While I can’t speak for Wyze or tinyCam, I don’t believe it is a significant security risk unless:
A. tinyCam harvests your login ID and password (which is not necessary to perform the function it is performing),
B. or if it reads or writes changes to the settings on your Account without permission (e.g., such as turning your cameras on or off, or changing motion detection / alert settings).
When the Wyze Cam App uses your credentials to login to the Wyze Cloud, it probably has access to request and change your configuration. All we know for certain is that it can discover your (and only your) cameras and feed pointers.
tinyCam takes the address of the feed and parses it based on their knowledge of the standard (but unusual) streaming protocol being used: P2P TUTK SDK (https://github.com/cnping/TUTK)
My personal Conclusions:
The method that tinyCam uses is unnecessary, since obviously Wyze Cam has an official stream access API that they have shared with partner vendor Amazon for use in the Echo Show.
The method that tinyCam uses is not risk-free. As mentioned above, since it uses your userID / email and password, it likely has both read and write access to your configuration settings, not just your streams. It is possible that these settings are protected by some sort of secondary authentication or encryption, but I don’t know enough about the concept nor this specific situation to believe this is the case. My personal assumption is that these settings do not have an extra layer of protections.
While we can probably trust tinyCam, and I also presume that your Wyze login credentials that you use in the tinyCam App are stored only on your phone and not sent to tinyCam’s cloud or through any other possibly vulnerable path, the method that tinyCam uses is certainly replicable by other vendors and, unfortunately, malicious actors.
My personal Recommendation:
Let’s not throw the baby out with the bathwater here, since tinyCam is a very useful tool for many people. Given tinyCam’s stature and the fact that they provide this type of viewing and transcoding feature for many, many camera brands (including Nest Cam, etc.), I think they are very likely trustworthy.
But this is an excellent case study that Wyze Cam customers should understand (so they can self-assess the risks), and that Wyze Labs engineers / product managers should understand (so they can determine the exact level of risk, the value of published paths for 3rd party streaming, and therefore the value of an officially sanctioned API and certified vendor program, and enforcement of the program …)
Does my gist make sense @WyzeGwendolyn?
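As an added illustration of the distinction the post draws (this is constructed example code, not from the original post and not Wyze's or tinyCam's implementation), the model below contrasts the two access paths: a third-party app that logs in with the account password inherits every permission the account has, including settings writes, while an officially issued stream-only token can list feeds but cannot touch configuration. The account data, camera feed pointers, scope names and the HMAC-signed token format are all assumptions made for the example.

```python
"""Password-based login vs. a scoped stream token for a third-party viewer.

Constructed example: the account, cameras, scope strings and token format
are assumptions, not any vendor's real API.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side state. A real service would store a slow password
# hash (bcrypt/scrypt/argon2); sha256 is used here only to keep the demo short.
SIGNING_KEY = b"constructed-token-signing-key"
ACCOUNTS = {"alice@example.com": hashlib.sha256(b"hunter2").hexdigest()}
CAMERAS = {
    "alice@example.com": {
        "front-door": {"motion_alerts": True, "feed": "p2p://cam-1"},
    }
}

# Everything an account can do; a password login hands all of it over.
FULL_SCOPES = frozenset({"stream:read", "settings:read", "settings:write"})


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, scopes, ttl_seconds=3600, now=None):
    """Mint a signed, expiring token limited to `scopes` (the 'official API' path)."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "scopes": sorted(scopes), "exp": now + ttl_seconds}).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, now=None):
    """Check signature and expiry; return a session carrying only the token's scopes."""
    now = time.time() if now is None else now
    body_b64, sig_b64 = token.split(".")
    body = _unb64(body_b64)
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise PermissionError("bad token signature")
    claims = json.loads(body)
    if claims["exp"] < now:
        raise PermissionError("token expired")
    return {"user": claims["sub"], "scopes": frozenset(claims["scopes"])}


def login_with_password(user, password):
    """Credential login: the session carries every scope the account has."""
    stored = ACCOUNTS.get(user, "")
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(stored, given):
        raise PermissionError("bad credentials")
    return {"user": user, "scopes": FULL_SCOPES}


def _require(session, scope):
    if scope not in session["scopes"]:
        raise PermissionError(f"missing scope {scope}")


def list_feeds(session):
    """Discover the caller's own cameras and feed pointers (needs stream:read)."""
    _require(session, "stream:read")
    return {name: cam["feed"] for name, cam in CAMERAS[session["user"]].items()}


def set_motion_alerts(session, camera, enabled):
    """Change a configuration setting (needs settings:write)."""
    _require(session, "settings:write")
    CAMERAS[session["user"]][camera]["motion_alerts"] = enabled
    return enabled


def _allowed(fn, *args):
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def demo():
    """Compare what each access method lets a third-party app do."""
    pw_session = login_with_password("alice@example.com", "hunter2")
    scoped = verify_token(issue_token("alice@example.com", {"stream:read"}))
    return {
        "password_can_write_settings": _allowed(set_motion_alerts, pw_session, "front-door", False),
        "token_can_write_settings": _allowed(set_motion_alerts, scoped, "front-door", False),
        "token_can_read_feeds": _allowed(list_feeds, scoped),
        "token_feeds": list_feeds(scoped),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the session object: with a password, `scopes` is whatever the account holds, so the viewer's read access and write access are the same thing; with an issued token, the server decides the scope set up front and enforces it on every call, so a stream viewer never needs, and never receives, the ability to change settings.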