Sorry, was a little misleading on my last comment. Didn’t mean to imply that IP Cam Viewer works with Wyze. Meant to imply that its a pity it does not since it is so much better than TinyCam bandwidth hogger…
While I do really like Blue Iris, the dev team/person rarely ever adds new features. The web UI looked 10 years old and when it finally did get updated it was only because some random guy did all the work for them (I do believe he was at least paid for his efforts when it became official). Wyze support has been asked about in the BI forums, and promptly ignored.
Side note, thank you for Actiontiles.
The TinyCam hack is better than nothing, but it surely is not an impressive app.
I’m inclined to speculate that the TinyCam access is more of a collaboration/arrangement with Wyze. If it were a hack, that would raise serious concerns about security of the stream if all one needs is the username/password. Also, what would that say about the access via Alexa? Is it really secure?
Maybe the lesson here is don’t point your Wyze Cams to anything the world is not supposed to see
“Impressive” is in the eye of the beholder.
The fact that the tinyCam App is the only 3rd party NVR software that is able to connect to Wyze Cloud is, to me, very, very impressive.
Wyze probably has an agreement with tinycam because I noticed that requests from tinycam are sent through api.wyzecam.com this probably means that wyze has whitelisted tinycam to access user video with right username / password configuration.
If TinyCam managed an agreement with Wyze as @andrew_nyr suggests, that does not make the TinyCam app impressive in the least. It just means they got lucky to partner with the greatness of Wyze, As to asking @WyzeGwendolyn about the Wyze TinyCam relationship, I would be happy to not speculate if a response was forthcoming sooner than later. Further, whats the chances Wyze would disclose that type of detail?
The bottom line is;
2. there is hope on the horizon with RTSP and
3. there are many apps waiting to take advantage of the RTSP support.
I agree with the statement that tinycam sucks. Especially that it can only run on android. That is a huge disadvantage. RTSP would allow me to use my surveillance server instead of tinycam for multi cam viewing.
Why the hate for TinyCam?
It works well. It works great with Android TV. It shows mixed streams. Wyze and my local (RTSP) camera.
Only working on Android doesn’t seem like a valid reason to say it sucks.
What am I missing by not using something else?
Only working on android prevents people from running it on a desktop environment without an emulator and the ability to have tinycam running on powerful hardware ie. a camera server.
TinyCam was an amazing app way before Wyze came along. Interesting that you place blame on a product that is just filling a void left by Wyze…
Thanks for tagging me in, @tgauch and @MMediaman! We actually don’t have a partnership with tinyCam so questions regarding their product (and how they made it work with Wyze) would be better answered by them.
@WyzeGwendolyn Oh wow. Did you guys give them access to your api and if not isn’t it a security risk that they are able to access the cameras?
TinyCam is a 3rd party app and we don’t have line of sight into their stuff. We’d recommend the same caution and investigation when using it that you would use with any 3rd party app that asks for outside credentials.
While I can’t speak for Wyze or tinyCam, I don’t believe it is a significant security risk unless:
A. tinyCam harvests your login ID and password (which is not necessary to perform the function it is performing),
B. or if it reads or writes changes to the settings on your Account without permission (e.g., such as turning your cameras on or off, or changing motion detection / alert settings).
When the Wyze Cam App uses your credentials to login to the Wyze Cloud, it has probably has access to request and change your configuration. All we know for certain it can discover your (and only your) cameras and feed pointers.
tinyCam takes the address of the feed and parses it based on their knowledge of the standard (but unusual) streaming protocol being used: P2P TUTK SDK (https://github.com/cnping/TUTK)
My personal Conclusions:
The method that tinyCam uses is unnecessary, since obviously Wyze Cam has an official stream access API that they have shared with partner vendor Amazon for use in the Echo Show.
The method that tinyCam uses is not risk-free. As mentioned above, since it uses your userID / email and password, it likely has both read and write access to your configuration settings, not just your streams. It is possible that these settings are protected by some sort of secondary authentication or encryption, but I don’t know enough about the concept nor this specific situation to believe this is the case. My personal assumption is that these settings do not have an extra layer of protections.
While we can probably trust tinyCam, and I also presume that your Wyze login credentials that you use in the tinyCam App are stored only on your phone and not sent to tinyCam’s cloud or through any other possibly vulnerable path, the method that tinyCam uses is certainly replicable by other vendors and, unfortunately, malicious actors.
My personal Recommendation:
Let’s not throw baby out with bathwater here, since tinyCam is a very useful tool for many people. Given tinyCam’s stature and the fact that they provide this type of viewing and transcoding feature for many, many camera brands (including Nest Cam, etc.), I think they are very likely trustworthy.
But this is an excellent case study that Wyze Cam customers should understand (so they can self-assess the risks), and for Wyze Labs engineers / product managers should understand (so they can determine the exact level of risk, the value of published paths for 3rd party streaming, and therefore the value of an officially sanctioned API and certified vendor program, and enforcement of the program …)
Does my gist make sense @WyzeGwendolyn?
Beggars can’t be choosers.
tinyCam took initiative and significant effort to provide something that no other vendor has done: i.e., integrate with Wyze Cam.
That deserves praise, not insults.
If you have other favorite NVR / matrix / transcoding software (e.g., Blue Iris), then let’s see if you can convince them to integrate with Wyze, either officially or unofficially. They could even buy or license the techniques discovered by tinyCam and everyone wins.
If you think Wyze should offer RTSP (or other standard streaming APIs / protocols) so that you don’t have to rely on the hacks of a single unsatisfactory App, then, obviously, you have to continue to pressure Wyze for this.
Thanks, @tgauch! This was clearly written and definitely makes sense. I can’t say one way or another on whether those risks are present or what their methods are but this about covers it.
well, tinycam also has access to wyze feeds and they are not partenered with wyze in any way.
How do you know they’re not partnered in any way?
I do agree that they’re probably not partnered though. From other messages that the tinycam author posted on reddit, it sounds like he reverse-engineered what goes on in the app.
On the home assistant thread, Wyze confirmed that the camera doesn’t actually serve RTSP for the Alexa integration. The camera ships the video to the cloud using RTMP, and they serve it as an RTSP stream from the cloud.
I asked if it would be acceptably cheap for them to have the camera serve video via RTMP instead of RTSP (as I believe that Blue Iris, Vlc, Kodi, and anything based on ffmpeg should be able to fetch an RTMP stream) but it sounds like that’s not going to be easy for them either.
Wyze does not have an official stream access API. They implemented Amazon’s API that allows a camera to integrate with Alexa, and Amazon has set that up to ensure that no one else can use it. Roughly speaking, Wyze calls in to a specific server at Amazon, and that connection allows Amazon to ask for a pointer to the video stream when Alexa needs it. That stream is generated by sending video to the Wyze cloud, which puts the stream into the format that Amazon wants.
Doing it this way (as opposed to what tinycam is doing) costs Wyze money because it involves processing the video in the cloud. They probably aren’t going to want anyone else using it. I believe this is also why they limit the time for which you can view on Alexa. (I don’t have a device to test, but Wyze docs say it’s limited to 10 minutes of viewing time.
Extend duration of livestream via Alexa to more than 10 minutes