Hi, I just started working on nRF52 with Bluetooth, and I have some concerns about DFU and security. I’m working on a product equipped with an nRF52 and a MEMS microphone. It will be controlled by a smartphone app (Bluetooth), and the application needs to be able to update the nRF52 firmware. I fear that it could be possible for someone else to load another program. For example, someone could create a false app to launch the product in update mode, then use the MCP to upload his own program, and use the microphone to spy on the user.
How can I know if the application the nRF52 is communicating with is the right one? (From the nRF52's point of view)
If someone uses my app to launch the update mode, and then shuts it down before the download, the nRF52 will still be advertising as a DFU target, and can be reprogrammed with the MCP, right? How can I be sure the program I’m receiving is from the company? (Still from the nRF52's point of view)
As a solution, is it possible for the bootloader to check a specific area (memory address) in the program for a hidden key? (And how?)
PS: The data collected from the microphone by the nRF52 (searching for music patterns) are never transferred to the smartphone; the app is used for controlling the device (ON/OFF, mode, update, …).