https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/
Editing while reading...
First things first, the app communicates over HTTP. There is no transport encryption. This is unforgivable in 2018.
Even if you revoke permissions, you have already given the other user all the information they need to authenticate with the lock, in perpetuity.
Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.