How do I prevent an iPhone from bonding?

RE: How do I prevent an iPhone from bonding?

Andrew Ong — Wed, 03 Oct 2018 00:51:27 GMT

I did as you suggested in the form of this function and it seems to work well.

static void turn_bonding_on_off(bool on){
    if(on){
        ble_gap_sec_params_t sec_param;
        ret_code_t           err_code;

        memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

        // Security parameters to be used for all security procedures.
        sec_param.bond           = SEC_PARAM_BOND;
        sec_param.mitm           = SEC_PARAM_MITM;
        sec_param.lesc           = SEC_PARAM_LESC;
        sec_param.keypress       = SEC_PARAM_KEYPRESS;
        sec_param.io_caps        = SEC_PARAM_IO_CAPABILITIES;
        sec_param.oob            = SEC_PARAM_OOB;
        sec_param.min_key_size   = SEC_PARAM_MIN_KEY_SIZE;
        sec_param.max_key_size   = SEC_PARAM_MAX_KEY_SIZE;
        sec_param.kdist_own.enc  = 1;
        sec_param.kdist_own.id   = 1;
        sec_param.kdist_peer.enc = 1;
        sec_param.kdist_peer.id  = 1;

        err_code = pm_sec_params_set(&sec_param);
        APP_ERROR_CHECK(err_code);
    } else {
        /* Disallow bonding */
        pm_sec_params_set(NULL);
    }
}

RE: How do I prevent an iPhone from bonding?

Hung Bui — Mon, 01 Oct 2018 14:35:26 GMT

Hi Andrew,

I would need to know more about what you mentioned "my device timeout during interrogation", what exactly happened ? Which app did you use ? Could you try using nRFConnect ? Could you check if the nRF52 crashes at some points ?

The sec_param.bond configuration only used to enable/disable bonding, not about pairing. This mean the phone can still pair (encrypt the link) but don't store bond information. The device still can read characteristic that require encryption.

RE: How do I prevent an iPhone from bonding?

Andrew Ong — Sat, 29 Sep 2018 00:46:49 GMT

A whitelist is an option, but it seems like overengineering because I would need a way to approve what goes on the whitelist. At that point, I'm at square 1. I just want devices to be able to bond when a button is pressed.

I DO use the peer manager. I tried using pm_sec_params_set(NULL) but that made my device timeout during interrogation.

Isn't it better to reinitialize the peer manager with sec_param.bond = 0 or sec_param.bond = 1? EDIT: when I tried setting sec_param.bond = 0, I got a Fatal error: "Invalid parameter"

    ble_gap_sec_params_t sec_param;
    ret_code_t           err_code;

    err_code = pm_init();
    APP_ERROR_CHECK(err_code);

    memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));

    // Security parameters to be used for all security procedures.
    sec_param.bond           = SEC_PARAM_BOND;
    sec_param.mitm           = SEC_PARAM_MITM;
    sec_param.lesc           = SEC_PARAM_LESC;
    sec_param.keypress       = SEC_PARAM_KEYPRESS;
    sec_param.io_caps        = SEC_PARAM_IO_CAPABILITIES;
    sec_param.oob            = SEC_PARAM_OOB;
    sec_param.min_key_size   = SEC_PARAM_MIN_KEY_SIZE;
    sec_param.max_key_size   = SEC_PARAM_MAX_KEY_SIZE;
    sec_param.kdist_own.enc  = 1;
    sec_param.kdist_own.id   = 1;
    sec_param.kdist_peer.enc = 1;
    sec_param.kdist_peer.id  = 1;

    err_code = pm_sec_params_set(&sec_param);
    APP_ERROR_CHECK(err_code);

RE: How do I prevent an iPhone from bonding?

Hung Bui — Wed, 26 Sep 2018 11:49:04 GMT

Hi Andrew,

Have you considered using whitelist ? You can limit the connection of other phones to only the phones you have bonded with.

If whitelist is not an option ( you still want to allow connection from any phone) you can think of dynamically configure peermanager to enable and disable pairing. To disable pairing, you can simply call pm_sec_params_set() with NULL parameter to disable pairing and call it again with correct parameter to enable pairing/bonding.

If you don't use peermanager, then you have full control, just choose what to reply when you receive the BLE_GAP_EVT_SEC_PARAMS_REQUEST event