Three Building Blocks, One Goal
Baby Monitor Timmy is built on three proven technologies: Flutter for the app, WebRTC for real-time communication, and Firebase for coordination. Together, they form an architecture that puts security, privacy, and reliability front and center. In this article, we explain how the individual pieces work together — clearly and without jargon.
WebRTC: Direct Connection, Encrypted by Default
WebRTC (Web Real-Time Communication) is the technology that transmits audio and video between the baby and parent devices. What makes it special: data flows directly between the two devices — peer-to-peer, with no detour through a server.
Every WebRTC connection is encrypted by default with DTLS-SRTP. This means: even if someone were to intercept the network traffic, they could not decrypt the audio and video data. This encryption is not an optional feature — it's built into the protocol and cannot be disabled.
No server listens in. No server stores anything. The connection belongs to you.
Signaling via Firebase Firestore
Before two devices can communicate directly, they need to find each other and coordinate the connection setup. This process is called signaling. Timmy uses Firebase Firestore — a cloud database by Google — for this purpose.
Only technical connection data is exchanged:
- SDP offers and answers: Describe the capabilities of the devices (supported codecs, resolutions, etc.).
- ICE candidates: Possible network paths through which the devices can reach each other.
No audio data, no video data, no personal information ever touches the Firebase servers. Firestore is simply the postman delivering the connection information — it never reads the letter itself.
TURN Servers: When the Direct Path Doesn't Work
In some networks (e.g., behind strict firewalls or with certain mobile carriers), a direct connection cannot be established. For these cases, TURN servers (Traversal Using Relays around NAT) come into play.
Timmy uses a local TURN server first and Cloudflare as fallback when the local relay is unavailable or overloaded. The selected TURN server relays the encrypted traffic — but cannot decrypt it. It only sees encrypted packets and has no way of knowing whether they contain audio, video, or other data. WebRTC's end-to-end encryption remains fully intact.
The credentials for the TURN server are generated via a Firebase Cloud Function and are only valid for 24 hours. This ensures that no permanent credentials are in circulation.
Nearby Connections: Devices Find Each Other Automatically
For the baby and parent devices to connect, they first need to "discover" each other. Timmy uses Nearby Connections — a technology by Google that automatically detects nearby devices via Bluetooth and WiFi.
Pairing works without manual code entry: the devices discover each other and exchange connection information automatically. As a fallback, there's a 4-character code that can be entered manually — in case automatic discovery isn't possible. The pairing code never leaves the device — only a cryptographic hash (SHA-256) is used as a document identifier in Firestore. See the security guide for details.
Anonymous Authentication
Timmy uses Firebase Anonymous Authentication. On first launch, each device receives a temporary, anonymous ID. No account is created, no email address is requested, no password is stored. This ID serves solely to enforce the Firestore security rules — only authenticated devices can read and write session data.
The Architecture: Who Sends, Who Receives
Timmy has two modes:
- Baby Mode (sender): The device captures audio via the microphone and sends it to the parent device via WebRTC. Optionally, the camera can be activated — video is then also transmitted directly.
- Parent Mode (receiver): The device receives audio and video, displays the camera stream, and offers a push-to-talk function to send short voice messages to the baby device.
For controls (push-to-talk, camera on/off), a DataChannel is used — another WebRTC channel that transmits small messages directly between devices, also encrypted.
Why Flutter?
Flutter is Google's framework for cross-platform app development. With a single codebase, an app can be built for both Android and iOS. Timmy starts on Android — the iOS version will follow in Phase 3. Thanks to Flutter, the code doesn't need to be written twice. This means fewer bugs, faster updates, and a consistent user experience across both platforms.
Summary
Every technical decision at Timmy was made with one goal: as little data as possible, as much security as necessary. WebRTC encrypts the communication, Firebase only coordinates the connection setup, TURN servers see only encrypted packets, and Nearby Connections make pairing simple and secure.
Technology shouldn't be complicated — it should just work while respecting your privacy. That's exactly what Timmy does.