Location-Based Connection APIs & Security Considerations

Deep-dive research into proximity technologies, security threats, privacy-preserving protocols, and regulatory landscape for a proximity-based decentralized social app where users can only connect with people they physically meet.

Last updated: April 2026

1. Location / Proximity APIs (2025-2026)

1.1 Bluetooth Low Energy (BLE)

BLE remains the most viable transport for proximity discovery on smartphones. Both platforms have tightened background restrictions significantly in 2025-2026.

Android: BluetoothLeAdvertiser / BluetoothLeScanner

API surface (unchanged since Android 12):

• BluetoothLeAdvertiser for broadcasting advertisements
• BluetoothLeScanner for discovering nearby devices
• BluetoothGatt / BluetoothGattServer for connected data exchange

Permission model (Android 12+, refined through Android 17):

Background scanning restrictions (progressive tightening):

• Android 8.0+: Background scan rate limited. Unfiltered scans throttled to ~5 results per 30 seconds.
• Android 10+: Apps cannot start BLE scans from background without a foreground service.
• Android 14+: Foreground service must declare android:foregroundServiceType="connectedDevice" in manifest. Service will be killed without this declaration. Runtime validation ensures app holds BLUETOOTH_CONNECT.
• Android 15+: Further foreground service launch restrictions. Fluoride 2.0 BLE stack deployed.
• Android 17 (2026): Unfiltered background scans stopped on screen-off. A UUID or device address filter is mandatory. PendingIntent-based scanning (startScan() with PendingIntent) is the recommended approach for background discovery when the app process is not running.

Recommended workarounds for background discovery:

1. PendingIntent scanning: Register a PendingIntent with BluetoothLeScanner.startScan() using ScanFilter with your service UUID. The system delivers scan results even when the app is not running.
2. CompanionDeviceManager: For continuous connection maintenance, migrate to CompanionDeviceManager which has system-level privileges for keeping connections alive.
3. Foreground service with connectedDevice type: Use ScanSettings.Builder with SCAN_MODE_LOW_POWER for continuous but battery-friendly scanning.

Key references:

• Android BLE Overview
• BluetoothLeAdvertiser API
• BluetoothLeScanner API
• Background BLE Communication

iOS: CoreBluetooth

API surface:

• CBCentralManager for scanning and connecting to peripherals
• CBPeripheralManager for advertising and serving GATT data
• CBPeripheral / CBService / CBCharacteristic for data exchange

Background BLE behavior (as of iOS 18-19, 2025-2026):

iOS has always been more restrictive than Android for background BLE. Key constraints:

• Background modes required: Apps must declare bluetooth-central and/or bluetooth-peripheral in UIBackgroundModes.
• Reduced advertisement in background: When backgrounded, CBPeripheralManager strips most advertisement data. Only the service UUID is retained, and it is moved into a special overflow area that is only visible to other iOS devices scanning for that specific UUID.
• Scanning requires UUID filter: Background scanning only invokes callbacks when scanning for specific CBUUIDs. Wildcard scans do not deliver results in background.
• iPhone 17 regression (2026): Reports indicate background scanning stops immediately on app backgrounding on iPhone 17, even with bluetooth-central in UIBackgroundModes. On iPhone 16 and earlier, background scanning continued at reduced intervals. This represents a significant behavioral change.
• Aggressive session termination: Advertise-then-scan sequences are interrupted when the user briefly switches apps, causing both CBPeripheralManager advertising and CBCentralManager scanning to stop.

Workarounds:

1. State Preservation and Restoration: CoreBluetooth can relaunch apps terminated by the system into the background when Bluetooth events occur. Apps must implement willRestoreState delegate methods.
2. CoreLocation beacon monitoring: Register as an iBeacon monitor via CLBeaconRegion. iOS itself monitors for the beacon and relaunches the app with a small background execution window when detected. This is the most reliable background detection mechanism on iOS.
3. BackgroundTasks framework: Schedule BGProcessingTask for periodic check-ins, though execution timing is unpredictable.

Key references:

• CoreBluetooth Documentation
• CoreBluetooth Background Processing

BLE 5.0 / 5.1 / 5.2 / 6.0 Feature Summary

1.2 NFC (Near Field Communication)

Android: Host Card Emulation (HCE)

Android provides comprehensive NFC support through multiple APIs:

• NfcAdapter: Core NFC API for tag discovery and NDEF reading/writing
• HostApduService: Host Card Emulation — allows Android to act as an NFC card, processing APDUs routed directly from the NFC controller to the application without requiring a hardware Secure Element
• HostNfcFService: FeliCa-specific HCE variant (primarily Japan market)
• NfcA / NfcB / IsoDep: Low-level tag technology access

HCE for P2P key exchange pattern:

Since Android Beam (native NFC P2P) was deprecated in Android 10, the recommended approach for bidirectional NFC data exchange is an HCE-based protocol:

Device A (Reader)              Device B (Card Emulator / HCE)
     |                                    |
     |--- SELECT AID (app identifier) --->|
     |<-- Response: B's public key -------|
     |--- A's public key + nonce -------->|
     |<-- HMAC confirmation --------------|
     |                                    |
     Total: ~150-200 bytes, <1 second

One device runs HostApduService to emulate a card containing the key material; the other uses NfcAdapter in reader mode. Roles can be swapped or coordinated via the app UI.

API version requirements:

• HCE: Android 4.4+ (API 19)
• Reader mode: Android 4.4+ (API 19)
• Last documentation update: February 2026

Key references:

• Host-based Card Emulation Overview

iOS: Core NFC

iOS NFC capabilities remain significantly more limited than Android:

• NDEF reading: Supported since iOS 11 (iPhone 7+)
• NDEF writing: Supported since iOS 13 (iPhone 7+)
• Tag reading (ISO 7816, ISO 15693, FeliCa, MIFARE): Supported since iOS 13
• P2P mode (NFC-DEP/SNEP): NOT supported. Apple has never exposed peer-to-peer NFC.
• Card emulation (HCE): NOT available to third-party developers for general use

iOS 18.1 NFC & SE Platform (2025):

Apple introduced the NFC & SE Platform API in iOS 18.1, opening the Secure Element to approved third-party developers. This enables card emulation for specific use cases: payments, transit cards, car keys, hotel keys, corporate badges, student IDs, event tickets, and loyalty cards.

However, this API:

• Requires a commercial agreement with Apple and payment of fees
• Is limited to specific approved use cases (not general-purpose data exchange)
• Requires industry-specific entitlements
• Is available in select countries (Australia, Brazil, Canada, Japan, New Zealand, UK, US as of 2025, expanding globally)

For our use case: The NFC & SE Platform is not suitable for general key exchange. The practical approach on iOS remains:

1. One-way NFC: Android device uses HCE to present key material; iOS device reads it via NFCNDEFReaderSession
2. QR code fallback: Universal fallback that works on all devices

Key references:

• Core NFC Documentation
• NFC & SE Platform

1.3 Wi-Fi Aware / Wi-Fi Direct

Wi-Fi Aware (Neighbor Awareness Networking / NAN)

Android:

• Supported since Android 8.0 (API 26) on capable hardware
• Based on Wi-Fi Alliance Wi-Fi Aware specification versions 2.0, 3.0, 3.1, and 4.0
• Enables discovery and P2P connections without an access point
• Android 14+: Added suspend/resume for active discovery sessions — lower power, faster resume
• Requires NEARBY_WIFI_DEVICES permission (Android 13+) instead of ACCESS_FINE_LOCATION
• Hardware support varies by device manufacturer; not available on all Android phones

iOS:

• Apple uses proprietary AWDL (Apple Wireless Direct Link) internally
• AWDL powers AirDrop and is used by Multipeer Connectivity under the hood
• No public Wi-Fi Aware / NAN API exposed to developers
• Accessible indirectly via MultipeerConnectivity or Network.framework with peer-to-peer Wi-Fi option

Privacy concerns:

• Wi-Fi probe requests leak MAC addresses and previously-connected SSIDs
• Wi-Fi Direct group formation exposes device names
• Best suited as a data transfer layer after trust is already established via BLE/NFC, not for discovery

Key references:

• Android Wi-Fi Aware Overview
• Android Wi-Fi Aware AOSP

Wi-Fi Direct (P2P)

• Creates peer-to-peer WiFi connection without infrastructure
• Range: ~100m (similar to normal WiFi)
• Bandwidth: Full WiFi speeds (50+ Mbps)
• Android: WifiP2pManager API, supported since Android 4.0
• iOS: Not directly accessible; available via Multipeer Connectivity or Network.framework

1.4 UWB (Ultra-Wideband)

UWB is the most promising technology for cryptographically secure proximity verification due to its physics-based distance measurement that is resistant to relay attacks.

Apple: NearbyInteraction Framework

Hardware:

• U1 chip: iPhone 11-14, Apple Watch Series 6-8, HomePod mini
• U2 chip: iPhone 15+, Apple Watch Series 9+, Apple Watch Ultra 2+
• U2 improvements: lower power consumption, wider detection range, faster connections, enhanced security
• U2 precision finding accuracy increased ~5x over U1

API: NearbyInteraction framework

• Provides distance and direction to nearby Apple devices or UWB accessories
• Returns NINearbyObject with distance (meters, centimeter accuracy) and direction (simd_float3 vector)
• Requires both devices to exchange a NIDiscoveryToken (typically over BLE or network)
• Range: ~30m with centimeter accuracy; U2 beyond 50m
• Uses Time of Flight (ToF) measurements — more accurate than RSSI

Limitations:

• Apple-only ecosystem (Apple to Apple or Apple to certified UWB accessories)
• Third-party UWB accessories must implement the Nearby Interaction accessory protocol with a certified UWB chipset (e.g., Qorvo)
• No direct Apple-to-Android UWB interoperability through this framework

Key references:

• Nearby Interaction Documentation
• Finding Devices with Precision
• Nearby Interaction with UWB

Android: UWB API

Hardware support:

• Available on select devices: Google Pixel 6 Pro+, Samsung Galaxy S21 Ultra+, select other flagships
• Not universally available — many mid-range and budget phones lack UWB

API: AndroidX Core UWB library

• Available since Android 12 (API 31)
• Controller/Controlee model for ranging sessions
• Provisioned STS (Scrambled Timestamp Sequence) for session security — more secure than static STS, supported on Android 14+
• RangingResult provides distance measurements with ~10cm accuracy

Key capabilities:

• Precise ranging (distance to ~10cm accuracy)
• Secure session establishment with per-session keys
• Available through Google Play Services (com.google.android.gms.nearby.uwb)
• Jetpack core-uwb library actively maintained (recent additions: RangingResultFailure for failure reporting)

Key references:

• Android UWB Developer Guide
• Android UWB AOSP
• Core UWB Jetpack Releases

UWB for Proximity Verification

UWB is uniquely valuable for our use case because:

1. Physics-based distance measurement: Time-of-flight cannot be spoofed without faster-than-light signal manipulation
2. Relay attack resistance: RTT-based distance bounding detects relay attacks that add latency
3. Centimeter accuracy: Can enforce strict proximity thresholds (e.g., "within 2 meters")
4. Complementary to BLE: Use BLE for discovery, UWB for proximity proof

Limitation: Not available on all devices. Must be optional enhancement, not requirement.

1.5 Google Nearby Connections API

Current status (2026):

• The Nearby Connections API remains available and documented
• Nearby Messages (a different product) was deprecated in December 2023 and was scheduled for full removal in December 2024, though the timeline was extended
• Nearby Connections continues to be maintained as of August 2025 documentation update
• Supports both Android and iOS (cross-platform)

Capabilities:

• Abstracts over BLE, WiFi Direct, WiFi Aware, and WiFi hotspot
• Three strategies: P2P_CLUSTER, P2P_STAR, P2P_POINT_TO_POINT
• Handles advertising, discovery, connection, and encrypted data exchange
• Automatic transport selection and upgrade (BLE for discovery, WiFi for bulk data)

Concerns for our use case:

• Play Services dependency: Requires Google Play Services. Does not work on degoogled Android (e.g., GrapheneOS, CalyxOS, LineageOS without GApps). This conflicts with the goal of not requiring any centralized dependency.
• Opaque protocol: Google controls the protocol internals. Cannot audit or customize the discovery/connection behavior.
• Deprecation risk: Google has a history of discontinuing APIs. The Nearby Messages shutdown demonstrates this risk.
• iOS limitations: iOS support exists but is more limited than Android.

Recommendation: Study Nearby Connections for protocol design inspiration, but do not depend on it. A custom protocol over raw BLE + WiFi Direct provides more control, wider device support, and no Google dependency.

Key references:

• Nearby Connections Overview
• Nearby API Home
• google/nearby on GitHub

1.6 Apple Nearby Interaction

Framework: NearbyInteraction (iOS 14+, macOS 12+, watchOS 8+)

What it enables:

• Distance and direction measurement to nearby Apple devices
• High-precision ranging via UWB (U1/U2 chips) with BLE fallback
• Returns NINearbyObject with distance (Float, meters) and direction (simd_float3)
• Session-based model: exchange NIDiscoveryToken out-of-band, then start ranging

Limitations:

• Apple-to-Apple only (or Apple-to-certified-UWB-accessory)
• No cross-platform support
• Privacy-conscious: discovery tokens are opaque, one-time-use
• Background operation limited — sessions may be paused when app is not in foreground

Relevance: Useful for Apple-to-Apple proximity verification as a secondary check, but cannot be the primary mechanism in a cross-platform app.

Key references:

• NearbyInteraction Framework

1.7 Apple Multipeer Connectivity / Network.framework

Multipeer Connectivity (MultipeerConnectivity.framework):

• Abstracts over BLE, WiFi, and peer-to-peer WiFi (AWDL)
• Automatic transport selection
• Built-in encryption option

Current status (2025-2026):

• Apple now recommends migrating to Network.framework with peer-to-peer WiFi for new projects
• Multipeer Connectivity stability issues reported on iOS 18+: connections only stable within ~2m in real environments
• Bluetooth-only mode (no WiFi) has been restricted since iOS 11
• iOS 26: AWDL (peer-to-peer WiFi) not available when cellular is active on some devices; requires WiFi infrastructure network

Network.framework alternative:

• Has opt-in peer-to-peer WiFi support
• More modern API, actively maintained
• Apple's recommended path forward

Key references:

• Multipeer Connectivity Documentation
• Network Framework

1.8 API Comparison Matrix

2. Security Concerns for Location-Based Features

2.1 BLE Relay Attacks

The threat: An adversary positions two relay devices — one near Alice, one near Bob — connected by an internet link. Alice's BLE advertisements are captured and replayed near Bob (and vice versa), making both devices believe they are physically close when they may be hundreds of miles apart.

NCC Group's 2022 demonstration showed this is practical: link-layer relay attacks bypass latency bounding AND link-layer encryption. The attack works because BLE's physical layer does not include time-of-flight measurements.

Why this matters for our app: If proximity is the trust anchor for establishing connections, relay attacks allow remote adversaries to forge the appearance of physical presence.

Mitigations (layered defense):

Recommended approach: Require NFC tap OR QR code scan (physical gesture) as the trust establishment step. Use BLE only for subsequent discovery of already-trusted contacts. Optionally use UWB for enhanced proximity verification on capable hardware.

The threat model for relay attacks in context of the full system is covered in Threat Model.

Key references:

• NCC Group: BLE Proximity Authentication Relay Attacks
• imec: Distance Bounding for Bluetooth
• Mitigating Relay Attacks with BLE and UWB (2025)

2.2 BLE Tracking and Fingerprinting

Even with MAC address randomization, BLE devices can be tracked through multiple side channels.

MAC address rotation:

• Standard mandates rotation every ~15 minutes
• Both iOS and Android implement this automatically for BLE advertisements
• However, rotation is NOT perfectly synchronized with other identifying data

Known fingerprinting vectors:

1. GATT profile fingerprinting: The Generic Attribute Profile exposes supported features and services. This profile can uniquely identify device models and sometimes individual devices, even across MAC rotations.

2. Clock drift / timing fingerprinting: Hardware clock skews create unique timing signatures that persist across MAC rotations.

3. RSSI-based fingerprinting: The RF characteristics of each transmitter create a unique signal strength pattern that can be used to link traces from the same device despite address randomization.

4. Token synchronization failures: On some platforms (notably Windows 10, and occasionally Apple devices), identifying tokens in advertisement payloads change out of sync with the MAC address rotation. During the brief window where the new MAC is paired with the old token (or vice versa), the device is linkable.

5. Advertisement payload analysis: Manufacturer-specific data, TX power levels, and supported service UUIDs can narrow device identity even without a stable MAC.

Mitigations for our app:

• Minimize advertisement content: Advertise only a rotating, opaque beacon ID. No device name, no model info, no stable service UUID.
• Synchronize rotation: Ensure our beacon ID rotates simultaneously with MAC address rotation.
• Encrypt beacon payload: Use a key derived from a daily rotating secret, so only known contacts can decode the beacon.
• Limit GATT exposure: Only expose GATT services after mutual authentication over an encrypted connection.
• Randomize TX power: Slight randomization of transmit power can reduce RSSI fingerprinting accuracy.

Key references:

• Argenox: BLE Security & Privacy 2025 Guide
• Tracking Anonymized Bluetooth Devices (PoPETS)
• BLE Tracker Security Analysis (2025)

2.3 Location Privacy Without GPS

Core principle: Proximity detection should determine "are we near each other?" without either device ever knowing or revealing its absolute geographic location.

Approaches that avoid GPS entirely:

1. BLE RSSI + connection: Detecting a BLE advertisement and connecting proves devices are within BLE range (~30m). No GPS needed. RSSI provides rough distance estimation.

2. UWB ranging: Provides precise relative distance (centimeters) without any absolute location. Pure physics-based measurement.

3. NFC tap: Physical contact (~10cm) is the strongest proximity proof possible, with zero location data involved.

4. BLE Channel Sounding (6.0): Centimeter-accurate relative distance without GPS.

What to avoid:

• Never request or store GPS coordinates
• Never use geofencing APIs (which require location permissions)
• Never use WiFi SSID-based location (which maps to geographic databases)
• Never embed location in any protocol message
• Disable all location-related permissions in manifest/entitlements

Residual risks:

• The OS itself may record BLE scan results for its own location services (see section 2.5)
• WiFi probe requests can reveal location history (see section 2.4)
• App store review may question why a "proximity" app does not request location permissions

2.4 Side-Channel Leaks

WiFi Probe Requests

When WiFi is enabled, devices periodically broadcast probe requests containing:

• Device MAC address (randomized on modern devices, but not always)
• SSIDs of previously connected networks (on older devices and some configurations)

Research findings:

• ~25% of probe requests contain SSIDs of previously-connected networks
• SSIDs can reveal home addresses, workplaces, and visited locations
• Over 41% of Android devices run version 12 or below (as of January 2025), making many devices vulnerable
• Probe requests can be used to trilaterate device location with ~1.5m accuracy

Mitigation: Our app cannot control WiFi probe behavior, but we should:

• Document the risk for users
• Recommend disabling WiFi when not needed
• Never use WiFi scanning as a proximity signal (only WiFi Direct for data transfer after trust established)

BLE Scan Results Leaking to Other Apps

A 2025 study of 52 wireless-scanning SDKs on Android revealed:

• SDKs piggyback on permissions granted to the host app for secondary purposes
• 86% of analyzed apps collect sensitive data including device identifiers, GPS, and WiFi scan results
• SDKs perform "ID bridging" — linking Android Advertising IDs with WiFi MAC addresses for persistent cross-reset tracking
• Methods exist to bypass OS restrictions using legacy APIs or side channels

Mitigation: Our app should:

• Request only the minimum permissions needed
• Use neverForLocation=true on BLUETOOTH_SCAN permission to signal we don't use BLE for location
• Warn users about the risks of other apps on their device

Key references:

• WiFi Probe Requests Expose User Data (SecurityWeek)
• Your Signal, Their Data: Wireless-scanning SDKs in Android (2025)

2.5 Platform-Level Surveillance

Both iOS and Android use BLE and WiFi scan data at the OS level for location services, independent of any app's behavior.

Apple:

• Uses BLE beacon observations, WiFi access point scans, and device-to-device ranging for its location services
• AirTag / Find My network performs continuous BLE scanning across all iPhones
• Apple collects crowdsourced WiFi and BLE data to build location databases
• Even with Location Services disabled, some system-level scanning continues

Android / Google:

• Google Play Services collects WiFi and BLE scan data for Google Location Services
• "WiFi and Bluetooth scanning" toggle (separate from WiFi/BLE on/off) allows scanning even when WiFi/BLE appear disabled
• Scanned data is sent to Google to improve location accuracy
• On devices without Google Play Services (GrapheneOS, etc.), this collection does not occur

Implications for our app:

• Even if our app never touches location data, the OS may correlate BLE activity with geographic location
• A sophisticated adversary with access to Apple/Google's location databases could potentially determine where and when our app's BLE beacons were detected by other devices
• This is a fundamental platform-level risk that cannot be fully mitigated at the app level

Mitigation strategies:

• Support and recommend degoogled Android (GrapheneOS, CalyxOS) for highest-threat users
• Recommend disabling "WiFi and Bluetooth scanning" in Android settings
• Document this risk transparently for users
• The offline-only architecture minimizes exposure: no data leaves the device over the internet

2.6 Wormhole Attacks in Mesh/Proximity Networks

The threat: In a BLE mesh or proximity network, two colluding adversaries create a "tunnel" (wormhole) between distant parts of the network. They capture packets in one location and replay them in another, making distant nodes appear to be neighbors.

How it applies to our app: If our app supports multi-hop message forwarding (e.g., Alice passes a message to Bob, who passes it to Carol), wormhole attacks could:

• Disrupt routing by attracting traffic through the wormhole
• Make distant users appear to be in proximity
• Compromise the "physical meeting" guarantee if discovery relies on BLE mesh

Mitigation approaches:

1. No multi-hop routing: The simplest defense. Our app's BLE discovery should be direct (single-hop) only. Messages are only exchanged between devices that are directly in BLE range. No mesh forwarding.

2. Distance bounding per hop: If multi-hop is ever needed, each hop must include a distance bounding check (UWB or BLE Channel Sounding) to verify physical proximity.

3. Statistical detection: Monitor for anomalous neighbor counts or connectivity patterns that suggest wormhole presence.

4. Trust-based routing: Only forward messages through authenticated contacts, not arbitrary nearby devices.

Recommendation: Avoid mesh networking entirely for discovery and trust establishment. Use direct BLE connections only. If store-and-forward is needed for message delivery between contacts, it should be contact-to-contact only (not mesh).

2.7 MITM on Initial Key Exchange

The threat: During the NFC tap or QR code scan that establishes a new contact, a man-in-the-middle could intercept and replace the public keys being exchanged.

NFC MITM feasibility:

• Theoretical MITM on NFC is possible because the standard lacks built-in device authentication
• However, practical NFC MITM is extremely difficult: requires attacker hardware within ~3cm of both devices simultaneously, with equipment that is large and conspicuous
• For our use case (two people deliberately tapping phones together), NFC MITM is effectively infeasible in practice

QR code MITM feasibility:

• QR code displayed on screen could be photographed or relayed (screen sharing, shoulder surfing)
• A compromised device could display a manipulated QR code
• More feasible than NFC MITM, but still requires physical proximity to the exchange

Mitigations:

1. Short Authentication String (SAS): After key exchange, both devices compute and display a short verification code (e.g., 6-digit number or emoji sequence). Users verbally confirm the code matches. This detects any key substitution.

2. Mutual exchange: Both devices exchange keys simultaneously (or sequentially), and both verify. A MITM must substitute keys in both directions and produce matching SAS on both devices — computationally infeasible.

3. NFC as primary: Prefer NFC for key exchange where available. The ~10cm range is a strong physical constraint that makes MITM impractical.

4. Post-exchange verification: After initial key exchange, the first BLE-authenticated reconnection serves as an implicit confirmation that the correct keys were exchanged.

Key references:

• MITM Prevention in NFC via Out-of-Band Key Exchange (Texas A&M)
• NFC Security Vulnerabilities (Cossack Labs)

3. Privacy-Preserving Proximity Protocols

3.1 Private Set Intersection (PSI) for Contact Discovery

What it is: PSI allows two parties to compute the intersection of their private sets without revealing any elements not in the intersection. For contact discovery, this means: "which of my contacts are also your contacts?" without either party revealing their full contact list.

Relevance to our app: If we ever implement a "discover mutual friends" feature or a way to check if a nearby stranger is a friend-of-a-friend, PSI could enable this without revealing the full social graph.

State of the art (2025):

• Updatable PSI: New research allows PSI over incrementally updated sets, avoiding recomputation over entire contact lists when contacts change. Uses a small number of PSIs over smaller sets instead of one PSI over the entire updated set.
• Laconic Updatable PSI: Eliminates the need for a trusted third party, achieves constant communication from receiver to sender and linear from sender to receiver, and partially hides set sizes.
• Unbalanced PSI: Optimized for scenarios where one set is much larger (server) and one is small (client) — less relevant for P2P, but useful if a relay/room server ever needs to perform contact matching.

Practical considerations:

• PSI is computationally expensive for large sets on mobile devices
• For our offline-first model, PSI would run locally between two BLE-connected devices
• Sets would be small (personal contact lists, not server-scale databases)
• Oblivious Transfer (OT) based PSI protocols are most practical for mobile: well-studied, reasonable performance

Key references:

• Updatable PSI (ePrint 2025/2147)
• Unbalanced PSI (PoPETS 2025)

3.2 Distance Bounding Protocols

What they are: Cryptographic protocols that allow a verifier to establish an upper bound on the physical distance to a prover. They work by measuring the round-trip time of cryptographic challenge-response exchanges, where the speed of light provides an unforgeable physical constraint.

Bluetooth Channel Sounding (BLE Core 6.0):

The most significant development for BLE distance bounding is Channel Sounding, introduced in the Bluetooth Core 6.0 specification (September 2024):

• Phase-Based Ranging (PBR): Uses the phase of RF signals across multiple frequencies to calculate distance with centimeter-level precision
• Round-Trip Time (RTT): Secondary ranging method that measures time-of-flight of cryptographically scrambled packets. Acts as a secure distance bounding countermeasure against relay attacks.
• Security model: RTT uses cryptographic scrambling so an attacker cannot predict or pre-compute responses. Any relay adds latency that is detectable.
• Accuracy: Sub-meter to centimeter-level
• Range: Up to ~150m

Hardware availability timeline:

• Chips and modules: Available from Nordic (nRF54L, nRF54H series), Silicon Labs, and others as of 2025
• Smartphones: A small number of flagship phones in 2025; broader adoption expected in 2026 product lines
• Mass consumer adoption: Estimated CES 2026 announcements and beyond

UWB distance bounding:

• Already available on flagship phones (iPhone 11+, Pixel 6 Pro+, Samsung S21 Ultra+)
• Time-of-flight measurement at ~10cm accuracy
• Built-in secure ranging with session keys (Provisioned STS on Android 14+)
• Used commercially for car keys, door locks, and Find My-type features

For our app: BLE Channel Sounding will eventually provide distance bounding natively in BLE. Until hardware is ubiquitous, UWB provides the same capability on flagships. For other devices, NFC proximity (~10cm touch) remains the strongest physical proximity proof.

Key references:

• Bluetooth Channel Sounding Overview
• Bluetooth Core 6.0 Feature Overview
• Secure Distance Bounding for Bluetooth (Bluetooth SIG)
• imec: Bluetooth Channel Sounding Distance Measurement

3.3 BLE 5.1 Direction Finding (AoA / AoD)

What it is: Bluetooth 5.1 introduced direction finding using Angle of Arrival (AoA) and Angle of Departure (AoD). Rather than measuring only signal strength (RSSI), these techniques use the phase of the received signal across multiple antennas to estimate the direction of a transmitter.

AoA (Angle of Arrival):

• Transmitter uses a single antenna
• Receiver uses an antenna array
• Receiver calculates signal direction from phase differences across antenna elements

AoD (Angle of Departure):

• Transmitter uses an antenna array, cycling through elements
• Receiver (single antenna) measures phase shifts to compute direction

Relevance to proximity verification:

• Provides directional information in addition to distance estimation
• Could verify that a device is not only nearby but in a specific physical direction (e.g., "in front of me")
• Better accuracy than RSSI alone for distance estimation

Security vulnerabilities:

• Attackers can modify the phase of the Constant Tone Extension (CTE) during transmission to artificially alter the detected angle
• This means AoA/AoD can be spoofed by a sophisticated attacker with a custom transmitter
• Direction finding is NOT a replacement for secure distance bounding

Hardware requirements:

• Requires multi-antenna arrays, which smartphones do not typically have
• Primarily deployed in fixed infrastructure (locators in warehouses, hospitals, retail)
• Not practical as a phone-to-phone proximity verification mechanism

Assessment: AoA/AoD is not suitable as a primary proximity verification mechanism for phone-to-phone scenarios due to hardware requirements and spoofability. However, it could enhance location accuracy in infrastructure-supported scenarios.

Key references:

• Bluetooth Direction Finding (Nordic Semi)
• Bluetooth.com: Direction Finding
• BLE 5.1 Direction Finding Security Analysis (PMC)

3.4 Private Proximity Testing

What it is: Cryptographic protocols that let two devices determine if they are "near" each other without revealing their actual locations to each other or any third party.

Foundational work (Narayanan, Thiagarajan, Lakhani, Hamburg, Boneh — Stanford):

• Proposed protocols where two parties can test proximity without revealing location
• Uses location tags generated from the physical environment (e.g., visible WiFi networks, BLE beacons) rather than GPS
• Privacy property: If parties are NOT near each other, neither learns anything about the other's location

Protocol approaches:

1. Location-tag-based: Devices observe ambient signals (WiFi SSIDs, BLE beacons) to create a "location tag." Proximity testing checks similarity of location tags without revealing them. Uses techniques like oblivious transfer or homomorphic encryption.

2. Napping party extensions: Protocols allowing one party to go offline during proximity testing — relevant for asynchronous scenarios (e.g., checking if someone was nearby earlier).

3. GSM/cellular-based location sketches: Uses cellular network observations as location tags. More reliable coverage than WiFi/BLE in some environments.

Applicability to our app:

Private proximity testing is a fascinating research area but may be overengineered for our specific use case:

• Our app uses direct BLE communication — if two devices can exchange BLE packets, they are definitionally nearby
• We don't need to "test" proximity without revealing location; we prove proximity by the existence of a direct radio link
• These protocols are more relevant for server-assisted scenarios (e.g., a dating app asking "is anyone I know nearby?" without revealing locations to the server)

Where it could be useful: If we ever implement a "check if any friends are nearby without broadcasting" feature, PSI-like protocols combined with private proximity testing could enable this in a privacy-preserving way.

Key references:

• Location Privacy via Private Proximity Testing (Stanford)
• Where are you Bob? Privacy-Preserving Proximity Testing with a Napping Party
• Efficient Private Proximity Testing with GSM Location Sketches

4. Regulatory and Legal Considerations

4.1 GDPR and BLE Scanning

Is a BLE advertisement "personal data" under GDPR?

Yes, in most cases. The GDPR defines personal data broadly as any information relating to an identified or identifiable natural person. BLE advertisements can constitute personal data when they contain:

• Device MAC addresses (even randomized ones, if they can be linked to a device over a rotation period)
• Service UUIDs that are unique to an app installation
• Any payload data that could identify a user

Key GDPR principles for BLE-based apps:

1. Data minimization (Art. 5(1)(c)): Collect only the BLE data strictly necessary. Do not log or store scan results beyond what is needed for the immediate operation.

2. Purpose limitation (Art. 5(1)(b)): BLE scan data collected for proximity discovery must not be repurposed for tracking, analytics, or advertising.

3. Consent (Art. 6/Art. 7): If BLE scanning collects personal data, a lawful basis is required. For our app, "consent" (user explicitly enables proximity discovery) or "legitimate interest" (core app function) could apply.

4. Transparency (Art. 13/14): Users must be informed about what BLE data is collected, how it is processed, and for what purpose.

ePrivacy Directive (still in force as of 2026):

• The ePrivacy Regulation proposal was withdrawn by the European Commission in February 2025
• The existing ePrivacy Directive continues to apply
• Article 5(3) covers tracking techniques including BLE beacons
• EDPB guidelines clarify that the Directive covers new and emerging tracking techniques
• Consent is required unless the processing is "strictly necessary" for the service requested by the user

Our app's favorable position:

• We never transmit BLE data over the internet (offline-first)
• We never store BLE scan results beyond the immediate discovery session
• We use rotating, unlinkable identifiers
• The user explicitly opts into proximity discovery
• No server ever receives BLE data

4.2 Apple/Google App Store Policies

Apple App Store (2025-2026)

BLE-related requirements:

• Must declare bluetooth-central and/or bluetooth-peripheral in UIBackgroundModes if using BLE in background
• Must provide clear explanation in App Review notes for why background BLE is needed
• Privacy Nutrition Labels must accurately disclose Bluetooth data usage
• Apps requesting Bluetooth access must explain the purpose in the permission dialog string (NSBluetoothAlwaysUsageDescription)

Privacy policy requirements (iOS 18+):

• Apps must provide Privacy Nutrition Labels detailing all data collected
• Apple's App Tracking Transparency (ATT) framework applies if BLE data could be used for tracking across apps/websites (not applicable to our use case since we don't track)
• Apps must not use BLE or WiFi to fingerprint devices for advertising purposes

Potential review concerns for our app:

• Apple may question why a "social" app does not require account creation or phone number verification
• Background BLE usage requires strong justification
• Encrypted communications may face scrutiny depending on jurisdiction

Google Play Store (2025-2026)

Permission-related policies:

• Must comply with Android's tiered permission model (BLUETOOTH_SCAN, BLUETOOTH_CONNECT, BLUETOOTH_ADVERTISE)
• Must declare NEARBY_WIFI_DEVICES instead of location permissions for WiFi P2P (Android 13+)
• Foreground service declarations must match actual usage (connectedDevice type)
• Target API level requirements: Android 14+ (API 34) required for new apps as of 2025

Privacy requirements:

• Data Safety section must accurately describe Bluetooth data practices
• Must provide a privacy policy accessible from the store listing
• Apps collecting BLE scan data must disclose this in Data Safety

App Store Accountability Acts (effective January 1, 2026):

• New US state laws require app stores and developers to adopt Apple/Google APIs for age verification and parental consent
• May affect apps that allow unverified anonymous connections
• Our app's anonymous-by-default model may need careful positioning relative to these laws

4.3 Proximity-Specific Regulations

Contact tracing precedent:

• During COVID-19, many jurisdictions created specific regulations for proximity-based apps
• EDPB adopted guidelines on location data and contact tracing apps (Guidelines 04/2020)
• Key principle: proximity data should be processed on-device, not centralized
• Our app's fully decentralized architecture aligns well with these principles

Lawful intercept obligations:

• Many jurisdictions require telecommunications providers to support lawful interception
• Our app is not a telecommunications service in the traditional sense
• The "structural" argument (we cannot intercept because no server exists) is the strongest legal position
• However, some jurisdictions are expanding interception requirements to cover messaging apps (e.g., EU's proposed Chat Control regulation)

Export controls:

• Strong encryption in apps may be subject to export control regulations (US EAR, Wassenaar Arrangement)
• Apps using standard encryption (AES, Signal Protocol) generally qualify for License Exception ENC
• Must file an annual self-classification report with the US Bureau of Industry and Security (BIS) if distributing via US app stores
• Post-quantum cryptography (ML-KEM/Kyber) is increasingly common and should not pose additional export issues

5. Key Takeaways and Recommendations

Recommended Technology Stack for Proximity

Trust Establishment (one-time, in person):
  Primary:   NFC (Android-Android) or QR Code (universal)
  Secondary: UWB proximity proof (where available)

Ongoing Discovery (background, automatic):
  Primary:   BLE with rotating beacons
  Future:    BLE Channel Sounding (when hardware available)

Data Transfer (after trust established):
  Small data: BLE GATT
  Bulk data:  Wi-Fi Direct / Wi-Fi Aware

Proximity Verification (optional enhancement):
  Primary:   UWB ranging (iPhone 11+, Pixel 6 Pro+)
  Future:    BLE Channel Sounding (BLE 6.0)
  Fallback:  RSSI threshold (weak, supplementary only)

Critical Security Principles

1. Never rely on BLE alone for proximity proof. BLE relay attacks are demonstrated and practical. Always require a physical gesture (NFC tap, QR scan) for trust establishment.

2. BLE is for discovery, not authentication. Use BLE to detect that a known contact is nearby, then authenticate using pre-shared cryptographic keys.

3. Minimize all broadcast data. BLE advertisements should contain only a rotating, encrypted beacon ID. Zero identifying information.

4. Defense in depth for proximity: NFC/QR (physical) + BLE (discovery) + UWB/Channel Sounding (distance verification where available).

5. No GPS, ever. Proximity is determined by direct radio link existence, not geographic coordinates.

Platform-Specific Strategy

Android: Full-featured implementation possible. HCE for NFC, full BLE scanning/advertising, Wi-Fi Aware, UWB on flagships. Main challenge: background scanning restrictions require careful foreground service management.

iOS: More constrained. No NFC P2P (use QR code or one-way NFC read). Significant background BLE limitations (especially iPhone 17+). Use CoreLocation iBeacon monitoring as workaround for background detection. UWB available via NearbyInteraction. Apple's Multipeer Connectivity / Network.framework available but Apple-only and opaque.

Regulatory Position

Our app's privacy-by-design architecture is well-aligned with GDPR, ePrivacy, and data protection principles:

• No personal data collected or transmitted
• No server-side processing
• On-device only
• User-initiated proximity discovery
• Rotating, unlinkable identifiers

The primary regulatory risk is around lawful intercept obligations and the trend toward requiring backdoors in encrypted communications.

References

Platform Documentation

• Android BLE Overview
• Android BLE Background Communication
• Android Bluetooth Permissions
• Android NFC HCE
• Android Wi-Fi Aware
• Android UWB
• Apple CoreBluetooth
• Apple Core NFC
• Apple NearbyInteraction
• Apple Multipeer Connectivity
• Apple NFC & SE Platform
• Google Nearby Connections

Bluetooth Specifications

• Bluetooth Core 6.0 Feature Overview
• Bluetooth Channel Sounding
• Bluetooth Direction Finding
• Secure Distance Bounding for Bluetooth (Bluetooth SIG)

Security Research

• NCC Group: BLE Relay Attacks
• Argenox: BLE Security & Privacy 2025 Guide
• Tracking Anonymized Bluetooth Devices (PoPETS)
• Your Signal, Their Data: Wireless-scanning SDKs (2025)
• Mitigating Relay Attacks with BLE and UWB (2025)
• BLE Tracker Security (2025)
• imec: Distance Bounding for Bluetooth

Privacy-Preserving Protocols

• Location Privacy via Private Proximity Testing (Stanford)
• Private Proximity Testing with Napping Party
• Updatable PSI (ePrint 2025)
• Unbalanced PSI (PoPETS 2025)
• GSM Location Sketches for Private Proximity

Regulatory

• ePrivacy Regulation Withdrawal (CMS, Feb 2025)
• EDPB Guidelines on Tracking Techniques (ePrivacy Directive)
• EDPB Guidelines on Contact Tracing
• App Store Accountability Acts (2026)