Snoop Log, you need to toggle your Bluetooth connection on and off. This step is crucial to initialize the logging file or folder. Remember to do this each time you want to capture Bluetooth traffic.

Step 3: Locate the Log Files

The Bluetooth log files are typically stored in the "/sdcard/btsnoop_hci.log" directory. However, this path may vary slightly depending on your Android version. Use a file explorer to navigate to the "Files" or "Internal Storage" section and search for "btsnoop". The log files should have a .cfa extension. Make sure to enable the "Show Internal Storage" option if you can't find the files.

Step 4: Transfer Log Files to Computer

To analyze the Bluetooth traffic, you need to transfer the log files from your Android device to your computer. You can use various methods, such as Google Drive, Dropbox, or browsing the Android file system from your computer. Choose the method that suits you best and ensure you have the necessary permissions to access the files.

Step 5: Analyze with Wireshark

Once you have the log files on your computer, it's time to open them with Wireshark, a powerful analysis tool. Wireshark allows you to inspect each log entry in great detail, including the individual octets of each message. This level of detail will provide you with valuable insights into the Bluetooth communications taking place on your Android device.

Best Practices and Considerations:

• Pro Tip: To capture specific Bluetooth activities, have everything ready, then toggle your Bluetooth on and off right before performing the desired action. This way, you won't have to scroll through extensive log files.
• Remember to disable the HCI Snoop Log setting when you're done to conserve storage space and prevent unnecessary logging.
• Keep in mind that this method only works on Android 4.4 (Kit Kat) and later versions.
• While this technique is straightforward, it only provides a partial view of Bluetooth security, simulating a privileged adversary with device access.

Frequently asked questions