How to provide authorization of app before connection?

Hi Shailav,

1. You want to limit the phone to be the only phone that can authenticate the DFU action or also the only phone can connect and access the device ? If it's is the only phone that can access the device then you can think of using whitelist and bonding. Whitelist will limit the number of central that can connect to your device, in this case, the only user phone. Bonding and pairing require the central to have the key to encrypt the link. This key is exchanged using bonding process and stored on the phone.

So when the device has no bonded central it can advertise in open mode and when it's bonded it will use whitelist mode and only accept any operation when the link is encrypted, meaning the central has the key for bonding.

2. You can switch back to open mode when needed (by pressing a physical PAIR button on the device for example).

The private key that you randomly generate should not be exchange outside of your coperation, and should be kept secret. How could attacker get that key ? It's much easier to get the IMEI of the phone of the end user than the secret key that you keep in your company.

I'm no expert in security neither but a more complex mechanism better than a simple "password" could be:

A fixed universal key shared between the app and the firmware, the firmware can generate a random number to challenge and the app need to response with a number generated from that random number and the shared key. The device will validate the response number to check if the key is correct. You can use the serial number or a secret number unique to the device as part of the key. This has to be entered when the user first bond the device to the app. This is to avoid the attacker to get the app and run the app on his phone, he still won't be able to have the correct key. (It could be on the otherway around also, the app has its own unique key that it send to the device at the beginning)

There should be more complex and safer solutions, such as One Time Authorization, Public-Private Key scheme, but I would suggest you to do the research on your own as it's a little bit outside of what we can cover.

Hello Hung, I have few question.

1. The public and private key that I have is only for demo purpose. So if I want to go for production then how should I generate those keys?
2. Can I use 2 keys in firmware? One key will be common for our company and other key will be different for different users.

We want to send common updated firmware to all user so one key will be same and generated by our company. At the user end we want to add other key so that will be different for different users.

Now my concern is how to update key at run time without compiling it?

At present I need to manually add keys in dfu_public_keys.

Thanks

Hello Hung, I have few question.

1. The public and private key that I have is only for demo purpose. So if I want to go for production then how should I generate those keys?
2. Can I use 2 keys in firmware? One key will be common for our company and other key will be different for different users.

We want to send common updated firmware to all user so one key will be same and generated by our company. At the user end we want to add other key so that will be different for different users.

Now my concern is how to update key at run time without compiling it?

At present I need to manually add keys in dfu_public_keys.

Thanks