App is connecting to random nrf52 devices

No, matching by MAC address works only if you have them static and you work in "few to few" scenario (few being <100 or rather <10). If you dream about large scale deployment (1,000 devices and more) where your devices should communicate over BLE GATT just between each other then you need to solve it on APP layer (on top of GATT):

• Define your own Service UUID which will be broadcasted.
• Even devices which don't fit (or don't allow you to put) custom 16-byte UUID into advertising data will work because any GAP Central/GATT Client device can discover it on the Server once connected.
• In "many to many" scenario BLE security doesn't work (because it doesn't scale) so you will need to add some security layer into your AP protocols on top of GATT (if you care about security). That will also be moment when your Server should kick-out the device which has connected, tries to use your Service but isn't authorized.
• Alternatively if you want to prevent people of mocking your UUID (which is easy attack) you could use Manufacturer Specific AD object in Advertising or Scan Response data (again only where you are allowed to access these and where you fit into) and design some authentication tokens which would already signal which devices are genuine. But as every such "DRM" scheme it's very hard to really implement it without security holes (it would probably be possible with on-line solution, very hard with complete off-line base).

Good luck!

Thanks for your answer! Can you also say, how developers deal with problem "one to many". E.g. I take wireless headphones to library and other people also use such model. How my phone will know that I want connect to my headphones, not to others. I'm not creating Service UUID for every headphones, right? So, how manufacturers deal with it?

The example you mention isn't really applicable because phone is paired with the headphones. They know each other by MAC (it can even be pseudo-random aka anonymous but as they exchanged the keys before they will deanonymize them internally) and they have long term keys to protect the link once they reconnect. But this again fails in any solution which has "many" in the topology ("one to many" or "many to many") because Bluetooth links (not speaking about some "over the top" solutions such as mash networking) are always peer to peer which means that you would need to store and search in as many records as you have met "peers". Typical max of devices today are 8/16/32 peers, many "embedded" devices (such as car handsfree or BT headsets) are not ashamed to limit maximum number to 3 (and if you want to provision more then you need to delete one).

(2/2)

In such solutions you need to solve this problem on APP layer and then you can use any well known designs (e.g. popular PKI based or with simply shared symmetric - AES or 3DES - keys).

UUID is name of service and that doesn't identify device at all. Some people (mis)use it like this but that's not how BLE stack is designed (identifying device in BLE is always PHY MAC + on higher layers like GAP there can be "device name" but that's just human readable name to display but still shouldn't be used to any binding of devices, MAC is the key).