Implement the authentication procedure at application level?

There are many ways to do this, depending on

1. Which side is doing the authentication
2. The control you have of each device

I would probably design a feature using GATT authorization. The initiating side could send a read request to an authorized characteristic value on the peer side, letting the peer application retrieve the return value from RAM/flash or even user input before sending it back. The value could then be used as a challenge, and challenge-response could be written back to complete the handshake.

I'm interested in why you do not want to use the BLE authentication procedures though. Is it because of security implications, or does this have to fit into an already existing application? OOB authentication is often overlooked, and is more secure than just using a 6-digit MITM PIN.

There are many ways to do this, depending on

1. Which side is doing the authentication
2. The control you have of each device

I would probably design a feature using GATT authorization. The initiating side could send a read request to an authorized characteristic value on the peer side, letting the peer application retrieve the return value from RAM/flash or even user input before sending it back. The value could then be used as a challenge, and challenge-response could be written back to complete the handshake.

I'm interested in why you do not want to use the BLE authentication procedures though. Is it because of security implications, or does this have to fit into an already existing application? OOB authentication is often overlooked, and is more secure than just using a 6-digit MITM PIN.

I want to achieve authorization with my APP rather than the phone,and other APP can't get my data of device .

I define my own service and characteristics to achieve this ,app send request and I generate the one-time password on display.But i dont't konw how can i generate the one-time password,can you help me ?