Hi @TheDoc,
When someone sets up the camera (or after a reset), a Rust crate is used to generate a secret and store it in a file on the camera. The same secret is encoded in a QR code that the user scans into the app. When the app tries to pair, it presents that secret, and both the app and camera use it as an external pre-shared key (PSK) in the MLS handshake. If the app’s secret doesn’t match what’s on the camera, pairing fails.
So it’s “out-of-band” because the QR code / secret path is separate from the network channel where MLS key exchange happens (over the camera’s temporary WiFi). An attacker on the network can’t fake that secret or see it (unless they’re physically present to intercept it or get it somehow). Because of that, we assume an attacker doesn’t have both the secret and the physical proximity needed at pairing time, and so MITM is not a viable attack in that threat model.
We have some more information about our security and pairing in SECURITY.md on our GitHub. It unfortunately won’t let me directly link it here.
Regarding other platforms apps, yes, we will definitely be implementing this at some point. We recently remade our entire app with Flutter, which supports cross-platform apps with one codebase. This was primarily done for iOS and Android support, but can easily be extended into Windows, Mac and Linux apps with minimal changes. An important feature that we want to implement before doing this is allowing for multiple devices to be paired with a singular camera. This is because most people will want to use computers as a secondary function. Afterwards, we plan to add support for these apps.
Please let me know if you have any other questions.