Apple

I've identified what seems to be a security/privacy issue with CoreBluetooth. Please let me know if I'm missing something, or if there's a good way around this.

Consider this scenario:

After user interaction, app A initiates a connection and (after a pairing dialog is presented) pairs/bonds with a peripheral per the Bluetooth core spec.
App A performs authorization defined by a higher-level specification, and is thus able to write/read sensitive data.
App B connects to the same (cached) CBPeripheral (no pairing dialog is presented), and is able to piggyback on the authorization that app A obtained. It is able to write/read sensitive data without the user's knowledge.

One way to protect against this would be to implement application-level encryption on all characteristics... But this would obviously not be ideal.

Ideally, CoreBluetooth could allow a pairing to be restricted to a single application. To maintain user control over this process, a dialog could be displayed to the user at pairing time (i.e. "Do you want to allow App A to create an exclusive pairing with PeripheralName?"). I haven't put a lot of thought into this solution -- there may be other problems with it, or more elegant ways to do this.

I'm hoping there's already a way to do this, or something similar that wouldn't require application-level encryption... But I haven't had any luck identifying a solution so far.

Pointers/thoughts?

Thanks,

John

References:
	>Cross-app security/privacy (From: John Smith <email@hidden>)