How to provide authorization of app before connection?

No, BLE whitelist can only be used with BLE address.

If you want to use IMEI, please implement your own mechanism. For example device won't do any activity, until the phone write its own IMEI to the device. You can put a timing requirement, say after 5 seconds if no valid IMEI is written device will disconnect.

Hello Hung, I have few questions. With dfu secure project I can now upload securely to my nordic device but when the connection is established how can I stop man in the middle attacks? Is there any encryption technique provided by nordic to ensure that my mobile and nordic communicates securely? I have read the dynamic passkey code. In that random passkey is generated to stop mitm attack but with devices having io facilities only. I just have nordic app and nrf52 so should I try this in my firmare?

The passkey you mentioned is part of BLE bonding process. You can try to bond your device with the phone either in both your application and your bootloader (share bond information) or separately if you found sharing bond information is difficult.

If your device doesn't have screen or keyboard, you can think of using static passkey. It's a passkey you printed and only the owner of the device know it. It's less secure than normal random dynamic passkey.

Hello Hung, Once the link is established between app and nrf device even then mitm attacks are possible. Does the data transfers takes place as normal plain text or aes encryption technique is used to transfer the data?

Once bonded or paired, the link is encrypted with AES128 bit. The most vulnerable part is when the bonding process is performed and it's where MITM avoidance taken place (Phase 2). It could be passkey, numeric comparison or OOB.

You may want to read more about BLE security, for example from here.