You are reading a single comment by @user141359 and its replies.
Click here to read the full conversation.
Espruino is a JavaScript interpreter for low-power Microcontrollers. This site is both a support community for Espruino and a place to share what you are working on.
@user141359
First of all thank you @fanoush, when I made this thread 8 months ago I was not aware which Espruino help articles are about Espruino in general and which also apply to Bangle.js 2 in particular. Maybe the homepage could be more specific here!
I know that there is a whitelist functionality. And AFIK also a BETA feature PIN to connect. But those, I believe, are both filters at the device level not on the app level!
On Android usually not all apps can read the notifications! Apps need to request
android.permission.BIND_NOTIFICATION_LISĀTENER_SERVICE. Would it be possible for an app to break this security sandbox by requesting the Bluetooth permission instead and then reading the notifications back from the Android companion app on the Bangle.js 2 watch? Or otherwise create mischief on the watch? (By installing additional apps or setting the time). Or sending notifications that I think came from the OS/Gadgetbridge but come instead from evilapp.Maybe the functionality to install more apps onto the watch should only be possible from some apps or the browser with an extra programming PIN, and not from all apps from that (whitelisted) device.
I guess what I would love to see is some sort of threat model how the watch behaves and what is guaranteed to work and what isn't. What is the responsiblity of the user to secure and what isn't and what the guarantees in terms of isolation and security are.
Thanks in advance!