API Authentication/Authorization

I'm planning to use my metawear to drive a motor to open my door.
What's the best way to add some auth so that not everybody can open the door just by using the metawear app to turn on the pin that runs the motor driver?
Is it possible to block the API unless some conditions are met?



  • You could do it many ways, here are some random thoughts on top of my head:
    1. Use Parse/rest (some kind of backend app) and have a login in your App with a password and username
    2. Force users to bond their devices with the MetaWear upon first use
    3. You could use the MetaWear UUID/MAC and store this info somewhere in the phone (encrypted) and use it as an access code / password (or something along those lines)
    4. Ship all MetaWear motor drivers (your product) with an access code that you enter in the App the first time you use it
  • Hi Laura,

    Thanks for the answer and sorry for the delay. Didn't look into my metawear project for a while.

    Yes, all those ways that you suggested are possible but I guess that I would need to flash the metawear with a custom firmware, correct?
    It seems that the metawear, with the default firmware, is able to connect to any phone and respond to commands sent by the app.
    At least I didn't find out any way to add some kind of auth with the current firmware.
  • Jonas,
    You don't need custom firmware for my first three proposed ideas. 
    We now support bonding (see ANCS app and the latest firmware release) and if you use a backend for auth then it doesn't mean you need to alter the API or firmware on the device. Just use Parse or some other cloud backend in your App and done!
    For idea #4 you would need custom firmware or you could potentially use the device ID/key as your access code and then no custom firmware would be required.

  • Clear. Thanks Laura. I didn't understand what bonding was.
    I'll check out the ANCS app. :)

    Thanks again
  • Hi Laura,

    Sorry for bother you again.

    I wrote an iOS app that uses Parse as a backend. After authentication it bonds to the MetaWear and sends commands to turn on the GPIOS.
    All of this is fine.

    But even after bonding if I turn off bluetooth on the iphone I can still connect to the MetaWear with another phone using the example app and control it.

    I assumed that you were suggesting that after bonding with one device other devices would not be able to connect to it, but probably I just didn't get what you were telling me to do.

    Can you explain again as I was a complete dumb?

    Thanks so much

  • Jonas,

    By default Bluetooth is setup to be always connectable. Think about what would happen if you have one Bluetooth accessory only accessible to iPhoneX and then you lost iPhoneX. How would you then connect that "locked" accessory with your new iPhoneY? You can't really "block" a Bluetooth connection per-say. All devices on the market are connectable; it's just that most folks don't know the UUIDs of various devices so it takes some "engineering" and "hacking" to get data out.
    All you can do is code specific device names, device IDs, and endpoint UUIDs for data that are not "know to the public".
    You can use a login in the App so that once the iPhone talks to the device it accesses "hidden" UUIDs to get data out.
    Does that make any sense?
    Additionally, when you are logged in and authenticated through an App via a backend like Parse; you can then exchange some keys/password with the device (write a specific password to the device flash and store it permanently) and use it as a device password.
    Hopefully that also make sense.
  • edited April 2015
    Hi Laura,

    Thanks for your answer. I know more or less how bluetooth works. I just thought that you were suggesting something that would do what I need with the current firmware.
    Hidden UUIDs is not an option. But it seems that there's no way to do what I want with metawear's default firmware.
    I'll look at alternatives.
    I'm sorry for the bad communication.

    Thanks a lot for your time.

  • No worries Jonas. You should take a look at what some similar product are doing as a work around.
This discussion has been closed.