XMPP: Swiss Army Knife for Internet of Things (IoT)

May 31, 2016


Is XMPP the remedy for the Internet of Things?

IoT communication is complex and varied, and XMPP, the Extensible Messaging and Presence Protocol, is a great candidate for an application-layer protocol. Developers can use it in IoT for communication among devices and their corresponding servers and users in the cloud.

Historically, XMPP started as Jabber software for open, interoperable real-time communication between two users or a user and a server. In the early days the project was managed by the Jabber Software Foundation (JSF) and was most often used as an open, decentralized application-layer protocol for instant messaging. Later, the core protocols used by Jabber software were standardized by the Internet Engineering Task Force (IETF) as RFC 3920 and RFC 3921. The IETF extended the original use of XMPP when they changed the core protocols with many extensions called XMPP Extension Protocols (XEPs). Currently, there are more than 370 XEPs, which makes XMPP a feature-rich communication protocol that can be used for communication between machines in many different scenarios. The Jabber Software Foundation was later renamed the XMPP Software Foundation (XSF), and the XSF is responsible for organizing XEPs, as they have with the updated XMPP protocols RFC 6120, RFC 6121, and RFC 7622.

The XEPs add functionality to the protocol and make it optimal for use in developing IoT. Let’s see how XMPP now helps IoT developers achieve their goals.


The IoT ecosystem is diverse, and XMPP is rich in terms of network connection and communication pattern choices. XMPP supports:

· Standard bi-directional socket connections

· Bidirectional streams over Synchronous HTTP (BOSH) (XEP-0124)

· Efficient XML Interchange (EXI) (XEP-0322)

BOSH allows clients that can only access the Internet over HTTP (like JavaScript clients) to connect to the XMPP network. EXI is an extremely efficient way of compressing XML stanzas, which reduces message sizes to suit the small, resource-constrained devices popular in IoT.

XMPP also supports different communication patterns like Request/Response, Asynchronous Messaging, and Publish/Subscribe.


In IoT we often deal with resource-constrained devices that are not operated by humans and so need to be autonomous. XMPP provides extensions for “Provisioning” (XEP-0324) and “Discovery” (XEP-0347), which enable IoT devices to delegate trust to more capable servers that are responsible for making decisions on behalf of a resource-constrained device. IoT devices (small sensors, for example) often have limited user interface options. Therefore, this delegation of trust helps us provision efficiently using a trusted third party with more power and options when it comes to user interface design, storage and power. An XMPP provisioning server decides which devices can communicate with each other, which devices can read what kind of data from another device, and which devices may control another device and what they can do.
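A sketch of the three decisions such a provisioning server makes, added here as an illustration and not taken from the original article or from any XMPP implementation. The class, its method names and the JIDs are hypothetical; it models the policy only, not the XEP-0324 wire format, and the JID normalisation is simplified.

```python
from dataclasses import dataclass, field


def bare_jid(jid: str) -> str:
    """Strip the resource part and lowercase the rest (simplified; RFC 7622
    defines the full preparation rules)."""
    return jid.split("/", 1)[0].lower()


@dataclass
class ProvisioningPolicy:
    """Hypothetical default-deny policy store held by the provisioning server."""
    friends: set = field(default_factory=set)          # frozenset({jid_a, jid_b})
    readable: dict = field(default_factory=dict)       # (reader, device) -> field names
    controllable: dict = field(default_factory=dict)   # (controller, device) -> parameters

    def add_friendship(self, a, b):
        self.friends.add(frozenset((bare_jid(a), bare_jid(b))))

    def grant(self, table, subject, device, names):
        table.setdefault((bare_jid(subject), bare_jid(device)), set()).update(names)

    def is_friend(self, a, b):
        """May these two entities communicate at all?"""
        return frozenset((bare_jid(a), bare_jid(b))) in self.friends

    def _filter(self, table, subject, device, requested):
        # No friendship means no access, whatever the tables say.
        if not self.is_friend(subject, device):
            return []
        allowed = table.get((bare_jid(subject), bare_jid(device)), set())
        return [name for name in requested if name in allowed]

    def can_read(self, reader, device, fields):
        """Return only the sensor fields the reader is allowed to see."""
        return self._filter(self.readable, reader, device, fields)

    def can_control(self, controller, device, params):
        """Return only the actuator parameters the controller may set."""
        return self._filter(self.controllable, controller, device, params)


def sample_policy():
    # Constructed sample: one dashboard allowed to read and steer one thermostat.
    p = ProvisioningPolicy()
    p.add_friendship("thermostat@iot.example.org", "dashboard@example.org")
    p.grant(p.readable, "dashboard@example.org", "thermostat@iot.example.org", {"temperature"})
    p.grant(p.controllable, "dashboard@example.org", "thermostat@iot.example.org", {"setpoint"})
    return p
```

The device asks the server before answering a request and serves only the returned subset, so a request for a field or parameter that was never granted is silently narrowed rather than honoured.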


Scalability is crucial for IoT. The typical IoT environment needs to be capable of handling an increasing and varying number of devices and users.

XMPP provides “Global Identities,” which help identify an unlimited number of devices by their unique XMPP addresses. XMPP uses globally unique addresses, based on the Domain Name System, to route and deliver messages over the network. All XMPP entities are addressable on the network, most particularly clients and servers but also various additional services that can be accessed by clients and servers.

XMPP also provides a client-server system similar to email, wherein a client connects to a server in order to communicate with other clients. Similarly, servers can connect with peer servers to provide inter-domain communication, often called “Federation.” Federation helps IoT systems built on top of XMPP to scale and to handle any increase in the volume of requests by adding more servers to the system.


As we develop IoT, we envision a seamless, interoperable, cross-application communication environment. This interoperability requires openness of communication protocols and technologies. XMPP, which is defined as an open standard and uses an open systems approach to development and application, fulfills these requirements for interoperability. XMPP has a large number of server, client, and library implementations that are distributed as free and open-source software. Numerous freeware and commercial software implementations also exist for the developer.

XMPP also provides a set of extensions to promote interoperability between IoT devices. Readout of sensor data is accomplished as described in XEP-0323. If a device supports this extension, then it can be read from the corresponding XMPP provisioning server. Control of actuator parameters, on the other hand, is done as described in XEP-0325, and if a device supports this extension it can be controlled from the provisioning server.

XMPP also standardizes communication between modern and legacy systems with “XMPP Gateways” as explained in XEP-0100. Gateways are services on the XMPP network that translate between the XMPP protocol and the protocol used by other non-XMPP or legacy services.


The XMPP software consists of different components and modules that developers can activate at compile time depending on the specific scenario. Additionally, XEPs can be implemented on top of the core on demand. This modularity makes it easier to build XMPP versions with a small memory footprint, which is suitable for resource-constrained devices. The uXMPP project is one of the initial efforts to realize XMPP for IoT devices with limited resources.


Last but definitely not least, XMPP provides a solid, flexible foundation for security features. XMPP facilitates identity management, authentication, authorization, Off-the-Record Messaging (OTR), and encryption — including end-to-end encryption. These are essential as we develop secure IoT products.

In addition to these flexible features, the security of the core XMPP protocol is essentially based on requiring the use of Transport Layer Security (TLS) and the Simple Authentication and Security Layer (SASL). TLS provides confidentiality and integrity for data in transit. SASL provides an extensible framework for authenticating the parties involved and helps to protect against user spoofing, unauthorized usage, and man-in-the-middle attacks. The XMPP protocol specification requires clients and servers to support TLS and SASL.
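Supporting TLS and SASL is not the same as enforcing them, so a device client or a deployment check can inspect what a server advertises at stream start. The following is an added example, not code from the original article: the function name, finding strings and sample stanzas are constructed, while the namespaces are those of RFC 6120.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer the defusedxml package

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed samples of what a server might advertise before TLS is negotiated.
STRICT_SERVER = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"><required/></starttls>
</stream:features>"""

LAX_SERVER = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"/>
  <mechanisms xmlns="{NS_SASL}">
    <mechanism>PLAIN</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""


def audit_features(xml_text, tls_active=False):
    """Return findings for one <stream:features/> element (empty list = OK)."""
    root = ET.fromstring(xml_text)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    mechs = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    findings = []
    if tls_active:
        # After TLS the server must offer a way to authenticate.
        if not mechs:
            findings.append("no SASL mechanisms offered after TLS")
        return findings
    # RFC 6120 section 5.3.1: TLS is mandatory if <required/> is present
    # or if STARTTLS is the only feature advertised.
    only_tls = len(list(root)) == 1
    if starttls is None:
        findings.append("STARTTLS not offered")
    elif starttls.find(f"{{{NS_TLS}}}required") is None and not only_tls:
        findings.append("STARTTLS offered but not required")
    if mechs:
        # Authenticating now would send SASL data over a cleartext stream.
        findings.append("SASL offered before TLS: " + ", ".join(mechs))
    return findings


if __name__ == "__main__":
    for name, sample in (("strict", STRICT_SERVER), ("lax", LAX_SERVER)):
        print(name, audit_features(sample))
```

A constrained device can apply the same rule locally: refuse to start SASL until the stream has been restarted over TLS, regardless of what the server offers.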

XMPP provides a lot of support for developers working with and creating the IoT ecosystem. If you are interested in developing an IoT application using XMPP, consider using SD Elements, which provides developers with security guidelines for developing IoT applications. SD Elements helps us make applications that are reinforced and difficult to hack.

Written by: Afshar Ganjali, Application Security Researcher, Security Compass
