
Using Web Bluetooth to Communicate with Bluetooth Devices - adunk
https://www.balena.io/blog/using-web-bluetooth-to-communicate-with-bluetooth-devices/
======
staticvar
I'm super interested in unpacking the reasons why folks think WebUSB and Web
Bluetooth "can't end well" as one user here put it. Would folks mind listing
their reasons? This is assuming there is some way to install a native app with
access to these APIs... But if you are in the camp of "no bluetooth ever" and
"no USB ever" that would be totally interesting to know as well :).

~~~
smacktoward
From a security perspective, you want to add features only when they're
seriously needed, not just because you can. Even if the new feature _seems_
completely safe, there may be some potential way to compromise it you're not
seeing, or some interaction it will have with other features that isn't
obvious until the two are shipping together.

The smallest attack surface is no attack surface at all.

~~~
clinta
From a security perspective you should consider what users are already doing
and if introducing a feature can be better security than that.

Users are already installing local applications from untrustworthy hardware
vendors just to interact with bluetooth devices. I think a web bluetooth
standard is an improvement on that.

------
guzik
We are actively using Web Bluetooth within our hardware debugging ecosystem
([https://www.aidlab.com/developer/debug](https://www.aidlab.com/developer/debug))
for our wearable. It plays great role, as:

* It's multiplatform.

* You can rapidly upload the changes (it's web)

* Bluetooth 4.0+ is faster than semihosting (and Bluetooth 5 even more).

* You don't have to use wires.

but what worries me is that there is a visible slowdown in the development of
Web Bluetooth (at least when we compare it to the rapid growth in 2015-2017).
Is it going to be a dead technology soon? Because it is way behind being a
mature tech.

~~~
nobodyshere
It is indeed very likely going to die. Webkit team isn't even considering it
anymore now.

~~~
neoeldex
Webkit itself is very likely to die xD. Who uses safari nowadays?

~~~
realusername
I would not say it's likely to die because it's obviously false since on iOS
it's the only choice but it's true that when you see the release logs of
Safari, it's moving very slowly very far behind Chrome or Firefox.

------
archi42
Oh, this is neat :). I was recently thinking about how to configure something
on an ESP8266 from my phone - with the ESP potentially being out of range of
the WiFi; so HTTP or attaching the ESP to my MQTT server will not be a
reliable option.

I was afraid I had to write an Android App to connect to the device via
Bluetooth, which sucks because I am neither an app nor a java dev. With the
web BT functionality I can now put a simple interface somewhere on the web,
open it on my device and control the ESP (I am not a web dev either, but
simple JS toy stuff is easy enough).

Of course this might require swapping the ESP8266 for an ESP32 if BLE is
strictly necessary (the former doesn't support BLE, afaict).

~~~
frabert
I don't think the ESP8266 supports any kind of Bluetooth at all

~~~
archi42
Ah, you're right, thanks - I had that mixed up anyway because until now I
wasn't interested in using BT in my hobby projects at all. So that's a nice
excuse to order an ESP32 or two or three.

------
user4294
HTTPS is good but it's not good enough for web api context because it only
protects client-server communications.

Prompting the user is good but it's not good enough for web api context
because users can't be fully informed by a one line prompt.

I was asked to help my mother in law with her PC. When I looked at the screen
it was half covered by W10 notifications from web sites. I asked her, how do
you use this. And she sad, I don't know how that happened and I don't know how
to stop it. Of course she gave permission but she could not understand how bad
web sites would abuse notifications so she couldn't make a fully informed
decision . It was sad. I turned all off.

Now, developers will say that it's impossible to fully inform a user but when
that's the case should we really push that anyway to the user?

~~~
skybrian
Hmm, at least it's easy for someone else (you) to help her fix it?

This is a bit of a tangent, but as tech support workers soon learn, it's
unrealistic to expect everyone in a large pool of users to be independent of
tech support. We have a myth of competent independence that works for some but
it's not reality.

This goes double when your business includes retirees. As people age, many
businesses have to figure out how to handle cognitive decline and death of
their customers gracefully. (I'm thinking financial institutions in
particular.)

Browsers try to make the open web safe for everyone, but it seems to be based
on the median user and many users are well below average.

------
alufers
I have recently tried communicating via BLE on an ESP32 using the Web
Bluetooth API on a hackathon. The experience was mediocre at best. Enabling an
experimental flag on the desktop version of Chrome 77 was reqired, we had to
use some hacks to overcome the 20 byte limit for writing into a
characteristic. Additionaly after 10 hours of constantly connecting and
disconnecting the device, it refused to work with any device except with one
laptop. I don't know if it was caused by the web api or the ESP32 but it was
quite an unpleasant superise.

~~~
matharmin
I had a similar experience with ESP32 + Web Bluetooth. Ran into very weird
issues, code that previously worked and then stopped working, even after
restarting the device. Eventually figured out that the issue was on my laptop
side (somewhere between the hardware, Ubuntu and Chrome), and it worked
perfectly from my Chromebook and Android phone. For a long time I never even
considered that the issue could be on the laptop, since I expected it to be
the ESP32 that's buggy.

What I did find is that it can give a very good UX when it's working: connect
directly from the browser to the ESP32, without requiring any WiFi setup or
other hack to find and pair the device.

------
filleokus
Maybe I'm an Apple fan boy, but the list of features WebKit mark as "Not
considering" [0] are indeed features I can see become awful security /
usability problems. Like WebUSB, that just can't end well...

[0]:
[https://webkit.org/status/#?status=not%20considering](https://webkit.org/status/#?status=not%20considering)

~~~
simion314
If an app really needs the feature it will have to distribute a native binary
(like you have/had with some web video/screenshare) so do you prefer to have
some applications that each one has to offer a Windows and Mac binary (no
Linux or mobile) ?

IMO this API should be off by default. Then you would get a native popup when
an application is trying to access them for an user to approve it, like this
was something Falsh did many years back when you attempted to access the
webcam or microphone. Speaking of Flash there were pages that had to use an
invisible Flash player(or Java apple) to work around missing features of
browsers. So personally I would like if it would be possible to have a browser
based, cross platform wideo chat, screen sharing or other cool application as
long is using free standards(I mean real ones not Chrome/Google wants it so is
a standard now ) . Sorry for the long response.

~~~
josteink
> If an app really needs the feature it will have to distribute a native
> binary (like you have/had with some web video/screenshare) so do you prefer
> to have some applications that each one has to offer a Windows and Mac
> binary (no Linux or mobile) ?

Yes. 100%. And I say that as a Linux-user.

If someone needs access to low level system and platform specific stuff, I
would like to have that confined and isolated in an app 100% separate from my
browser, which is already having a hard time staying secure.

That will also make such apps harder to make, so people will not make the
decision to require such APIs lightly, or “just” to profile a user.

This is the same position I have on WebDRM, and the way WebDRM has gone only
solidifies my stance.

~~~
Touche
> I would like to have that confined and isolated in an app 100% separate from
> my browser, which is already having a hard time staying secure.

So instead of having all of the security features that browsers have you would
prefer to run the application in an environment where code has all of the
permissions as the user running it. I'm sure malicious actors are onboard with
this proposal!

------
NKosmatos
Another nice blog post/mini-project from Balena. Even though there are other
similar solutions, the ease of use and instructions posted, make it very easy
to create your own project :-)

------
stabbles
I'm excited about BLE for the browser. I'm not sure what multiplatform (mobile
& desktop) alternatives there are except for Qt, and even Qt has bugs and open
issues you have to work around.

For instance, only Qt 5.13+ has support for discovering and connecting BLE
devices on Windows without pairing first -- if you are stuck on an LTS version
(5.12), BLE is awkward in use.

------
josteink
How about we just provide WebDMA instead and call it a day?

Clearly nobody cares about the security of the user anymore anyway.

~~~
Shoue
Every time someone posts Web Bluetooth someone brings up security, which is
fair, but I don't think it's productive to immediately dismiss it. The Chrome
developers behind the spec have thought a lot about the security implications.
It's not impossible to make Web Bluetooth more secure than tricking a user
into installing a malicious program, which isn't exactly a complex trick right
now.

This article from 2016 goes into some of the security of Web Bluetooth:

[https://medium.com/@jyasskin/the-web-bluetooth-security-
mode...](https://medium.com/@jyasskin/the-web-bluetooth-security-
model-666b4e7eed2)

------
kfihihc
If someone want to try Web Bluetooth, please look at this project[1]: a Web
Command Line Interface via NUS (Nordic UART Service).

[1]:[https://github.com/makerdiary/web-device-
cli](https://github.com/makerdiary/web-device-cli)

------
jpablo
While Web Bluetooth seems like a good idea to us making BLE devices, the truth
of the matter is that only google adopted it, and only such a small subset
that you have to design your device around Web Bluetooth.

I recently had to make a iOS app that embedded a webview that catches web
bluetooth calls and implemented them natively, to work around the fact that
Web Bluetooth doesn't work on Safari. I think that would be a maintenance
nightmare going forward.

~~~
sitkack
> embedded a webview that catches web bluetooth calls and implemented them
> natively, to work around the fact that Web Bluetooth doesn't work on Safari

This just broke my mind. Could you explain how/why this infinity mirror
contraption was built?

~~~
toast0
jpablo built a website that uses WebBluetooth to do something. That doesn't
work on Safari, so to make it work on iOS, jpablo built an app.

The app is mostly just a (safari) webview, but with hooks to satisfy the web
bluetooth api, by using native code.

~~~
sitkack
The ol ReverseDoubleWat ! A native app to shim a browser feature so the web
will work on mobile. Bringing the web to native mobile.

------
Hitton
Are IoT devices with Bluetooth that don't have Wi-Fi common?

~~~
d-sc
Bluetooth is much simpler to implement and cheaper than WiFi.

------
r00fus
Who's pushing WebBT? Facebook, Twitter?

I want to understand the industry support behind this protocol/standard and
the what they hope to gain from it.

------
reportgunner
Can somebody please help me understand what is cool about this ? Seems like a
web interface that can use bluetooth.

Was this previously impossible or something ?

~~~
The_rationalist
Firefox does not support web Bluetooth

~~~
pjmlp
With the Chromification of the Web that slowly matters less and less, sadly.

~~~
sitkack
We are within a stone's throw away from America Online or Prodigy, but almost
entirely self imposed. It is very interesting how monocultures and winner take
all systemics play out.

------
moonbug
Halloween has come early.

------
ForHackernews
Oh good, an exciting new attack vector!

~~~
MrQuincle
Sure, but why the big difference between Wifi and Bluetooth? You can reach
your Wifi devices from your browser. People do not argue that they want a
separate application to do so. They use the same application to reach the
internet versus the devices on their LAN.

------
akmarinov
No iOS support? Dead on arrival.

~~~
lucasverra
it's not even in considerations to implement in webkit

