Android 3.0 Gotchas

The mobile apps (iOS / Android) and the web interface (UI3) provides remote access to cameras for users.
Post Reply
varghesesa
Posts: 90
Joined: Thu Jul 11, 2019 9:52 pm

Android 3.0 Gotchas

Post by varghesesa »

Introduction
This article is from BI support in order get known issues and fixes to the community as soon as possible.

We did a complete refresh of the Android app on Feb. 12, 2021, starting with version 3.0.14. We appreciate all feedback and are vigilant in incorporating the feedback and bug fixes into the product asap.

Never a bad idea to reset the phone and the app: delete data, cache, reinstall the app and see if functionality returns or issues goes away.



Known Issues

Override Do not Disturb for BI app notifications.
Some users prefer to have their Do Not Disturb (DnD) settings overridden by the BI app, i.e. if a BI alert happens late at night, users still want to be notified.

The Android settings that allow you to override DnD will only apply to the "default" notification sound. We cannot support it when using custom notification sounds, as each notification category can only have one custom sound, where our system allows multiple custom sounds. This is a limitation of Android.

Users that need to override DnD should use the default notification sound.


Geofencing

Below is a list of settings that may or may not apply to your phone that could affect geo-fencing accuracy.
  • Make sure battery optimization is off.
  • WiFi must be turned on. It may seem weird, but the low power location management that Geofencing uses is actually primarily based off distances from WiFi signals.
  • Go to your device's Settings, navigate to your Location Settings. Make sure that your phone's Location is turned on and also in High Accuracy Mode.
  • Make sure that your device has given the app Location Permission (on Android 10 and higher, you will need to give location permission "All the time")
  • Newer devices put applications to sleep if they haven't been opened in a while. It is difficult to determine if your device has a setting for this or not. You will have to look through your phone settings to see. For example, the latest Samsung devices use the Smart Manager to put our app to sleep. To add our app to the unmonitored list on a Samsung, go to Settings -> Battery -> Unmonitored Apps -> then add Simple In/Out to the list.
  • The phone must have mobile data. Geofences will not work without an internet connection.
  • The phone must NOT be in Airplane Mode. Airplane Mode will disable both WIFI and Location.
  • Avoid using 'Power Saving Mode' while using Geofences. The Geofences will be a lot less consistent while Power Saving Mode is turned on (as it will automatically lower your location accuracy).
  • Avoid using 'Task Killer' apps on your phone. Task killer apps can potentially kill the background processes that monitor the Geofences. Any application that has the ability to kill, stop, or sleep our application may prevent Geofences from working.
User feedback regarding geo-fencing on Android devices:
  • Is there a problem with Samsung devices and the geofence function, because I have never got it to work well, this is my third Samsung phone.
    When I had a iphone 6 there was no problem with geofence.

    My Blueiris application has access to the location service all the time. The location (lat/lon) in BlueIris server setting is set up to where I live. When I check my location in a GPS tool on the phone it is within the range to be inside, but it still says I am outside. I have tried to reset the Geofence location in the app. Removed and added my device in Blueiris. Changed the Lat/Lon settings in the app.

    Also, If I set the profile to be inside anyway it keeps the profile but when I check the device status it says I am outside of the Geofence.

    Newer versions of Android have more aggressive battery saving measures. This can affect the frequency at which location updates are triggered. Try disabling any battery optimizations for the app. It's also important that the app's location permission is set to "allow all the time" and not "allow when app is open".

    Nothing more we can do on the app side. We react to the location and if the device reports a geolocation outside of the geofence, a transition is triggered. Expanding the radius may help.

    If geo-fence is not working for you, BI provides alternative solutions, albeit less convenient. For example, you could simply use the app as a remote control device. When you walk into the house or pull into the garage, you could manually switch the profile and vice versa when leaving.

    Other users use the shield icon, which mimics the arm/disarm feature that you see on home surveillance solutions like ADT.


Geofence Gotcha1: You allowed the BI app location services yet the App continues to state permission denied.
android gotchas_geo gotcha1.png
android gotchas_geo gotcha1.png (52.6 KiB) Viewed 18615 times
The user needs to figure out how to "allow all the time" with their particular Android device. An uninstall / reinstall should allow them to go through the initial steps again.


3.0.22: Notification settings not working. Sound alerts keep playing the default sound only
In Settings, Users can now adjust the sound, LED and vibrate notifications.
If you want to go back to default settings, simply select "Choose Default Notification Options".
notification settings.jpg
notification settings.jpg (31.91 KiB) Viewed 21138 times

Fix: The user needs to figure out how to "allow all the time" with their particular Android device. An uninstall / reinstall should allow them to go through the initial steps again.


Can I roll back to the previous version?
It may be possible to continue to run the old app which Google already approved, however we do not have this APK for distribution. We are very responsive to feedback and fix issues asap.


What happened to the cast icon?
Chromecast sends the video stream to a Cast-enabled device. It's still there, but Android seems to have tighter restrictions similar to SSL certificates as described below.

The Chromecast button will show up in the top bar for a video if:
  1. One of your two connections (LAN/WAN) is HTTPS.
  2. The video you're looking to cast has audio.
  3. The video you're looking to cast is not multi-cam.
  4. The video is a live stream.

In the Camera tab, when I view a group, I cannot select a camera in the group. To view the desired camera, I must scroll through the list and select it.
Longpress camera in group to open camera


SSL certificates / TLS

Are you using TLS or certificates?

Self signed certs are no longer allowed within Android, so users will need to get a properly signed certificate in order to leverage HTTPS connections.

You may want to reconsider whether encryption is needed for your cameras. Blue Iris DOES already encrypt login credentials. Your password and session are secure WITHOUT using HTTPS or Stunnel. The video itself is ENCODED only, so it may be POSSIBLE for a malicious ISP or government agency to spy on your video, but it's safe from general "hacking". You can turn off Stunnel on the Settings/Web server page in the PC and the issue will resolve.

If you really want full HTTPS security on the app, please consider using NGROK instead, it's just much more straightforward than dealing with Stunnel and certificates etc.

However, if you want to proceed with Stunnel, continue reading.

Others users have stated they are using a public key. However, Android decides which CA authorities are valid, not BI. There is nothing we can do from the app side to force Android to trust a user's CA. Either they do or they don't. In fact, we were removed from the Play Store for ignoring errors and forcing Android to accept that connection. More details here. https://developer.android.com/training/ ... onProblems

The Android team is using a PositiveSSL cert from Namecheap.com. Other CA Authorities include ZeroSSL or GoDaddy. The SSL and HTTPS section in Help also has information regarding using SSL with a domain in order to work with Android.

For the java exception, "CertPathValidatorException: Trust anchor for certification path not found.", per the docs, this is caused by:
  1. Using an unknown certificate authority and/or a self signed cert
  2. A missing intermediate certificate authority.
Missing Intermediate Certificates Authority
Google says the solution is "Configure the server to include the intermediate CA in the server chain. Most CAs provide documentation on how to do this for all common web servers."

User 1 example: namecheap.com (Sectigo)
From another user, who got his certificate from Sectigo (previously Comodo) through namecheap.com (as well). Some slight changes to the STunnel config as seen below (obfuscated):
[blue-iris]
accept = ##
connect = xxx.xxx.xxx.xxx:##
CAfile = certname.ca-bundle (had to add this line for the intermediary stuff I think)
cert = certname.pfx


User 2 example: pfSense CA
Simply created a new intermediate CA (on same pfSense install) signed by my original pfSense CA and then from that intermediate CA created a new Server Certificate for my BlueIris stunnel config.

I created a new .pem for the new cert and replaced the existing entry in my stunnel config, so I only needed to change the cert entry:

[blueiris]
accept = 8443
connect = 127.0.0.1:9443
cert = Iris10IntermediateCA.pem

The new Iris10IntermediateCA.pem is formatted just the same as the original:

Code: Select all

-----BEGIN CERTIFICATE-----
MIIERzCC…
…lW9xMlNg==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvwIB…
…BGDO7i4ng==
-----END PRIVATE KEY-----
I also needed to trust (i.e. install) the new intermediate CA certificate onto my Android phone using the system settings UI flow. I’d have to do the same for every other Android phone/tablet we use with the BI app.


User 3 example: Let's encrypt service
I followed the instructions from letsencrypt which consists of:
  • Download and install the certbot client
  • On the BI machine run windows cmd : $ certbot certonly— standalone. It asks several inputs like domain name etc. Follow the process and this will generate 2 files privKey1.pem and fullchain1.pem
  • Declare the 2 generated files in stunnel config file :
    cert=/etc/letsencrypt/live/example.com/fullchain1.pem
    key=/etc/letsencrypt/live/example.com/privkey1.pem
  • Restart Stunnel and it works well.
Lets encrypt is free but the certificate will expire after 3 months.
Automatic renewal is also possible to setup. I didn't do it at this stage.

Another Let's encrypt user stated:

Thank you, I read the page (this article) and found out all I need is to put the certificate and private key in separate files instead of one pem file.


User 4 example: ZeroSSL service
  • Use ZeroSSL to generate a CA-signed certificate. Certificates with 3-month durations are free.
  • Download the certificate from ZeroSSL. This is a ZIP file containing the following files:

    Code: Select all

    ca_bundle.crt
    certificate.crt
    private.key
    
  • Rename private.key to key.pem and move it into the stunnel configuration folder (default location is C:\Program Files (x86)\stunnel\config).
  • It looks like Android requires the full certificate chain, including the root certificate, which is not provided by ZeroSSL by default. Their website's help section says the following: "If you need the full chain including the root certificate we recommend you use a tool like whatsmychaincert.com to download it". So, go to https://whatsmychaincert.com, enter your server's public IP address, and download the file containing the full chain.
  • Rename this file to cert.pem and move it into the stunnel config folder.
  • Edit the Blue Iris section of the stunnel config file to include both files as follows:

    Code: Select all

    cert = cert.pem
    key = key.pem
    
  • Restart stunnel and the Android app should connect successfully via HTTPS.
DDNS & STunnel Gotcha
Since I was using a DDNS to point to my host that I had to use the DDNS rather than the external IP. STUNNEL will only recognize the DDSN name and not the external IP.

User 5 example: No-IP DDNS + Let's Encrypt ssl
stunnel.pem file was composed of my key file and my crt file. It also needed the chain file appended to the end of it.
So my stunnel config uses stunnel.pem as the cert file.

Not working: mydomain-key.pem + mydomain-crt.pem concatenated into stunnel.pem
Working: mydomain-key.pem + mydomina-crt.pem + mydomain-chain.pem concatenated into stunnel.pem


Troubleshooting Certificates

If the above examples do not help resolve your certificate issue, this user was kind enough to document how he resolved the issue.
I went to https://www.geocerts.com/ssl-checker and put in my domain name www.cohovideofeed.com.
That site will tell you the problem.
I got the error:

A valid Root CA Certificate could not be located, the certificate will likely display browser warnings.

Had to add Root certificate and it had to be in the correct order.

Chaining certificates correctly

Some web servers need all SSL/TLS (root, intermediate and end-user) certificates in one file but CAs normally send you all their certificates separated, so you need to concatenate them manually. But pay attention while concatenating them because their order is important!
The correct order of a chained certificate is:

1. end-user certificate
2. all intermediate certificates
3. root certificate

I also had to add these lines:
sslVersionMax = TLSv1.2
sslVersion = TLSv1.2

Works great now
Post Reply