I bought a security camera to watch my front door.

What I didn’t know is that the app on my phone would watch me back and share what it learns with TikTok’s parent company.

Here’s the full breakdown after tearing apart the Imou Life app (v10.0.6, com.mm.android.smartlifeiot).

Methodology: MITM proxy analysis via Burp Suite + APK decompilation + Frida dynamic analysis


1. The ID that never dies

Every request the app sends contains this:

"terminalId": "9d847dd94643efb2"

I captured over 90 network requests: before logging in, after logging in, browsing settings, viewing camera feeds. Same ID. Every single time.

This ID is generated from Settings.Secure.ANDROID_ID via ByteDance’s libttmverify.so native library. It:

  • Is identical before and after login, so anonymous browsing is linked to your account
  • Survives factory reset and app reinstall
  • Gets echoed back by the server in API responses, confirming it’s stored in their database

// From user.switches.GetFamilyMsgEnable response
"terminalId": "9d847dd94643efb2"

Real impact: If Imou’s database is ever breached, every API call ever made from your device is linked to you and your hardware, forever. Deleting your account does nothing because the device ID persists, and a new account on the same device immediately links back to the same physical hardware.


2. Your security camera talks to TikTok

The permanent ID is generated by software from ByteDance, TikTok’s parent company, also behind CapCut.

invoke-static {}, Lcom/hsview/client/HsviewClientEnvironment;->getClientUaTTid()Ljava/lang/String;
move-result-object v1
const-string v1, "ttid"

The SDK (libttmverify.so) is ByteDance’s TrustToken Mobile Verify SDK, the exact same SDK running inside TikTok, CapCut, and NewsRepublic. It generates a device fingerprint (ttid) from hardware identifiers and shares it across all ByteDance-powered apps on your device.

This means ByteDance can correlate your camera activity with your TikTok usage, your CapCut edits, anything you do on their platforms. Your home security camera and your social media feed are now in the same data graph.


3. Every tap, in 17 details

Every single API call transmits this x-pcs-client-ua header (base64-encoded):

{
  "terminalModel": "sdk_gphone64_arm64",
  "clientOV": "Android 16",
  "clientIP": "45.129.56.162",
  "country": "DK",
  "timezoneOffset": "3600",
  "language": "da_DK",
  "terminalBrand": "google",
  "darkMode": "light",
  "terminalId": "9d847dd94643efb2",
  "ttid": "e836df3f10034cf791381e1158a37675",
  "terminalName": "google sdk_gphone64_arm64",
  "clientType": "phone",
  "clientVersion": "V10.0.6",
  "clientProtocolVersion": "V9.7.2",
  "appid": "easy4ipbaseapp",
  "project": "Base"
}

Your phone model. Your OS version. Your precise IP address (city-level). Your timezone. Your language. Your country. Your manufacturer. Even whether you use dark mode.

This data goes to Imou’s main servers, to a secondary telemetry server, and to Facebook via the embedded Facebook SDK.
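To reproduce the two checks above, stable identifiers across login states (section 1) and the attribute count carried by the header (section 3), here is an added example that is not from the original post or the Imou app: it decodes constructed x-pcs-client-ua header values from a proxy log and reports whether terminalId and ttid stay constant. The sample captures are built inline from the field values quoted in the post; the labels and the helper names are my own.

```python
import base64
import json

# Fields the post identifies as persistent (terminalId) or cross-app (ttid) identifiers.
PERSISTENT_ID_FIELDS = ("terminalId", "ttid")
# Remaining per-request attributes that together form a device fingerprint.
FINGERPRINT_FIELDS = ("terminalModel", "clientOV", "clientIP", "country",
                      "timezoneOffset", "language", "terminalBrand", "darkMode",
                      "terminalName", "clientType", "clientVersion")

def decode_client_ua(header_value: str) -> dict:
    """Decode a base64-encoded x-pcs-client-ua header into its JSON object."""
    raw = base64.b64decode(header_value, validate=True)
    return json.loads(raw.decode("utf-8"))

def audit_captures(captures: list[tuple[str, str]]) -> dict:
    """captures: (label, header_value) pairs taken from a proxy log.
    For each identifier field, report the distinct values seen and whether it stayed
    constant across every capture (the linkability check from section 1), plus how
    many fingerprint attributes each request carried (section 3)."""
    decoded = [(label, decode_client_ua(v)) for label, v in captures]
    report = {}
    for field in PERSISTENT_ID_FIELDS:
        values = sorted({ua[field] for _, ua in decoded if field in ua})
        report[field] = {"values": values, "stable": len(values) == 1}
    report["fingerprint_fields_per_request"] = {
        label: sum(1 for f in FINGERPRINT_FIELDS if f in ua) for label, ua in decoded
    }
    return report

def encode_ua(obj: dict) -> str:
    """Helper used only to build the constructed sample captures below."""
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed sample captures (not real traffic); values copied from the post's header dump.
SAMPLE_FIELDS = {"terminalModel": "sdk_gphone64_arm64", "clientOV": "Android 16",
                 "clientIP": "45.129.56.162", "country": "DK", "timezoneOffset": "3600",
                 "language": "da_DK", "terminalBrand": "google", "darkMode": "light",
                 "terminalId": "9d847dd94643efb2",
                 "ttid": "e836df3f10034cf791381e1158a37675",
                 "terminalName": "google sdk_gphone64_arm64", "clientType": "phone",
                 "clientVersion": "V10.0.6", "clientProtocolVersion": "V9.7.2",
                 "appid": "easy4ipbaseapp", "project": "Base"}
SAMPLE_CAPTURES = [
    ("pre-login", encode_ua(SAMPLE_FIELDS)),
    ("post-login", encode_ua({**SAMPLE_FIELDS, "darkMode": "dark"})),
    ("camera-feed", encode_ua(SAMPLE_FIELDS)),
]

if __name__ == "__main__":
    print(json.dumps(audit_captures(SAMPLE_CAPTURES), indent=2))
```

Point the capture list at the real header values exported from Burp and a stable:true result for terminalId or ttid across pre- and post-login requests is exactly the linkage the post describes.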


4. A second secret server logs everything

The app sends logs to logreport-v2-fk.easy4ipcloud.com, a completely separate server from the main API with weaker security headers. It:

  • Receives event reports of up to 6.8 KB every few seconds
  • Batch-sends accumulated logs containing user behavior data
  • Was called 8+ times per session during testing
  • Collects independently of the main API server, which has no control over what this server gathers


5. You can never log out

No logout endpoint exists. I searched the entire decompiled codebase across 26+ smali_classes* directories for logout, revoke, invalidate, signout, endsession. Zero matches.

The only authentication-related endpoint found was user.account.GetToken which is broken (always returns code: 12116).

Your session token never expires and can never be revoked. If someone steals it, through a compromised Wi-Fi network, a lost device, or a data breach, they have permanent access to your camera feeds, your device controls, your account settings.

And there’s no way to stop them.

Summary

  1. Permanent device ID (terminalId), cannot be reset — 🔴 Critical
  2. ByteDance cross-app tracker (ttid), shared with TikTok — 🔴 Critical
  3. 17 device attributes leaked per request — 🟠 High
  4. Separate telemetry server with weaker security — 🟠 High
  5. No session revocation, tokens last forever — 🔴 Critical
  6. Facebook SDK tracks app usage independently — 🟡 Medium

A home security camera should make you safer. But when the app itself is designed to permanently track you, share data with ad platforms, and make it impossible to revoke access, it becomes another threat to your privacy.

We assume the products we invite into our homes respect basic boundaries. Too often, they don’t.