Android 3.0 Gotchas

Post Reply
varghesesa
Posts: 90
Joined: Thu Jul 11, 2019 9:52 pm

Android 3.0 Gotchas

Post by varghesesa »

Introduction
This article is from BI support in order get known issues and fixes to the community as soon as possible.

We did a complete refresh of the Android app on Feb. 12, 2021, starting with version 3.0.14. We appreciate all feedback and are vigilant in incorporating the feedback and bug fixes into the product asap.

Never a bad idea to reset the phone and the app: delete data, cache, reinstall the app and see if functionality returns or issues goes away.



Known Issues

Override Do not Disturb for BI app notifications.
Some users prefer to have their Do Not Disturb (DnD) settings overridden by the BI app, i.e. if a BI alert happens late at night, users still want to be notified.

The Android settings that allow you to override DnD will only apply to the "default" notification sound. We cannot support it when using custom notification sounds, as each notification category can only have one custom sound, where our system allows multiple custom sounds. This is a limitation of Android.

Users that need to override DnD should use the default notification sound.


Setting up geofencing
We made more changes in order to make it easy for users to setup geofencing!
Easiest way is to Create a New Server -> Go through the App Wizard -> Following geofencing instructions. Delete your current server after new server is setup correctly.


Below is a list of settings that may or may not apply to your phone that could affect geo-fencing accuracy.
  • Make sure battery optimization is off.
  • WiFi must be turned on. It may seem weird, but the low power location management that Geofencing uses is actually primarily based off distances from WiFi signals.
  • Go to your device's Settings, navigate to your Location Settings. Make sure that your phone's Location is turned on and also in High Accuracy Mode.
  • Make sure that your device has given the app Location Permission (on Android 10 and higher, you will need to give location permission "All the time")
  • Newer devices put applications to sleep if they haven't been opened in a while. It is difficult to determine if your device has a setting for this or not. You will have to look through your phone settings to see. For example, the latest Samsung devices use the Smart Manager to put our app to sleep. To add our app to the unmonitored list on a Samsung, go to Settings -> Battery -> Unmonitored Apps -> then add Simple In/Out to the list.
  • The phone must have mobile data. Geofences will not work without an internet connection.
  • The phone must NOT be in Airplane Mode. Airplane Mode will disable both WIFI and Location.
  • Avoid using 'Power Saving Mode' while using Geofences. The Geofences will be a lot less consistent while Power Saving Mode is turned on (as it will automatically lower your location accuracy).
  • Avoid using 'Task Killer' apps on your phone. Task killer apps can potentially kill the background processes that monitor the Geofences. Any application that has the ability to kill, stop, or sleep our application may prevent Geofences from working.
User feedback regarding geo-fencing on Android devices:
  • Is there a problem with Samsung devices and the geofence function, because I have never got it to work well, this is my third Samsung phone.
    When I had a iphone 6 there was no problem with geofence.

    My Blueiris application has access to the location service all the time. The location (lat/lon) in BlueIris server setting is set up to where I live. When I check my location in a GPS tool on the phone it is within the range to be inside, but it still says I am outside. I have tried to reset the Geofence location in the app. Removed and added my device in Blueiris. Changed the Lat/Lon settings in the app.

    Also, If I set the profile to be inside anyway it keeps the profile but when I check the device status it says I am outside of the Geofence.

    Newer versions of Android have more aggressive battery saving measures. This can affect the frequency at which location updates are triggered. Try disabling any battery optimizations for the app. It's also important that the app's location permission is set to "allow all the time" and not "allow when app is open".

    Nothing more we can do on the app side. We react to the location and if the device reports a geolocation outside of the geofence, a transition is triggered. Expanding the radius may help.

    If geo-fence is not working for you, BI provides alternative solutions, albeit less convenient. For example, you could simply use the app as a remote control device. When you walk into the house or pull into the garage, you could manually switch the profile and vice versa when leaving.

    Other users use the shield icon, which mimics the arm/disarm feature that you see on home surveillance solutions like ADT.


Geofence Gotcha1: You allowed the BI app location services yet the App continues to state permission denied.
android gotchas_geo gotcha1.png
android gotchas_geo gotcha1.png (52.6 KiB) Viewed 8004 times
The user needs to figure out how to "allow all the time" with their particular Android device. An uninstall / reinstall should allow them to go through the initial steps again.


3.0.22: Notification settings not working. Sound alerts keep playing the default sound only
In Settings, Users can now adjust the sound, LED and vibrate notifications.
If you want to go back to default settings, simply select "Choose Default Notification Options".
notification settings.jpg
notification settings.jpg (31.91 KiB) Viewed 10527 times

Fix: The user needs to figure out how to "allow all the time" with their particular Android device. An uninstall / reinstall should allow them to go through the initial steps again.


Can I roll back to the previous version?
It may be possible to continue to run the old app which Google already approved, however we do not have this APK for distribution. We are very responsive to feedback and fix issues asap.


What happened to the cast icon?
Chromecast sends the video stream to a Cast-enabled device. It's still there, but Android seems to have tighter restrictions similar to SSL certificates as described above.

The Chromecast button will show up in the top bar for a video if:
  1. One of your two connections (LAN/WAN) is HTTPS.
  2. The video you're looking to cast has audio.
  3. The video you're looking to cast is not multi-cam.
  4. The video is a live stream.

In the Camera tab, when I view a group, I cannot select a camera in the group. To view the desired camera, I must scroll through the list and select it.
Longpress camera in group to open camera


SSL certificates / TLS

Are you using TLS or certificates?

Self signed certs are no longer allowed within Android, so users will need to get a properly signed certificate in order to leverage HTTPS connections.

You may want to reconsider whether encryption is needed for your cameras. Blue Iris DOES already encrypt login credentials. Your password and session are secure WITHOUT using HTTPS or Stunnel. The video itself is ENCODED only, so it may be POSSIBLE for a malicious ISP or government agency to spy on your video, but it's safe from general "hacking". You can turn off Stunnel on the Settings/Web server page in the PC and the issue will resolve.

If you really want full HTTPS security on the app, please consider using NGROK instead, it's just much more straightforward than dealing with Stunnel and certificates etc.

However, if you want to proceed with Stunnel, continue reading.

Others users have stated they are using a public key. However, Android decides which CA authorities are valid, not BI. There is nothing we can do from the app side to force Android to trust a user's CA. Either they do or they don't. In fact, we were removed from the Play Store for ignoring errors and forcing Android to accept that connection. More details here. https://developer.android.com/training/ ... onProblems

The Android team is using a PositiveSSL cert from Namecheap.com. Other CA Authorities include ZeroSSL or GoDaddy. The SSL and HTTPS section in Help also has information regarding using SSL with a domain in order to work with Android.

For the java exception, "CertPathValidatorException: Trust anchor for certification path not found.", per the docs, this is caused by:
  1. Using an unknown certificate authority and/or a self signed cert
  2. A missing intermediate certificate authority.
Missing Intermediate Certificates Authority
Google says the solution is "Configure the server to include the intermediate CA in the server chain. Most CAs provide documentation on how to do this for all common web servers."

User 1 example: namecheap.com (Sectigo)
From another user, who got his certificate from Sectigo (previously Comodo) through namecheap.com (as well). Some slight changes to the STunnel config as seen below (obfuscated):
[blue-iris]
accept = ##
connect = xxx.xxx.xxx.xxx:##
CAfile = certname.ca-bundle (had to add this line for the intermediary stuff I think)
cert = certname.pfx


User 2 example: pfSense CA
Simply created a new intermediate CA (on same pfSense install) signed by my original pfSense CA and then from that intermediate CA created a new Server Certificate for my BlueIris stunnel config.

I created a new .pem for the new cert and replaced the existing entry in my stunnel config, so I only needed to change the cert entry:

[blueiris]
accept = 8443
connect = 127.0.0.1:9443
cert = Iris10IntermediateCA.pem

The new Iris10IntermediateCA.pem is formatted just the same as the original:

Code: Select all

-----BEGIN CERTIFICATE-----
MIIERzCC…
…lW9xMlNg==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvwIB…
…BGDO7i4ng==
-----END PRIVATE KEY-----
I also needed to trust (i.e. install) the new intermediate CA certificate onto my Android phone using the system settings UI flow. I’d have to do the same for every other Android phone/tablet we use with the BI app.


User 3 example: Let's encrypt service
I followed the instructions from letsencrypt which consists of:
  • Download and install the certbot client
  • On the BI machine run windows cmd : $ certbot certonly— standalone. It asks several inputs like domain name etc. Follow the process and this will generate 2 files privKey1.pem and fullchain1.pem
  • Declare the 2 generated files in stunnel config file :
    cert=/etc/letsencrypt/live/example.com/fullchain1.pem
    key=/etc/letsencrypt/live/example.com/privkey1.pem
  • Restart Stunnel and it works well.
Lets encrypt is free but the certificate will expire after 3 months.
Automatic renewal is also possible to setup. I didn't do it at this stage.

Another Let's encrypt user stated:

Thank you, I read the page (this article) and found out all I need is to put the certificate and private key in separate files instead of one pem file.


User 4 example: ZeroSSL service
  • Use ZeroSSL to generate a CA-signed certificate. Certificates with 3-month durations are free.
  • Download the certificate from ZeroSSL. This is a ZIP file containing the following files:

    Code: Select all

    ca_bundle.crt
    certificate.crt
    private.key
    
  • Rename private.key to key.pem and move it into the stunnel configuration folder (default location is C:\Program Files (x86)\stunnel\config).
  • It looks like Android requires the full certificate chain, including the root certificate, which is not provided by ZeroSSL by default. Their website's help section says the following: "If you need the full chain including the root certificate we recommend you use a tool like whatsmychaincert.com to download it". So, go to https://whatsmychaincert.com, enter your server's public IP address, and download the file containing the full chain.
  • Rename this file to cert.pem and move it into the stunnel config folder.
  • Edit the Blue Iris section of the stunnel config file to include both files as follows:

    Code: Select all

    cert = cert.pem
    key = key.pem
    
  • Restart stunnel and the Android app should connect successfully via HTTPS.
DDNS & STunnel Gotcha
Since I was using a DDNS to point to my host that I had to use the DDNS rather than the external IP. STUNNEL will only recognize the DDSN name and not the external IP.

User 5 example: No-IP DDNS + Let's Encrypt ssl
stunnel.pem file was composed of my key file and my crt file. It also needed the chain file appended to the end of it.
So my stunnel config uses stunnel.pem as the cert file.

Not working: mydomain-key.pem + mydomain-crt.pem concatenated into stunnel.pem
Working: mydomain-key.pem + mydomina-crt.pem + mydomain-chain.pem concatenated into stunnel.pem


Troubleshooting Certificates

If the above examples do not help resolve your certificate issue, this user was kind enough to document how he resolved the issue.
I went to https://www.geocerts.com/ssl-checker and put in my domain name www.cohovideofeed.com.
That site will tell you the problem.
I got the error:

A valid Root CA Certificate could not be located, the certificate will likely display browser warnings.

Had to add Root certificate and it had to be in the correct order.

Chaining certificates correctly

Some web servers need all SSL/TLS (root, intermediate and end-user) certificates in one file but CAs normally send you all their certificates separated, so you need to concatenate them manually. But pay attention while concatenating them because their order is important!
The correct order of a chained certificate is:

1. end-user certificate
2. all intermediate certificates
3. root certificate

I also had to add these lines:
sslVersionMax = TLSv1.2
sslVersion = TLSv1.2

Works great now
emerson1vier
Posts: 4
Joined: Sun Feb 23, 2020 6:40 pm

Re: Android Refresh/Update - 3.0.14+

Post by emerson1vier »

How can I see my app version on Android?
Last edited by emerson1vier on Fri Feb 26, 2021 10:41 pm, edited 1 time in total.
MikeBwca
Posts: 1115
Joined: Thu Jun 20, 2019 5:39 am

Re: Android Refresh/Update - 3.0.14+

Post by MikeBwca »

long press he BI icon. Select 'App info', or the '!' icon. Scroll to the bottom.

You can also go into Settings and tap 'App Info', then scroll to find 'Blue Iris'.
prd0000
Posts: 6
Joined: Mon Oct 19, 2020 10:13 am

Re: Android Refresh/Update - 3.0.14+

Post by prd0000 »

Hello,

I think I solved the problem with nginx proxy server. So I think I am going to share what you need to do if you want to follow my steps.
Nginx is available on Windows and Linux platform, though I don't use Windows for my web servers. It is a full blown, very small, and very fast web server. Fortunately, it also includes a fast and robust reverse-proxy server.

A few requirement before we begin:
  1. A valid domain, and a valid IP. If you have dynamic IP, you can use Cloudflare service to keep track whenever your connection changed IP. The instruction to link your dynamic IP to your domain can be found here
  2. A third party signed certificate. You can create certificate for free from Let's Encrypt if you don't have one
  3. nginx web server . You can install it on your blueiris server, or into another machine. Your choice. Just open this machine's IP through your router NAT for port 443.
Okay.. now let us begin.
  1. First, create your certificate chain. It is very easy in nginx. You don't need to care anything about bundle or anything. Just chain all of them in your server.pem file in the order:
    • YOUR CERTIFICATE
    • INTERMEDIATE CERTIFICATE
    • ROOT CERTIFICATE
    For Let's Encrypt, it should look like this.
    -----BEGIN CERTIFICATE-----
    Subject: CN = mycamera.yourdomain.tld
    Issuer: C = US, O = Let's Encrypt, CN = R3
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    Subject: C = US, O = Let's Encrypt, CN = R3
    Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
    Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
    -----END CERTIFICATE-----
    Except if you use Let's Encrypt, you don't need root certificate. Since ISRG is a known root CA, just put the intermediate one, and you good to go.
    I'll even make life easier for you.. Here is my certificate.

    Code: Select all

    -----BEGIN CERTIFICATE-----
    INSERT YOUR CERTIFICATE HERE
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
    TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
    cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
    WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
    RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
    AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
    R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
    sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
    NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
    Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
    /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
    AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
    Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
    FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
    AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
    Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
    gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
    PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
    ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
    CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
    lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
    avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
    yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
    yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
    hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
    HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
    MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
    nLRbwHOoq7hHwg==
    -----END CERTIFICATE-----
    Save those certificate into server.pem file.
  2. Now, we'll edit configuration file. Add these lines at the end of the config file

    Code: Select all

    server {
            listen  80;
            server_name     mycamera.yourdomain.tld;
            location / {
                   return 301 https://mycamera.yourdomain.tld;
            }
    }
    
    server {
            listen          443;
            server_name     mycamera.yourdomain.tld;
            ssl             on;
    #       ssl_protocols   TLSv1.2 TLSv1.3;
            ssl_certificate server.pem;
            ssl_certificate_key     server.key;
    #        access_log      cam-access.log;
            location / {
                    proxy_pass      http://[blue.iris.ip.here]:81;
                    proxy_buffers   16 4k;
                    proxy_buffer_size       2k;
            }
    }
    
    Make sure you put the correct path to your server.pem and server.key file. Also put the correct blueiris IP at proxy_pass parameter.
    The hash sign means that it is disabled. remove the hash to enable it.
    • ssl_protocols is optional, and I prefer to lock it to TLS 1.3 only, hence removing TLSv1.2 option. By default, nginx would response to SSL, TLS 1.1 to 1.3.
    • access_log is also optional, if you want to monitor your activity. But I suggest you disable it when you are done since it could generate significant IO traffic.
    Make sure you check the trailing semicolons. Otherwise nginx would complain.
    I configure it to redirect all http traffic to https by sending 301 permanent redirect.
Your server is now configured, and ready to rock.. Now, let's verify your configuration.
  1. Try open it using web browser.. You should see something like these:
    secured.jpg
    secured.jpg (25.53 KiB) Viewed 10478 times
    camera.jpg
    camera.jpg (70.8 KiB) Viewed 10478 times
    If you can open the blue iris login page, you are halfway there.

    Now, to check the chaining, go to SSL Checker to check your chaining. Enter your address, and press CHECK button. You should see something like this:
    Screenshot 2021-03-16 150945.jpg
    Screenshot 2021-03-16 150945.jpg (127.87 KiB) Viewed 10478 times
    The checker will show an error if your chaining is not correct. Just fix it by putting correct sequence at server.pem file.
When SSL Checker has no chain issues, your blue iris app should work properly now. Make sure you put your URL instead of IP Address in your app. Enjoy.
Last edited by prd0000 on Tue Mar 16, 2021 11:49 pm, edited 1 time in total.
ramaz16
Posts: 23
Joined: Sun Mar 14, 2021 4:46 pm

Re: Android Refresh/Update - 3.0.14+

Post by ramaz16 »

The OP suggests to use NGROCK, but it has no Android version. Pls explain in detail, how to use NGROCK installed on Windows PK with an Android smartphone for secure LAN/WAN connection to BI on that PK?

Do you offer beta testing option for the Android app? Google Play reviews of the app show too many deficiencies at this point. Beta testing can help to fix them much faster. This is a common practice for Android apps development.
prd0000
Posts: 6
Joined: Mon Oct 19, 2020 10:13 am

Re: Android Refresh/Update - 3.0.14+

Post by prd0000 »

ramaz16 wrote: Tue Mar 16, 2021 1:51 pm The OP suggests to use NGROCK, but it has no Android version. Pls explain in detail, how to use NGROCK installed on Windows PK with an Android smartphone for secure LAN/WAN connection to BI on that PK?

Do you offer beta testing option for the Android app? Google Play reviews of the app show too many deficiencies at this point. Beta testing can help to fix them much faster. This is a common practice for Android apps development.
Just use nginx. Install it on blueiris server, and be done. It is free.
ramaz16
Posts: 23
Joined: Sun Mar 14, 2021 4:46 pm

Re: Android Refresh/Update - 3.0.14+

Post by ramaz16 »

prd0000 wrote: Tue Mar 16, 2021 8:30 am A valid domain, and a valid IP.
Does one need a "valid domain", if they want to stream a cam from BI Android app on a smartphone to a PC on the same LAN with BI and Nginx web server installed? What would be a "valid IP" in this case? Or, is there a simple secure stream solution for that case? What overhead CPU load Nginx causes?

Is there a lighter secure alternative of the BI Android app? Some use IP Webcam app now, but it doesn't seem to support secure stream on its own.
prd0000
Posts: 6
Joined: Mon Oct 19, 2020 10:13 am

Re: Android Refresh/Update - 3.0.14+

Post by prd0000 »

Nginx
ramaz16 wrote: Mon Mar 22, 2021 10:13 pm Does one need a "valid domain", if they want to stream a cam from BI Android app on a smartphone to a PC on the same LAN with BI and Nginx web server installed? What would be a "valid IP" in this case? Or, is there a simple secure stream solution for that case? What overhead CPU load Nginx causes?

Is there a lighter secure alternative of the BI Android app? Some use IP Webcam app now, but it doesn't seem to support secure stream on its own.
Nginx has a very small footprint, and very fast. When you buy a hosting package from hosting provider, they use nginx to share one ip to hundreds of websites. It is used by about 400 million internet sites. And as far as it goes, even ngrok tunnel is heavier than nginx. In my setup, threadripper 2950X with 41 cameras, nginx vm cost me less than 2% cpu overall. And that figure includes 2 native applications (metabase with mongodb, and public website), along with 3 proxies (blueiris, zabbix monitoring, and SAP).

Valid domain is a must if you want to create third party signed certificate. For internal network, just use non https version. The limitation comes from android.
jasestu
Posts: 11
Joined: Tue Aug 18, 2020 6:54 am

Re: Android 3.0 Gotchas

Post by jasestu »

Oh, so the app has been updated recently - don't suppose anything changed that could have affected how it handles switching from sub to main streams when zooming in while watching a live camera feed?

https://blueirissoftware.com/forum/view ... f=4&t=3154
Post Reply