
BLE device authorization

I want to make a BLE peripheral device that only allows connections from authorized mobile apps, and an app that only allows connections from authorized BLE devices. What will be the best design approach? Is there any example?

  • In my opinion, the best you can do is SRP. You can find an implementation in the occ lib in the nRF5 SDK. API in nRF5_SDK_14.1.0_1dda907\examples\ble_peripheral\ble_app_eddystone\occ\occ\OberonHAPCrypto\include\occ_srp.h

    Another way is to put a secret key in the firmware (e.g. a 32-byte key) and require this from the app before allowing any operation on the device. This is the approach used by Eddystone. Note that this is broken if a person can read the firmware hex file.

    Another way would be to use some asymmetric scheme where the BLE device contains the public key, and the private key is used on the app side to produce some sort of proof to the BLE device. This can be reverse-engineered by scanning the source code/binary of the mobile app. If the same public key is used for all BLE devices the whole system is broken once a single private key is found.

  • If bonding is allowed, then you can set up whitelisting and the permissions of the characteristic to allow only bonded devices to access it. If no bonding is allowed, then you should follow what shibshab suggested.
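
The shared-key approach from the first answer, sketched as an added example that is not part of the original thread and is not Eddystone or nRF5 SDK code: both sides prove knowledge of the 32-byte key over a fresh nonce instead of sending the key itself. The `Peripheral` class, the role labels and the use of HMAC-SHA256 are assumptions made for illustration, and the answer's caveat still applies, since anyone who can read the key out of the firmware or the app can produce valid proofs.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 32-byte shared key, as in the answer

def proof(key: bytes, role: bytes, challenge: bytes) -> bytes:
    # The role label keeps a device response from being reflected as an app proof.
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()

class Peripheral:
    """Device side (hypothetical): operations stay locked until the app proves the key."""

    def __init__(self, key: bytes):
        if len(key) != KEY_LEN:
            raise ValueError("key must be 32 bytes")
        self._key = key
        self._challenge = None
        self.unlocked = False

    def new_challenge(self) -> bytes:
        # Fresh nonce per attempt, so a sniffed proof cannot be replayed.
        self._challenge = secrets.token_bytes(16)
        self.unlocked = False
        return self._challenge

    def submit_proof(self, app_proof: bytes) -> bool:
        challenge, self._challenge = self._challenge, None  # single use
        if challenge is None:
            return False
        expected = proof(self._key, b"app", challenge)
        self.unlocked = hmac.compare_digest(expected, app_proof)
        return self.unlocked

    def prove_to_app(self, app_challenge: bytes) -> bytes:
        # Lets the app check that the device holds the key too.
        return proof(self._key, b"dev", app_challenge)

def run_demo() -> dict:
    key = secrets.token_bytes(KEY_LEN)  # constructed sample key
    dev = Peripheral(key)
    good = proof(key, b"app", dev.new_challenge())
    results = {"authorized_app": dev.submit_proof(good)}
    dev.new_challenge()
    results["replayed_proof"] = dev.submit_proof(good)
    nonce = secrets.token_bytes(16)
    reply = dev.prove_to_app(nonce)
    results["authorized_device"] = hmac.compare_digest(reply, proof(key, b"dev", nonce))
    results["reflected_reply"] = dev.submit_proof(dev.prove_to_app(dev.new_challenge()))
    return results

if __name__ == "__main__":
    print(run_demo())
```

On a real peripheral the challenge and proof would travel over GATT characteristics, and every other characteristic handler would check `unlocked` before acting.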
