App is connecting to random nrf52 devices

No, matching by MAC address works only if you have them static and you work in "few to few" scenario (few being <100 or rather <10). If you dream about large scale deployment (1,000 devices and more) where your devices should communicate over BLE GATT just between each other then you need to solve it on APP layer (on top of GATT):

• Define your own Service UUID which will be broadcasted.
• Even devices which don't fit (or don't allow you to put) custom 16-byte UUID into advertising data will work because any GAP Central/GATT Client device can discover it on the Server once connected.
• In "many to many" scenario BLE security doesn't work (because it doesn't scale) so you will need to add some security layer into your AP protocols on top of GATT (if you care about security). That will also be moment when your Server should kick-out the device which has connected, tries to use your Service but isn't authorized.
• Alternatively if you want to prevent people of mocking your UUID (which is easy attack) you could use Manufacturer Specific AD object in Advertising or Scan Response data (again only where you are allowed to access these and where you fit into) and design some authentication tokens which would already signal which devices are genuine. But as every such "DRM" scheme it's very hard to really implement it without security holes (it would probably be possible with on-line solution, very hard with complete off-line base).

Good luck!

(2/2)

In such solutions you need to solve this problem on APP layer and then you can use any well known designs (e.g. popular PKI based or with simply shared symmetric - AES or 3DES - keys).

(2/2)

In such solutions you need to solve this problem on APP layer and then you can use any well known designs (e.g. popular PKI based or with simply shared symmetric - AES or 3DES - keys).