MobiWeb Help

Security Notes

  • Callback names passed to AndroidBiometric methods must match the pattern ^[a-zA-Z0-9._]+$. Arbitrary strings will be rejected.

  • Nonces must be non-empty strings. Use a UUID or timestamp-based value to prevent replay issues.

  • Key aliases in encryptWithBiometric/decryptWithBiometric are scoped to the Android Keystore - use a consistent, app-specific string (e.g. com.myapp.usertoken).

  • iOS tokens are stored in the device Keychain with biometric access control and are cleared on logout().

  • Bluetooth on Android requires runtime permissions (BLUETOOTH_CONNECT + BLUETOOTH_SCAN on API 31+, ACCESS_FINE_LOCATION on older API levels). The bridge auto-requests them and emits mobiweb:btPermissionRequired if denied.

  • Bluetooth on iOS requires NSBluetoothAlwaysUsageDescription in Info.plist. The system prompts the user on first BLE scan.

  • Bluetooth Classic (SPP) and BLE are both used on Android; iOS uses BLE (CoreBluetooth) only.

  • On iOS, connect() requires the BLE peripheral UUID from a prior scan - MAC addresses are not exposed by CoreBluetooth.
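
Added example (not MobiWeb code): page-side pre-flight checks for the callback-name and nonce rules above, with single-use nonce tracking. The names assertCallbackName and NonceRegistry are hypothetical, and the example assumes the nonce you pass is handed back with the result so the page can match it.

```javascript
// Added example, not part of MobiWeb. All names below are hypothetical.

// Same pattern the Security Notes give for callback names.
const CALLBACK_RE = /^[a-zA-Z0-9._]+$/;

// Check a callback name before handing it to the bridge, so a bad name
// fails in page code with a clear error instead of being rejected natively.
function assertCallbackName(name) {
  if (typeof name !== "string" || !CALLBACK_RE.test(name)) {
    throw new TypeError("callback name must match ^[a-zA-Z0-9._]+$");
  }
  return name;
}

// Issues nonces and accepts each one back exactly once, within a time limit.
// Assumption: the native side returns the nonce with its result.
class NonceRegistry {
  constructor({
    ttlMs = 60000,
    now = Date.now,
    generate = () => globalThis.crypto.randomUUID(), // UUID, as the notes suggest
  } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.generate = generate;
    this.pending = new Map(); // nonce -> expiry time in ms
  }

  issue() {
    const nonce = this.generate();
    if (typeof nonce !== "string" || nonce.length === 0) {
      throw new Error("nonce must be a non-empty string");
    }
    if (this.pending.has(nonce)) {
      throw new Error("nonce generator repeated a value");
    }
    this.pending.set(nonce, this.now() + this.ttlMs);
    return nonce;
  }

  // True only for a nonce this registry issued, not yet used, not expired.
  consume(nonce) {
    const expiry = this.pending.get(nonce);
    this.pending.delete(nonce); // single use: a second result is refused
    return expiry !== undefined && this.now() <= expiry;
  }
}
```

Call issue() immediately before each biometric request and consume() on the value that arrives in the callback; treat a false return as a replayed or stale result.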

03 May 2026