How to reject bonding requests, and only allow pairing requests?

RE: How to reject bonding requests, and only allow pairing requests?

Hung Bui — Wed, 05 Apr 2023 13:36:11 GMT

I assume you say to reject pairing request ? Normally the peripheral doesn't send pairing request, it's the phone does that.
The rejection when peer trying to access an attribute that requires higher security is handled by the softdevice.
But what you can do is to set up the characteristic with authorization permission so that when it's read/write you will have a callback in the application.
See here: https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.s132.api.v7.3.0/group___b_l_e___g_a_t_t_s___r_e_a_d___r_e_q___a_u_t_h___m_s_c.html?cp=5_7_3_1_2_4_3_13

RE: How to reject bonding requests, and only allow pairing requests?

jerome.sc — Wed, 05 Apr 2023 13:06:48 GMT

Do you know where in the code, if possible to not send the pairing request? So for example, if someone tries to write/read to the characteristic, in this case, disconnect/reject the request as they don't have proper authentication.

RE: How to reject bonding requests, and only allow pairing requests?

Hung Bui — Wed, 05 Apr 2023 12:52:28 GMT

Yes, correct. But of course if you try to read a characteristic that require authentication and get rejected it will send a Pairing Request instead of Encryption Request, showing that it doesn't have any key stored. Thiis is what I get when I connect again to a "bonded" device and try to read encrypt required characteristic:

RE: How to reject bonding requests, and only allow pairing requests?

jerome.sc — Wed, 05 Apr 2023 12:39:31 GMT

Yes, that trace looks similar to mine. Does your device (phone) still keep the bond information? As in going into your Bluetooth settings, does it say the device is bonded?

RE: How to reject bonding requests, and only allow pairing requests?

Hung Bui — Wed, 05 Apr 2023 12:36:43 GMT

Hi Jerome,
No I have verified the behavior with a sniffer. You can see the trace here:

The peripheral clearly say no bonding. And then after the connection is encrypted, no key distributing happen (no LTK). The phone should have forget the device after the connection is terminated as there is no LTK.

RE: How to reject bonding requests, and only allow pairing requests?

jerome.sc — Wed, 05 Apr 2023 12:29:32 GMT

Yes I thought it was weird as well that even though I'm doing just works pairing no bonding, the phone keeps the keys but the nRF doesn't. I've only used the nRF Connect phone app, so I'm not sure if it can only bond and not pair only. In addition, I based my application on the Heart Rate Example (ble_app_hrs).

Could it be that this example changed parameters in the application that's ignoring my peer manager sec_param settings, more specifically setting sec_param.bond = false?

RE: How to reject bonding requests, and only allow pairing requests?

Hung Bui — Wed, 05 Apr 2023 11:42:34 GMT

Hi Jerome,

You can find the peer pairing parameters in BLE_GAP_EVT_SEC_PARAMS_REQUEST event. See here.

You will either have to handle the pairing yourself and reject the pairing request in your code or you would need to modify the peer_manager to do that in sec_params_request_process().

But I'm not so sure that you have the ability to turn off bonding on the phone or not. As far as I know it's not possible for the app to request only pairing. But you may need to check with Android regarding that.

I agree that the phone is doing a little bit wrong to still "remember" the peer when they only do pairing and no LTK exchanged.