That seems like it would work, but it turns into a "open using crowbar found inside" problem: how do I know to use the same salt on a second density.io device unless I have already matched the MAC address.
The whole point is the customers in your store have nothing on there phones. Their device simply sucking down the MAC that is broadcast. They are going to get the unprotected MAC.