• State Verified Answer
  • Replies 4 replies
  • Subscribers 75 subscribers
  • Views 2320 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 214466
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

How do I prevent an iPhone from bonding?

Andrew Ong

Currently, in my application, any iPhone can attempt to read from one of my protected characteristics and initiate the bonding sequence. I have it set to "just works" mode (no PIN or out-of-band pairing) Where can I put an if statement that lets me restrict the bonding to only when a button is pressed? The context is that I have random private addresses turned on, and if any iPhone can bond, then there's no point in the random private addresses. 

Parents
  • +1

    Hi Andrew, 

    Have you considered using whitelist ? You can limit the connection of other phones to only the phones you have bonded with. 

    If whitelist is not an option ( you still want to allow connection from any phone) you can think of dynamically configure peermanager to enable and disable pairing. To disable pairing, you can simply call pm_sec_params_set() with NULL parameter to disable pairing and call it again with correct parameter to enable pairing/bonding. 

    If you don't use peermanager, then you have full control, just choose what to reply when you receive the BLE_GAP_EVT_SEC_PARAMS_REQUEST event 

Reply
  • +1

    Hi Andrew, 

    Have you considered using whitelist ? You can limit the connection of other phones to only the phones you have bonded with. 

    If whitelist is not an option ( you still want to allow connection from any phone) you can think of dynamically configure peermanager to enable and disable pairing. To disable pairing, you can simply call pm_sec_params_set() with NULL parameter to disable pairing and call it again with correct parameter to enable pairing/bonding. 

    If you don't use peermanager, then you have full control, just choose what to reply when you receive the BLE_GAP_EVT_SEC_PARAMS_REQUEST event 

Children
  • 0 in reply to Hung Bui

    A whitelist is an option, but it seems like overengineering because I would need a way to approve what goes on the whitelist. At that point, I'm at square 1. I just want devices to be able to bond when a button is pressed. 

    I DO use the peer manager. I tried using pm_sec_params_set(NULL) but that made my device timeout during interrogation. 

    Isn't it better to reinitialize the peer manager with  sec_param.bond = 0 or  sec_param.bond  = 1? EDIT: when I tried setting sec_param.bond = 0, I got a Fatal error: "Invalid parameter" 

        ble_gap_sec_params_t sec_param;
    ret_code_t           err_code;

    err_code = pm_init();
    APP_ERROR_CHECK(err_code);

    memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

    // Security parameters to be used for all security procedures.
    sec_param.bond           = SEC_PARAM_BOND;
    sec_param.mitm           = SEC_PARAM_MITM;
    sec_param.lesc           = SEC_PARAM_LESC;
    sec_param.keypress       = SEC_PARAM_KEYPRESS;
    sec_param.io_caps        = SEC_PARAM_IO_CAPABILITIES;
    sec_param.oob            = SEC_PARAM_OOB;
    sec_param.min_key_size   = SEC_PARAM_MIN_KEY_SIZE;
    sec_param.max_key_size   = SEC_PARAM_MAX_KEY_SIZE;
    sec_param.kdist_own.enc  = 1;
    sec_param.kdist_own.id   = 1;
    sec_param.kdist_peer.enc = 1;
    sec_param.kdist_peer.id  = 1;

    err_code = pm_sec_params_set(&sec_param);
    APP_ERROR_CHECK(err_code);

  • 0 in reply to Andrew Ong

    Hi Andrew, 

    I would need to know more about what you mentioned "my device timeout during interrogation", what exactly happened ? Which app did you use ? Could you try using nRFConnect ? Could you check if the nRF52 crashes at some points ? 

    The sec_param.bond  configuration only used to enable/disable bonding, not about pairing. This mean the phone can still pair (encrypt the link) but don't store bond information. The device still can read characteristic that require encryption.

  • 0 in reply to Hung Bui

    I did as you suggested in the form of this function and it seems to work well. 

    static void turn_bonding_on_off(bool on){
    if(on){
        ble_gap_sec_params_t sec_param;
        ret_code_t           err_code;

        memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

        // Security parameters to be used for all security procedures.
        sec_param.bond           = SEC_PARAM_BOND;
        sec_param.mitm           = SEC_PARAM_MITM;
        sec_param.lesc           = SEC_PARAM_LESC;
        sec_param.keypress       = SEC_PARAM_KEYPRESS;
        sec_param.io_caps        = SEC_PARAM_IO_CAPABILITIES;
        sec_param.oob            = SEC_PARAM_OOB;
        sec_param.min_key_size   = SEC_PARAM_MIN_KEY_SIZE;
        sec_param.max_key_size   = SEC_PARAM_MAX_KEY_SIZE;
        sec_param.kdist_own.enc  = 1;
        sec_param.kdist_own.id   = 1;
        sec_param.kdist_peer.enc = 1;
        sec_param.kdist_peer.id  = 1;

        err_code = pm_sec_params_set(&sec_param);
        APP_ERROR_CHECK(err_code);
    } else {
        /* Disallow bonding */
        pm_sec_params_set(NULL);
    }
}

Related
Terms of service