Proximity Networking Technologies

This section covers the physical-layer technologies that enable device-to-device communication without internet infrastructure.

Bluetooth Low Energy (BLE)

BLE is the most promising transport for proximity discovery and short-range communication on modern smartphones.

How BLE discovery works:

Advertising: A device broadcasts small packets (up to 31 bytes, or 255 bytes with extended advertising in BLE 5.0) at configurable intervals
Scanning: Nearby devices listen for advertisements and filter by service UUIDs
Connection: A "central" device initiates a connection to a "peripheral"
GATT exchange: Connected devices read/write data through the Generic Attribute Profile

Key specifications:

Range: 10–100m typical (up to 240m in open air with BLE 5.0). Walls and obstacles reduce this significantly — realistic indoor range is 10–30m
Bandwidth: ~1 Mbps (BLE 5.0), lower for BLE 4.x. Sufficient for text/small data, not for large media
Power: Designed for low power. Advertising at 1-second intervals uses minimal battery
Latency: Connection setup takes 1–3 seconds. Data exchange is near-instant once connected

Privacy considerations for BLE:

MAC address rotation: Modern BLE devices rotate their MAC address to prevent tracking. Both iOS and Android do this automatically
Advertisement content: Must be carefully designed to avoid leaking identity. Use randomized service UUIDs or encrypted advertisement payloads
Relay attacks: An adversary could relay BLE advertisements over the internet to fake proximity. Mitigate with challenge-response over the BLE connection and/or requiring NFC tap (which is hard to relay due to ~10cm range)

For a detailed security threat analysis of BLE relay attacks, fingerprinting, and platform surveillance, see Location APIs & Security.

Platform APIs:

Android: BluetoothLeAdvertiser + BluetoothLeScanner for discovery, BluetoothGatt for data exchange
iOS: CoreBluetooth framework — CBPeripheralManager for advertising, CBCentralManager for scanning. Major limitation: iOS heavily restricts background BLE — apps can advertise in background but with reduced duty cycle and stripped advertisement data

Privacy-enhanced BLE discovery pattern:

1. Device advertises a rotating, unlinkable beacon ID
2. Nearby device scans and detects the beacon
3. Devices establish BLE connection
4. Over the connection, devices perform a cryptographic handshake:
   - If they are existing contacts: mutual authentication using stored keys
   - If they are strangers: exchange ephemeral public keys for initial contact
5. Authenticated contacts proceed to message sync
6. Strangers see each other as "someone nearby" — no identity revealed until deliberate introduction

NFC (Near Field Communication)

NFC is ideal for the initial trust establishment moment — the "tap to connect" gesture.

How it works:

Range: ~4–10cm — essentially requires devices to touch
Modes: Reader/Writer, Card Emulation, and Peer-to-Peer (P2P)
P2P data exchange: Uses SNEP (Simple NDEF Exchange Protocol) to transfer structured data
Speed: 106–424 kbps. More than enough for key exchange
Connection time: Milliseconds — feels instant

What to exchange via NFC tap:

NDEF Record:
  - Application ID (to launch the app if not running)
  - Ed25519 public key (32 bytes)
  - Ephemeral Diffie-Hellman public key (32 bytes)
  - Optional: user-chosen display name (encrypted to recipient)
  - HMAC for integrity verification
Total: ~150 bytes — well within NFC capacity

Privacy strengths:

The ~10cm range makes relay attacks extremely difficult (attacker would need physical access)
No network traffic generated — purely local
The tap is a deliberate physical action — strong signal of consent
No tracking possible (no broadcast, no advertisement)

Limitations:

Android: Full NFC P2P support (Android Beam was deprecated but Host-based Card Emulation and NDEF push still work)
iOS: Limited NFC — can read NDEF tags but P2P is restricted. Workaround: one device writes, other reads via HCE (Host Card Emulation) pattern
Not all devices have NFC: Fallback to QR code scanning is essential

NFC vs QR code for trust establishment:

	NFC Tap	QR Code Scan
Range	~10cm (touch)	~0.5–2m (visual)
Speed	Instant	2–5 seconds
Both devices active?	Yes (P2P) or one passive (HCE)	One displays, one scans
Relay attack resistance	Excellent (range too short)	Moderate (screen could be relayed)
Device support	Most Android, limited iOS	Universal (camera + screen)
User gesture	Natural (tap)	Slightly awkward (point camera)

Recommendation: Support both. NFC as primary on Android, QR code as universal fallback.

WiFi Direct / Wi-Fi Aware

Higher-bandwidth alternative to BLE for when devices need to exchange larger amounts of data.

WiFi Direct:

Creates a P2P WiFi connection without an access point
One device acts as a "Group Owner" (soft AP), the other connects
Range: ~100m (similar to normal WiFi)
Bandwidth: Full WiFi speeds (50+ Mbps)
Limitation: The group owner's device info can leak. Connection setup is visible to nearby WiFi-aware devices

Wi-Fi Aware (Neighbor Awareness Networking / NAN):

Designed specifically for proximity discovery + P2P connections
Devices discover each other without connecting to any network
Lower power than WiFi Direct — can run as background service
Android: Supported from Android 8.0+ on capable hardware
iOS: Uses proprietary AWDL (Apple Wireless Direct Link) internally but does not expose Wi-Fi Aware APIs. AWDL powers AirDrop and is accessible indirectly via Multipeer Connectivity

Privacy concerns with WiFi:

WiFi probe requests can leak device identity (MAC address, SSIDs)
WiFi Direct group formation exposes device names
Better suited as a data transfer layer after trust is established, not for discovery

Platform Frameworks

Apple Multipeer Connectivity (iOS/macOS):

Abstracts over WiFi, BLE, and peer-to-peer WiFi
Automatic transport selection — uses whatever's available
Built-in encryption option
Limitation: Apple-only. Opaque protocol (not interoperable). Background restrictions on iOS

Google Nearby Connections (Android):

Abstracts over BLE, WiFi Direct, WiFi Aware, and WiFi hotspot
Supports advertising, discovery, and P2P data exchange
Three connection strategies: P2P_CLUSTER, P2P_STAR, P2P_POINT_TO_POINT
Limitation: Primarily Android. Requires Google Play Services

For a cross-platform, privacy-first app: These platform frameworks are useful references but cannot be relied on directly. A custom protocol over BLE (with WiFi Direct escalation for bulk data) provides the most control and cross-platform reach.

Local File Transfer: UX Precedents

A growing ecosystem of privacy-respecting local network file sharing tools demonstrates that users accept — and prefer — proximity-based transfer when the UX is right. These are not messaging protocols, but they validate our transport model and offer implementation lessons.

LocalSend

localsend.org · GitHub

Open-source AirDrop alternative using REST API over HTTPS on local WiFi. Devices discover each other via UDP multicast. No internet required, no accounts, no cloud.

Discovery: UDP multicast on the local subnet — instant, no pairing required
Transport: HTTPS with self-signed certificates, fingerprint-verified on first use
Platforms: Android, iOS, Windows, macOS, Linux
Privacy: No registration, no cloud, no telemetry. Data stays on the local network
Lesson: Clean trust model — TLS fingerprint shown to user for manual verification (analogous to our QR key exchange). The "announce then verify" pattern maps directly to our BLE discovery flow.

PairDrop

pairdrop.net · GitHub

Browser-based AirDrop-style file sharing using WebRTC for P2P transfer and WebSockets for signaling. Improved fork of Snapdrop. Works over local WiFi or temporarily paired rooms.

Discovery: Devices on the same network see each other automatically in the browser
Transport: WebRTC (P2P after signaling)
Privacy: No login, no server-side storage. Self-hostable signaling server
Lesson: Proves that zero-friction proximity pairing (open a webpage, see nearby devices) is the UX benchmark users expect. Our app should feel this fast.

Magic Wormhole

magic-wormhole.io · GitHub

CLI tool for securely transferring files between any two computers using a short human-readable code ("7-crossbow-clockwork"). Uses PAKE (Password-Authenticated Key Exchange) to establish a shared secret from the code, then encrypts the transfer with NaCl.

Protocol: SPAKE2 (PAKE) for key exchange from a short code; NaCl secretbox encryption
Lesson: PAKE for in-person key exchange is a compelling alternative to QR codes — two people verbally agree on a short code, and cryptography does the rest. No cameras needed. We should evaluate PAKE as a fallback trust establishment mechanism (e.g., for users who can't scan QR codes).

OnionShare

onionshare.org · GitHub

Tor-based file sharing and chat tool. Creates a Tor hidden service to host files; recipients access via .onion address. Strong anonymity and censorship resistance.

Privacy: Sender and receiver are both anonymous; the .onion address is the only shared secret
Lesson: Demonstrates how our optional online relay mode (Tor) can support anonymous file/message delivery without a central server. OnionShare's model of ephemeral hidden services is directly applicable to our optional internet mode.

croc

schollz.com/tinker/croc · GitHub

Command-line tool for encrypted P2P file transfer using a relay for NAT traversal. Uses PAKE for key agreement (same concept as Magic Wormhole but different relay model).

Lesson: Shows how a relay server can facilitate P2P connections without reading the content — the relay is used purely for NAT traversal; all data is E2E encrypted between peers. This maps to our optional internet relay model.

Proximity Transfer Pattern Summary

All these tools converge on the same architecture our proximity layer needs:

1. Discovery   — UDP multicast / BLE advertising / user shares code
2. Pairing     — fingerprint verification / QR scan / PAKE code exchange
3. Channel     — encrypted P2P (WebRTC / BLE GATT / TLS-pinned HTTP)
4. Transfer    — data exchange
5. Termination — ephemeral session, no persistent server state

The UX innovations most relevant to our app:

LocalSend's fingerprint trust → maps to our NFC tap (device fingerprints exchanged)
PairDrop's "open app, see people" → maps to our BLE passive discovery screen
Magic Wormhole's PAKE → fallback for users without camera/NFC
OnionShare's ephemeral .onion → our optional Tor online mode

Recommended Transport Stack

┌─────────────────────────────────────────────┐
│            Application Layer                 │
│  (message sync, feed replication, UI)        │
├─────────────────────────────────────────────┤
│         Transport Abstraction Layer          │
│  (unified API regardless of physical layer)  │
├──────────┬──────────┬──────────┬────────────┤
│   NFC    │   BLE    │  WiFi    │   Tor      │
│  (trust  │ (discovery│ Direct  │  (optional │
│   est.)  │  + sync) │ (bulk)  │   online)  │
└──────────┴──────────┴──────────┴────────────┘

Priority (offline-first):
  1. NFC → initial key exchange (tap to connect)
  2. BLE → discovery + lightweight message sync
  3. WiFi Direct → bulk data transfer when needed
  4. Tor → optional online relay (user must opt in)

For platform-specific API details and background scanning restrictions, see Location APIs & Security.

Updates (2025–2026)

Bluetooth 6.0: Channel Sounding Adds Relay-Attack-Resistant Ranging

Bluetooth Core 6.0 (released September 2024, devices shipping 2025) introduced Channel Sounding, a standardised sub-metre ranging mechanism using Phase-Based Ranging (PBR) and Round-Trip Timing (RTT). The RTT component is specifically designed to resist relay attacks: randomised transmission patterns (seeded by a DRBG) force attackers to process signals in real time, while an on-device attack-detector provides likelihood metrics to the application layer. Accuracy is ±20 cm in early implementations, effective range reaches ~150 m at max power.

Design impact: Channel Sounding provides a cryptographic complement to NFC for verifying physical proximity during BLE connection establishment — a stronger relay-attack mitigation than RSSI alone. The Pixel Watch 3 was among the first widely-reported devices to expose Channel Sounding capability (June 2025); broad Android handset support is still emerging.

Bluetooth 6.1: Randomised RPA Timing Closes MAC Rotation Correlation Window

Bluetooth 6.1 (released May 7, 2025) introduced one focused change: Randomised Resolvable Private Address (RPA) Updates. Previously, RPAs rotated on a fixed 15-minute timer, creating a predictable correlation window enabling long-term device tracking. 6.1 offloads RPA generation to the Bluetooth controller, randomising the rotation interval between 8–15 minutes (configurable 1 s–1 hr), eliminating the timing side-channel without waking the host CPU. No silicon vendors have announced 6.1-capable chips yet; realistically the first hardware will not ship before 2026. Our transport stack should design for 6.1 behaviour but not depend on it.

NFC Forum Release 15: Extended Operating Range

NFC Release 15 (announced June 2025, certification programme launched October 2025) extends the NFC operating volume from 0.5 cm to 2 cm. The tap-to-connect gesture remains highly relay-attack-resistant (2 cm is still essentially touch-range), but the change may affect UX assumptions around accidental activation in crowded spaces.

Apple Wi-Fi Aware Framework (iOS 26 / WWDC 2025)

⚠ Contradicts existing content: The existing page states "iOS does not expose Wi-Fi Aware APIs." Apple announced a first-party Wi-Fi Aware framework at WWDC 2025, shipping with iOS 26. The framework exposes the Wi-Fi Alliance NAN standard for peer-to-peer discovery and direct connections without an access point, using DeviceDiscoveryUI, AccessorySetupKit, and the Network framework. Connections operate simultaneously alongside the device's existing Wi-Fi network and are authenticated and encrypted at the Wi-Fi layer.

Cross-platform caveat: iOS 26 ↔ Android Wi-Fi Aware interoperability requires Wi-Fi Aware Specification v4.0 pairing support on the Android side. As of mid-2025, only the Samsung Galaxy S25 is confirmed compatible; Pixel 9 and Xiaomi 14 series are not. Wi-Fi Aware is a strong future transport candidate for iOS-to-iOS bulk data sync once install base reaches iPhone 12+ saturation, but BLE must remain the universal discovery layer in the near term.

Apple Network Framework Supersedes Multipeer Connectivity

Apple's developer support team now explicitly recommends migrating from Multipeer Connectivity to Network framework, citing unfixed bugs, no Swift concurrency support, poor throughput, lack of flow control, and mandatory P2P Wi-Fi activation. The replacement path uses NWBrowser + NWListener for Bonjour-based peer discovery and WebSocket/QUIC for transport, with TLS-PSK as the recommended security model for P2P environments without PKI infrastructure. Multipeer Connectivity should be treated as a temporary measure rather than a long-term API choice.

LocalSend v1.17.0: Security Fix and Interface Filtering

LocalSend v1.17.0 (February 2025) patched a path traversal vulnerability and added network interface filtering — relevant to multi-homed devices where isolating discovery to a specific interface (e.g., a BLE-tethered subnet) is desirable. A forthcoming WebRTC-based transport layer was flagged as in progress, which would allow direct P2P connections through NAT without a relay.

USENIX Security 2025: BLE Proximity Tracking Vulnerabilities

A 2025 USENIX Security paper reverse-engineered Apple Find My and Samsung Find My Mobile, uncovering seven new vulnerabilities — four assigned CVE/SVE identifiers, three rated high severity. The vulnerabilities involve identifier correlation across the advertisement and application layers, showing that MAC rotation alone is insufficient when higher-layer identifiers remain stable. This reinforces the existing guidance that advertisement content must use rotating, unlinkable identifiers throughout the stack, not just at the MAC layer.