Like Nokia Thermo, which we tested in February, Nokia BPM+ is also a health care product. Its blood pressure and pulse measurements are transmitted via Bluetooth to the corresponding app, which displays them and also shows which range the blood pressure values fall into.

Blood pressure

Local communication

The blood pressure monitor transfers its data to the app via Bluetooth. This is done using RFCOMM, a protocol that emulates a serial connection. The connection between the two devices is invisible to other devices at all times and therefore protected against simple attacks.

Online communication via app

The app transfers the measured data to Withings or Nokia servers encrypted with TLS 1.2, protecting the communication path against simple man-in-the-middle attacks. No unencrypted connections could be observed.
If an attacker were able to install a certificate on the owner’s smartphone, a man-in-the-middle attack would be possible, because the app lacks an adequate certificate pinning implementation.

Encrypted online communication

The Nokia Health Mate app itself is well obfuscated, making reverse engineering more difficult. Static analysis of the source code of the updated app revealed the same problems as in the Nokia Activité and Body Cardio tests.

Access data in appdata folder

The account password is stored as an MD5 hash in the app’s data folder, which is secure only until the phone is rooted. This hash is used together with the account’s email address to obtain an API key from the Nokia servers, which then authenticates further communication. As mentioned in our Nokia Thermo test, this is perfectly valid, but many rainbow tables exist for MD5-hashed passwords.
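To make the rainbow table point concrete, here is an added Python example (not code from the app or from this test) that contrasts a precomputed lookup against an unsalted MD5 hash with a salted, iterated PBKDF2 hash; the five-word list and the 200,000 iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed five-word list standing in for a precomputed MD5 table;
# real tables cover billions of candidates, but the mechanics are the same.
SAMPLE_WORDLIST = ["letmein", "qwerty", "password123", "sunshine", "dragon"]
PBKDF2_ITERATIONS = 200_000  # constructed value; tune to the target hardware


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, the form stored in the app data folder."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_lookup_table(words):
    """Hash every candidate once; every later lookup is a single dict access.
    This precomputation is what makes an unsalted stored hash a liability."""
    return {md5_hex(w): w for w in words}


def recover_from_unsalted_md5(stored_hex: str, table: dict):
    """Returns the password if the stored hash is in the table, else None."""
    return table.get(stored_hex)


def hash_password_pbkdf2(password: str, salt=None):
    """Salted, iterated hash: a fresh random salt means no table built before
    the salt existed applies, and the iteration count makes each guess slow."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored salt and digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = md5_lookup_table(SAMPLE_WORDLIST)
    stored = md5_hex("password123")  # what a rooted phone would expose
    print("unsalted MD5  ->", recover_from_unsalted_md5(stored, table))
    salt, digest = hash_password_pbkdf2("password123")
    print("salted PBKDF2 ->", recover_from_unsalted_md5(digest.hex(), table))
```

The same password resolves instantly from the unsalted hash but not from the salted one, which is why a random salt and a slow hash are the standard mitigation for locally stored credentials.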

Privacy

Nokia provides a privacy policy for the Health App that is easy to understand. It describes in detail which data is recorded for which purpose. Data is only shared with third parties with the explicit consent of the user. Furthermore, the data is only stored on the user’s continent (Europe – Ireland, North America – USA, South America – Brazil, Asia – Japan/Singapore, Australia).
Nokia has done a good job in terms of privacy, which should be given special attention, especially with eHealth products like this one.
The app requests some Android permissions that are not necessary for the pure use of Nokia BPM+. Apart from the location permission, which is required for Bluetooth communication, none of these were required or activated.

Android App permissions

Conclusion

Nokia’s BPM+ provides a privacy-friendly, secure solution for blood pressure measurement. The Nokia Health Mate app and the Nokia BPM+ are therefore rated with three out of three stars.