BluePass extracts 2FA tokens from SMS and forwards them via Bluetooth
About this app
Description
BluePass extracts two factor authentication codes (2FA) from SMS and sends them to a paired device via Bluetooth RFCOMM. A Qt based companion app bluepass-server will receive the 2FA codes and provide them via the system clipboard.
Use Case
The company I work for is relying on third party services that require to authenticate using 2FA. The second factor is an SMS to your mobile phone. This app was built for convenience, to avoid having to unlock your phone, find the message and then type the received code on the PC.
It is not about the time saved, it's about getting rid of robot tasks.
Setup
You have to configure parameters to match the sender of the SMS and parse the code from the messages sent to you. Currently, regular expressions are used for this task. However, a very basic setup will be provided below.
Regular expression for sender has to be set to a regular expression that matches all the senders of SMS (as they appear in your chat application). Multiple numbers and names can be provided:
• To match CompanyA, you might simply putCompanyA into the box
• To match CompanyA and 12345678, write (CompanyA|12345678)
Regular expression to filter the content has to be set to a regular expression that matches the messages you want to catch. Additionally, it has to define one group to extract the actual code that has to be sent to the PC.
• To match any number, you can use [^\d]*(\d+).*
• To match a code only with 6 digits, use: .*(\d{6}).*
... as the process of defining a proper regular expression is not that easy, there is another text box Test message. You can paste here the content of the SMS thatyou want to match and adjust the regular expression until it gets parsed correctly.
The last step of the configuration is to pair with the bluetooth adapter of your PC and configure the adapter to be used.
Operation
• Whenever your mobile phone receives an SMS (and the settings above are configured), this app will try to match the sender and content. If one of the two doesn't match, the message will not be processed any further.
• If the 2FA code could be extracted, a foreground service will be started (status bar) and the app tries to connect to the configured Bluetooth adapter and sends the code. It retries for some amount of time and reports the status in the status bar. Note: The notification in the status bar doesn't automatically disappear. However, this doesn't consume any resources and can be removed using the Stop button.
• If the code is required on the mobile phone, it can be copied using the Copy last button.
Protocol
The communication is based on very simple primitives using an RFCOMM channel. The UUID for the service is e4d56fb3-b86d-4572-9b0d-44d483eb1eee. Extracted codes are sent as text (over a secure Bluetooth connection) terminated with a new line character. Therefore, codes may not contain any new line characters.
Future
• The protocol will be changed to something more sophisticated and extensible
• Configuration of the sender should be done through contact providers and not use regular expressions
• Allow to use this app to share text / files with the PC
Licensed under MIT, by Manuel Huber.
What's New in v0.3.0
Imported from the F-Droid repository index.
- - Add a button to send the last code again to the companion app
- - Add a test button to allow to trigger sending a code to the companion app
- - Fix the format of the summary
Version history
Dec 2, 2021 · 14.6 MB · Android API 29–29 · code 5
Imported from the F-Droid repository index.
- - Add a button to send the last code again to the companion app
- - Add a test button to allow to trigger sending a code to the companion app
- - Fix the format of the summary
SHA-256 ed8e50fe4873f1bed1ccb5bd7368b4daadc4f455f6e2e61c3e962d6c3b37639e
Nov 2, 2021 · 14.6 MB · Android API 29–29 · code 4
Imported from the F-Droid repository index.
SHA-256 70b3e5bf6021469f0bcca1887e5d059480116e9470ee6b388b6009b4822a6860
Will it run on your device?
55%
- Targets newer Android builds, so legacy devices may be excluded.
- ABI coverage is focused on newer 64-bit devices.
Installation Guide
Open Settings on your Android device
Go to Security → Unknown sources (or Install unknown apps)
Enable "Allow from this source" for your browser or file manager
Open the downloaded APK file from your Downloads folder
Tap "Install" and wait for installation to complete
Launch the app from your home screen
Make sure to re-enable Unknown Sources restrictions after installation for security.
How to install this safely
How to verify the file you downloaded
Before you install anything, confirm the file is the one described here. On a computer, run shasum -a 256 your-download.apk (macOS or Linux) or certutil -hashfile your-download.apk SHA256 (Windows), then compare the output character-for-character with the SHA-256 on this page. If a single character differs, the file is not the build we recorded — delete it.
What the signing certificate proves
Every Android app is signed with a private key that only its developer holds. The fingerprint on this page is a hash of the matching public certificate, and it proves continuity rather than identity: it tells you a build came from whoever signed the earlier ones. Android enforces this at install time — if a package claiming to be org.booncode.bluepass4 is signed with a different key, the system will refuse to install it over your existing copy. A fingerprint that changes between releases is worth pausing on, because a repackaged app that has been modified by someone else cannot keep the original signature.
How to roll back to an earlier version
If the current release misbehaves, 0.2.1 is the last build before it. Android will not install an older version code over a newer one, so you must uninstall BluePass first — which clears its local data unless you have a backup. Reinstall the older APK only if its signing fingerprint matches the build you already trust, and check the API range: an older release may target an Android version your device has moved past.
Why we list sources instead of hosting everything
The official store channel is almost always the right choice: it updates automatically and carries the publisher's own distribution guarantees. A direct APK is useful when a device has no store access, when a rollout has not reached your region, or when you need a specific version — and only when the publisher has authorized that copy. APKBrowse does not list pirated, cracked, or unauthorized rebuilds of BluePass, and a listing is removed when the evidence for it stops holding up.
Get BluePass
Every source we list for org.booncode.bluepass4 is legality-reviewed. Pirated or cracked builds are never offered.
Other sources
F-Droid listing
officialF-Droid builds this app from source and signs it. This is its official listing, with older builds and full release notes.
Source code
verified publisherThe upstream repository this build is compiled from.
We check legality and signature continuity, but device behaviour still varies. Install at your own discretion.
App Information
Security Verification
We record provenance; we do not run malware scans. Verify the hash yourself before installing.
SHA-256 Hash
ed8e50fe4873f1bed1ccb5bd7368b4daadc4f455f6e2e61c3e962d6c3b37639e
Signing certificate
342660f021f25237e8568751fa9234dda52e54254d7f76c1f2bd1646a970af77
Permissions Required
Previous Versions
The signing certificate fingerprint for this release is on record, so a build that does not match it did not come from this publisher.
Report a problem with this listing
A listing is only as good as its corrections. If a source is broken, a signature looks wrong, or this app should not be here, tell the moderation team.