How can you manually decide which device can connect to my network?
hostapd, a deamon that manages access point in Android (supports Linux and FreeBSD) is controlled by the configuration file hostapd.conf located under /data/misc/wifi. At least in my device, the configuration file inter alia notes:
# Station MAC address -based authentication
# Please note that this kind of access control requires a driver that uses
# hostapd to take care of management frame processing and as such, this can be
# used with driver=hostap or driver=nl80211, but not with driver=madwifi.
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0
# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line). Use absolute path name to make sure that the
# files can be read on SIGHUP configuration reloads.
accept_mac_file=/data/misc/wifi/hostapd.accept
deny_mac_file=/data/misc/wifi/hostapd.deny
The configuration defaults to
0 = accept unless in deny list
while you need
1 = deny unless in accept list
To do just that, change the value from 0 to 1 in macaddr_acl, mention the MAC address of the target(s) which should be allowed to authenticate with your hotspot in the file hostapd.accept, start or restart the hotspot and see the magic.
Example of hostapd.accept:
# List of MAC addresses that are allowed to authenticate (IEEE 802.11)
# with the AP. Optional VLAN ID can be assigned for clients based on the
# MAC address if dynamic VLANs (hostapd.conf dynamic_vlan option) are used.
60:XX:YY:ZZ:AA:BB
8c:BB:AA:ZZ:YY:XX
In above example file, only the machines with those MAC addresses are allowed to authenticate with my hotspot. Any machine with MAC address other than those two would repeatedly failed to authenticate.
Unfortunately, you may not be able to make any good use of this solution without root access.
Note: this solution is tested on an unofficial build of CM13.