Limiting Access via Bluetooth

I have a greenfield project that I am currently working on and I am trying to work out the best approach to limiting access/features via Bluetooth.

In the past we have used Just Works: anyone can connect and do anything they like. We had a way of setting some one-time values by writing to a characteristic, storing them in flash, then limiting the characteristic to read only. It worked fine for what we needed.

On this project we're looking to move data on and off the device: "jobs" onto the device and "reports" off the device. Now that we're potentially transferring a lot (relatively speaking) of data to the device that will be stored in flash, I'm thinking about how we might limit access (to avoid misuse, additional wear levelling, etc.). Here the data is deemed to be the customer's, so we're not concerned with data access, but more so with protecting the device.

We have a mobile app that will be updated to support this new product. What methods can we use to limit access to the device to our app? Would this be via OOB PSK? Is this the only method? The device would have to work with any number of mobile devices, as long as they are logged into our app.

If we wanted to restrict only certain services/characteristics, via a mixture of authentication (OOB PSK, or otherwise), can this be set up in a graceful way so that someone wanting to access our device via other methods could use the services that we deemed open/public, while our app gets full access?

Ultimately I am looking at ways to transfer over the "jobs" and, not wanting to reinvent the wheel, I've been thinking about making use of one of the filesystems for storage and MCUmgr, with filesystem management, to do the heavy lifting.
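
As an added example (not part of the original post, and not Nordic's or Zephyr's code), the following plain-C model shows how the "public services for anyone, full access for our app" split is normally expressed in a GATT server: each characteristic carries permission bits, and the stack compares them against the security level of the connection before running the read/write handler. The point it illustrates is that Just Works pairing encrypts the link but never gets it past level 2 (no MITM protection), whereas passkey or OOB pairing reaches level 3, so marking the job/report characteristics as requiring authentication is what separates an arbitrary phone from one that has completed the pairing your app drives. The refusal is also graceful: the server answers with the ATT "Insufficient Authentication" error, which a standard central interprets as "pair first", and the open characteristics keep working at any level. The characteristic names, the permission table and the `gatt_check_access` function are constructed for this example; in Zephyr the corresponding real flags are `BT_GATT_PERM_READ_AUTHEN` / `BT_GATT_PERM_WRITE_AUTHEN` on the characteristic declaration and the link levels `BT_SECURITY_L1` to `BT_SECURITY_L4`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Link security level after pairing (BLE Security Mode 1, levels 1-4).
 * Just Works pairing encrypts the link but gives no MITM protection, so it
 * only ever reaches level 2; passkey or OOB pairing is needed for level 3+. */
typedef enum {
    SEC_L1_NONE = 1,       /* connected, not encrypted */
    SEC_L2_UNAUTH_ENC = 2, /* encrypted, unauthenticated (Just Works) */
    SEC_L3_AUTH_ENC = 3,   /* encrypted + authenticated (passkey / OOB) */
    SEC_L4_SC_AUTH = 4     /* LE Secure Connections, authenticated, 128-bit key */
} sec_level_t;

/* Per-characteristic permission bits, modelled on Zephyr's BT_GATT_PERM_* flags
 * (these are the model's own constants, not the Zephyr values). */
enum {
    PERM_READ          = 1u << 0,
    PERM_WRITE         = 1u << 1,
    PERM_READ_ENCRYPT  = 1u << 2,
    PERM_WRITE_ENCRYPT = 1u << 3,
    PERM_READ_AUTHEN   = 1u << 4,
    PERM_WRITE_AUTHEN  = 1u << 5,
};

/* ATT error codes as defined in the Core spec's ATT Error Response table. */
enum {
    ATT_OK                   = 0x00,
    ATT_ERR_READ_NOT_PERMIT  = 0x02,
    ATT_ERR_WRITE_NOT_PERMIT = 0x03,
    ATT_ERR_INSUFF_AUTHEN    = 0x05,
    ATT_ERR_ATTR_NOT_FOUND   = 0x0A,
    ATT_ERR_INSUFF_ENCRYPT   = 0x0F,
};

typedef struct {
    const char *name; /* hypothetical characteristic name, stands in for a UUID */
    unsigned perm;
} characteristic_t;

/* Constructed table. Public characteristics are readable by anyone; the
 * job/report characteristics that write to flash require an authenticated link. */
static const characteristic_t gatt_table[] = {
    { "device_info", PERM_READ },
    { "status",      PERM_READ },
    { "job_upload",  PERM_WRITE_AUTHEN },
    { "report_read", PERM_READ_AUTHEN },
    { "config",      PERM_READ_ENCRYPT | PERM_WRITE_AUTHEN },
};

#define GATT_TABLE_LEN (sizeof gatt_table / sizeof gatt_table[0])

/* Lowest link security level that satisfies the permission bits for one
 * direction; returns 0 when that direction is not permitted at all. */
static int required_level(unsigned perm, bool write)
{
    unsigned plain  = write ? PERM_WRITE         : PERM_READ;
    unsigned enc    = write ? PERM_WRITE_ENCRYPT : PERM_READ_ENCRYPT;
    unsigned authen = write ? PERM_WRITE_AUTHEN  : PERM_READ_AUTHEN;

    if (perm & authen) return SEC_L3_AUTH_ENC;
    if (perm & enc)    return SEC_L2_UNAUTH_ENC;
    if (perm & plain)  return SEC_L1_NONE;
    return 0;
}

/* Decide an ATT read/write request against the current link security level.
 * Mirrors the check a GATT server performs before calling the characteristic's
 * read/write callback; returns ATT_OK or the ATT error code to send back. */
int gatt_check_access(const char *name, bool write, sec_level_t link)
{
    for (size_t i = 0; i < GATT_TABLE_LEN; i++) {
        if (strcmp(gatt_table[i].name, name) != 0) continue;

        int need = required_level(gatt_table[i].perm, write);
        if (need == 0)
            return write ? ATT_ERR_WRITE_NOT_PERMIT : ATT_ERR_READ_NOT_PERMIT;
        if (need >= SEC_L3_AUTH_ENC && link < SEC_L3_AUTH_ENC)
            return ATT_ERR_INSUFF_AUTHEN;  /* central must pair with MITM protection */
        if (need >= SEC_L2_UNAUTH_ENC && link < SEC_L2_UNAUTH_ENC)
            return ATT_ERR_INSUFF_ENCRYPT; /* central must at least encrypt (Just Works) */
        return ATT_OK;
    }
    return ATT_ERR_ATTR_NOT_FOUND;
}

/* Print the full access matrix so the effect of each level is visible. */
int main(void)
{
    const char *levels[] = { "", "L1 none", "L2 JustWorks", "L3 authenticated", "L4 LESC" };
    for (size_t i = 0; i < GATT_TABLE_LEN; i++) {
        for (int lvl = SEC_L1_NONE; lvl <= SEC_L4_SC_AUTH; lvl++) {
            printf("%-12s %-16s read=0x%02x write=0x%02x\n", gatt_table[i].name, levels[lvl],
                   gatt_check_access(gatt_table[i].name, false, (sec_level_t)lvl),
                   gatt_check_access(gatt_table[i].name, true, (sec_level_t)lvl));
        }
    }
    return 0;
}
```

Reading the matrix: `device_info` and `status` answer at every level, `job_upload` and `report_read` return 0x05 until the link is authenticated, and `config` shows the intermediate case where a Just Works link is enough to read but not to write. Which pairing method actually yields level 3 (passkey entry, numeric comparison or OOB data carried out of band, e.g. by the app) is a separate choice from the permission bits; the bits only state what level is required.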
