Do you absolutely need access to the UART on the device? If not I'd suggest turning it off completely for production (with NRF.setServices). That would be the absolute safest option.
You could then turn it on only if the button is pressed in a specific pattern?
But if those don't work then yes, the first option would be fine (I don't think the second is a good idea). It would be possible (with a massive amount of difficulty) to solder debug wires onto the device, reverse engineer it, and get the password out - but even I'd struggle with that, and I made it :) It's almost certainly easier to reverse engineer the app!
Another thing to note is that by default the transmissions over BLE are not encrypted, so could be spied on. To work around this, you could make your app request Bluetooth LE 'bonding' be performed (which starts encryption) and then only send the password after that has happened.
But again, it's very unlikely that would ever be a problem depending on your device. By enabling the password you're already substantially more secure than the majority of Bluetooth LE devices.
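An added sketch of the approach suggested above (not code from the original post or from the Espruino project): the Nordic UART service stays off, and a button press pattern turns it on for a limited time. The pattern, the timing constants and the names `createPatternDetector` and `setUart` are assumptions for illustration, and `BTN` is assumed to be an active-high button as on Puck.js.

```javascript
// Added example. PATTERN and all timing values are assumed, not from the post.
var PATTERN = "SSL";        // hypothetical unlock pattern: short, short, long
var LONG_PRESS = 0.6;       // seconds; a press at least this long counts as "L"
var MAX_GAP = 1.5;          // seconds of idle time that resets the attempt
var UART_WINDOW_MS = 60000; // how long the UART stays available once unlocked

// Pure logic: classify each press as S or L and compare the most recent
// presses with the pattern. Times are in seconds, as setWatch reports them.
function createPatternDetector(pattern) {
  var seen = "";
  var lastRelease = 0;
  return {
    press: function (pressTime, releaseTime) {
      if (lastRelease && pressTime - lastRelease > MAX_GAP) seen = "";
      lastRelease = releaseTime;
      seen += (releaseTime - pressTime >= LONG_PRESS) ? "L" : "S";
      seen = seen.slice(-pattern.length);
      if (seen !== pattern) return false;
      seen = ""; // a new unlock needs the whole pattern again
      return true;
    }
  };
}

function setUart(enabled) {
  // Service changes apply once any current BLE connection has dropped.
  NRF.setServices(undefined, { uart: enabled });
}

if (typeof NRF !== "undefined") { // device wiring, skipped off-device
  var detector = createPatternDetector(PATTERN);
  var relock;
  setUart(false); // production default: no UART service advertised
  setWatch(function (e) {
    // Falling edge: e.lastTime is the press, e.time is the release.
    if (!detector.press(e.lastTime, e.time)) return;
    setUart(true);
    if (relock) clearTimeout(relock);
    relock = setTimeout(function () {
      setUart(false);
      relock = undefined;
    }, UART_WINDOW_MS);
  }, BTN, { repeat: true, edge: "falling", debounce: 50 });
}
```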