0

I have some confusion about BLE secure connections.

I am working on an IoT project. I am using an ESP32 development board. At one point in my project I have to send some data, like email and password, from an Android phone to the ESP32 connected over BLE.

My question is how to make it most secure, since I have to transfer the user's password over it. Is there any difference between a paired connection and an unpaired connection? Which encryption method should I use?

James Z

2 Answers

3

If you are sending sensitive data over BLE, then you have to consider multi-level encryption that includes hardware, software, and then the communication link (BLE). For BLE, the way to achieve encryption is through the pairing mechanism, i.e. you have to initiate pairing from the Android device before sending the data over.

Please have a look at the following StackOverflow questions that detail this:-

Finally, I would recommend sending such non-programming questions on other sites (e.g. InformationSecurity) as your question will have more traction there and you're more likely to find a suitable answer.

I hope this helps.

Youssif Saeed
1

The best way to secure data transmission is to use end-to-end encryption. When you encrypt end-to-end you're no longer dependent on the underlying transport layer's security.

In this case since you control the code on both the Android phone and the ESP32, you can pre-share a key between them and encrypt the sensitive information before you pass it to Bluetooth.

It's still good to take advantage of whatever underlying security Bluetooth or other transports provide, but having your application encrypt the data will help improve your application's security over just depending on the transport layer.

romkey