Smart Lock App
Platforms Guide

When you buy a smart lock, you are buying two things at once: the physical hardware on your door, and the software platform that manages everything behind it. The platform determines how credentials are created and shared, whether remote access is possible, how audit trails are stored, where your data lives, and what happens when the internet goes down. Two locks that look identical on a shelf can behave completely differently because they run on different platforms.

GCSL stocks hardware across four platforms: TTLock (the Sciener cloud platform, running McGrath, Lockton and Austyle hardware), Igloohome (algoPIN offline technology), Yale Home (ASSA ABLOY, the only GCSL platform with native Apple HomeKit), and Carbine Connect (Bluetooth-only, no cloud). A fifth platform — Tuya — is widely seen in generic smart locks but GCSL does not stock it; a brief honest assessment is included below. This chapter covers each platform's architecture, feature set, security profile, and data sovereignty so you can make an informed decision before committing to hardware.

TTLock Platform

Sciener Technology Co., Ltd. · Beijing, China · McGrath Locks app (AU) · TTLock app (global)

☁ Cloud + Bluetooth

Architecture

Lock communicates via Bluetooth to the phone (local) and via a G-series gateway to the Sciener cloud (remote). All six passcode types are stored on the lock itself — entry works without internet. Remote access, audit trails, and PMS integration require a gateway.

Passcode types (6)

Permanent (must be used within 24 hrs of generation, then valid indefinitely) · Time-Limited (hour-accurate window up to 1 year) · One-Time (valid 6 hrs, single use) · Erase (wipes ALL codes — never share) · Cyclic (daily/weekday/weekend/day-specific) · Customised (user-defined code with custom validity). Full detail in Chapter 14 — TTLock Platform Guide.

Other credentials

eKeys (4 types: Permanent, Timed, One-Time, Cyclic) · IC card / RFID (enrolled at lock or remotely via gateway) · Fingerprint · Bluetooth app (including Touch-to-Unlock)

Gateway options

G2 (2.4 GHz WiFi — most common; fails on band-steering routers) · G3 (Ethernet/PoE only — commercial) · G4 (2.4 GHz + 4G SIM fallback — remote properties) · G5 (dual-band 2.4+5 GHz — eliminates band-steering problem, recommended for new installs). Full comparison in Chapter 08 — Gateway Comparison.

Integrations & extras

Amazon Alexa · Google Home (gateway required for both) · Attendance Management (staff timesheets, holiday calendars) · PMS integration via Hospitable, Uplisting, RemoteLock, Hosthub, Cloudbeds, SabeeApp · Lock Groups (bulk management) · Freeze/Unfreeze codes

Best scale

3 to 500+ locks. One account manages dozens of properties. See McGrath brand profile in Chapter 10.

Resources

▶ McGrath Locks App Video ▶ TTLock App Video ? TTLock User Manual PDF → App Reference Manual → Chapter 14 — TTLock Deep Dive → TTLock for Airbnb in Australia → TTLock Tips & Tricks

The richest passcode scheduling of any platform in the GCSL range. TTLock is the correct choice for multi-property rental operators using a PMS, commercial installations requiring attendance management, and any deployment managing scale across many locks. The main trade-offs are cloud dependency for remote features and data residency in China. See the security section immediately below. PMS integration detail →

The 24-hour activation rule — the #1 cause of "my code doesn't work" calls

Permanent, Time-Limited and Cyclic passcodes must be used at least once within 24 hours of generation, or they auto-expire permanently and must be regenerated. This catches every new user and causes the majority of "code failure" support calls. Instruct all users, cleaners and guests to test their code the moment they receive it. The Erase code is equally dangerous: one use deletes all passcodes from the lock. Never share it. Full explanation of all passcode behaviour in Chapter 14.

In March 2024, CERT/CC published advisory VU#949046 documenting five unpatched vulnerabilities in the Sciener firmware that underpins TTLock, McGrath, Lockton and Austyle locks. Sciener was notified in November 2023 and had not responded publicly as of the advisory date. GCSL discloses these in full below.

All five CVEs require Bluetooth proximity — within approximately 10 metres

None of these vulnerabilities can be exploited remotely. An attacker must be physically present at your door with specialised equipment and technical capability. For the overwhelming majority of Australian residential and short-stay rental properties, this is a manageable and contextually low risk. It is a materially different threat profile to a remote network attack. That said, for high-security commercial installations, strata management offices, or any site where sophisticated physical threats are plausible, these disclosures should be weighed in the platform selection decision. We recommend raising this with us directly before specifying TTLock for sensitive commercial environments. See our platform selection guide →

TTLock data sovereignty — all event logs transit Sciener servers in China

Remote commands (remote unlock, code management, activity log retrieval) and event data are processed via Sciener's cloud infrastructure in Beijing, China. Local Bluetooth operations — entering a PIN at the keypad, swiping an IC card, or using Bluetooth app unlock — do not use the cloud. For most residential and short-stay rental users this is unlikely to be a material concern. For NDIS clients, body corporates, commercial property managers, or anyone with data sovereignty requirements, this is a factual consideration to weigh. No Australian-hosted TTLock option currently exists. TTLock vs Tuya data comparison →

Igloohome App

Igloohome Pte Ltd · Singapore · algoPIN offline technology · Airbnb Connect certified

✓ Airbnb Connect Certified

Key technology: algoPIN

The lock and app share a cryptographic key and time-based algorithm. When you generate a PIN in the app, the algorithm produces a code valid for the specified window. When the guest enters it at the door, the lock itself runs the same algorithm to validate it — no server, no gateway, no internet at the property required. This is fundamentally different to every cloud-validated system. See algoPIN explained in Chapter 07 and the operational deep-dive in our Igloohome Airbnb blog.

Airbnb Connect integration

Igloohome reads check-in/check-out times from Airbnb, generates a unique algoPIN for the stay, and sends it to the guest via Airbnb messaging — all automatically on booking confirmation, with no host action per booking. Code deactivates at checkout. Full workflow in Chapter 07 — Airbnb Connect.

Code types

algoPIN (time-limited, offline) · Permanent (no expiry) · Recurring (daily/weekly schedule) · One-time · RFID card/fob · Bluetooth app unlock. Note: algoPIN codes are typically longer than a standard 4-digit PIN — include this in guest check-in instructions.

Remote access (optional)

The Igloohome Bridge is an optional add-on that connects the lock to home WiFi, adding: real-time activity log retrieval, remote lock/unlock, push notifications, and event log access from anywhere. The Bridge is not required for algoPIN to function. Without it, event logs are stored locally on the lock and retrieved via Bluetooth proximity.

Security & data

No published CVEs. algoPIN validation occurs entirely on-lock — no server is involved in code validation, which eliminates that attack surface entirely. Event data (when Bridge is connected) resides on Igloohome's servers in Singapore.

Best for

1–5 Airbnb or VRBO properties · Properties with unreliable WiFi or NBN · Hosts wanting automated guest access without a PMS · Any situation where WiFi-drop guest lockouts are unacceptable. See the Igloohome recommendation in Chapter 07.

Resources

▶ Igloohome App Video ? Igloohome App Quick Start Guide → Using Igloohome for Airbnb → Chapter 07 — Airbnb & Short-Stay → Igloohome Retrofit Lock Case Study

GCSL's default recommendation for any Airbnb or short-stay rental application. algoPIN offline code validation means guests never get locked out due to a technology failure at the property — no internet, no problem. Airbnb Connect removes manual code management for standard bookings. The Bridge is the right add-on for hosts who also want a real-time activity log. Browse the full Igloohome range →

algoPIN's offline architecture eliminates the most common Airbnb lockout scenario

A connected lock that validates PINs on a remote server fails if the server is unreachable, the gateway loses power, or the property's NBN drops. algoPIN codes are validated on the lock's own processor using the same mathematical algorithm that generated the code in the app. The property's internet connection is irrelevant to guest entry. This is not a workaround — it is the fundamental architecture. Full explainer: Airbnb Smart Locks — Do You Really Need WiFi?

Yale Home App

Yale · ASSA ABLOY Group · USA / Sweden · Apple HomeKit native · Google Home · Alexa

Apple HomeKit Compatible

Architecture

Yale locks operate standalone — PIN keypad, fingerprint (select models) and Bluetooth app all work without any hub or internet connection. The Yale Connect Plus Hub 2 adds remote access, Apple HomeKit, Google Home, Alexa, DoorSense and Auto-Unlock. The Hub is an optional add-on, not required for local operation.

Access methods

PIN keypad · Fingerprint (select models) · RFID card/fob · Bluetooth app (Yale Home, Yale Access) · Mechanical key backup. Guest codes issued and managed via the Yale Home app. Activity log accessible with Hub 2 connected.

Hub 2 features

Apple HomeKit (native — unique in the GCSL range) · Google Home · Amazon Alexa · DoorSense (real-time door open/closed/ajar monitoring) · Auto-Unlock (geofence-based automatic entry) · Remote lock/unlock · Push notifications · Real-time activity log. See Chapter 08 — Yale Connect Plus Hub 2.

Home automation modules

Yale Unity series supports swappable Zigbee and Z-Wave modules for integration with home automation controllers (SmartThings, Home Assistant etc.). Module compatibility varies by Yale model — see Yale module interchangeability guide.

Security & data

No published CVEs found. Data resides on ASSA ABLOY cloud infrastructure (Sweden-headquartered group). Local operations (keypad, Bluetooth) do not require cloud connectivity. Battery life is the most common real-world complaint — see battery life detail in the Yale guide.

Best for

Apple ecosystem households wanting HomeKit lock integration · Users who want DoorSense (door state monitoring) · Home automation setups using Zigbee or Z-Wave · Properties where Auto-Unlock is a priority. Yale brand profile in Chapter 10 →

Resources

▶ Yale Home App Video ? Yale Home App User Guide PDF → Yale Smart Locks — An Honest Guide → Chapter 08 — Gateway Comparison → Yale Unity Slim Reset Guide

Yale Home is the right choice when Apple HomeKit integration is the priority — it is the only platform in the GCSL range with native HomeKit support via the Connect Plus Hub 2. DoorSense (knowing whether the door is physically open, closed, or ajar) is a genuine differentiator for home users. One important caveat: Yale's coastal warranty exclusion applies to most models, detailed below. Check this before installing on any property with direct salt-air exposure. Is Yale right for you? →

Coastal properties — read the Yale warranty terms before installing

Most Yale smart lock models exclude salt-air and coastal environments from their warranty. For Gold Coast and any beachside property exposed to direct salt air, this is a material consideration. The lock may perform adequately but warranty coverage for corrosion-related failures will typically not apply. Confirm the warranty terms for the specific model with us before purchase if your property is within direct coastal exposure range. Yale coastal installation guide →

Yale is the only GCSL platform with native Apple HomeKit support

If your household runs HomeKit automations — unlocking the front door when you arrive home, locking at a set time, integrating with lights or alarm systems via Apple Home — Yale via the Connect Plus Hub 2 is the only platform in our range that supports this natively. TTLock offers Alexa and Google Home; Igloohome and Carbine Connect do not have voice assistant integration. If HomeKit is a requirement, Yale is the answer.

Carbine Connect App

Davcor Pty Limited (Carbine brand, Australian distributor) · Bluetooth-only · No cloud · No gateway · SilentGrid-audited

? SilentGrid Security Audited

Architecture

Bluetooth Classic only. No WiFi. No cloud. No gateway. All credential management — adding codes, changing settings, retrieving the event log — requires the phone to be within approximately 10 metres of the lock. This is a fundamental architectural difference from every other platform in the GCSL range. It is a privacy feature as much as a limitation.

PIN access types (3)

Always Active — no schedule, valid until manually deleted · Time Period — active between two set dates, deactivates at the end date · Recurring — active on a weekly, weekday-only, or weekend-only schedule

Other access methods

RFID card/fob · Bluetooth Auto-Unlock (geofence, ~10m, requires Bluetooth + WiFi + GPS active on phone) · QR code user sharing (one QR per user, each QR for one recipient only) · Mechanical key backup

Security audit

The CEL2-BT leverset has been independently penetration-tested by SilentGrid (Australian cybersecurity firm). Result: low risk profile. AES-encrypted authentication handshakes. One-time-use encryption keys (eliminates replay attacks). Resistant to token sniffing, brute-force entry, magnet attacks and EMP disruption. No published CVEs. Audit applies to the leverset; confirm scope with Davcor for the deadbolt variant.

Code capacity & battery

CEL2-BT-SL8 leverset: 100 combined PIN + RFID codes ⚠ verify with Davcor before specifying · CEL2-BT-DB deadbolt: 200 PIN codes · Battery: AA alkaline only — no lithium, no rechargeable. Auto-Unlock mode (constant Bluetooth scan) reduces battery life significantly.

App settings

Vacation Mode (disables all codes except admin and app users) · Dual Credential (requires PIN + RFID simultaneously) · Auto-Lock timer (5–900 seconds) · Event Log (proximity access only) · Factory Reset. See Carbine Connect App Screen FAQ (Flipsnack) →

Resources

▶ Carbine Connect App Video ? App Screen FAQ (Flipsnack) → Carbine CEL&CDL Range Guide → Carbine Connect Platform Guide → Carbine brand profile — Chapter 10

Carbine Connect is the right platform when privacy, simplicity, and no-cloud operation are the priority. No access event data is transmitted to or stored on any third-party server — your entry history stays on the lock and your phone. The SilentGrid audit gives it a verified security baseline that few smart lock platforms at this price point can match. The hard limitation is proximity management: if you need to issue or revoke a code without being at the property, this is not the right platform.

SilentGrid audit — independent Australian cybersecurity verification

SilentGrid is an Australian cybersecurity consultancy. Their Bluetooth penetration test of the CEL2-BT leverset found: AES-encrypted authentication, one-time-use session keys (each unlock uses a fresh key — a captured key from one session cannot be replayed to open the lock again), resistance to token sniffing and brute-force entry, and no firmware extraction vulnerability. This is one of the few independent published security audits on any Australian smart lock platform. Few products at this price point have equivalent documentation.

What "proximity management only" means in practice

Adding a new PIN code, changing the auto-lock timer, retrieving the event log, or deleting a credential all require your phone to be within Bluetooth range of the lock (≈10m). For a home or small office where you are regularly on-site this is not a limitation — you manage the lock the same way you always have, just via the app rather than physically programming the keypad. It becomes a limitation if you need to issue or change access while away from the property. For that use case, TTLock or Igloohome are the better fit. See the platform selection guide →

Tuya Inc. (Hangzhou, China; NYSE and HKEX listed) is one of the world's largest IoT Platform-as-a-Service providers, powering over 100,000 product SKUs globally across tens of thousands of brands. Many generic smart locks sold on Amazon, eBay, and general hardware stores run on the Tuya platform under the Tuya Smart or Smart Life app. Some are also rebranded as OEM apps by individual manufacturers.

GCSL does not stock Tuya-platform smart locks for three practical reasons: (1) the Tuya Smart app is a generic IoT dashboard, not a dedicated access control platform — lock-specific features are buried in device-level panels that vary by manufacturer and are not standardised at the app level; (2) there is no Australian professional installer distribution network, warranty chain, or technical support for Tuya-platform locks; (3) all event and credential data transits Tuya's cloud servers (Singapore/US/Europe depending on account region), operated by a company headquartered in China, with no Australian-hosted option. Tuya does not have published CVEs for smart locks specifically, but the generic IoT security concerns (default password persistence, inconsistent firmware update paths across manufacturers) apply across the ecosystem.

If you have seen a Tuya lock or are comparing it with a TTLock product, the detailed platform comparison is in our blog: TTLock vs Tuya — Smart Lock Platforms Australia. For a doorbell/camera lock using Tuya technology, GCSL's position is: these products exist globally but are not yet available in Australia with the required electrical certification, local door dimension compatibility, and professional installer support for us to recommend them. We are watching this category and will stock when a suitable product arrives.

The table below maps common Australian installation scenarios to the platform that best fits. For complex situations — fire doors, DDA requirements, strata rules, coastal environments — the right platform depends on hardware compatibility as much as software preference.

Platform and hardware compatibility are not always interchangeable

The platform determines the software experience; the hardware determines what fits your door. A fire-rated lever on a Carbine Connect platform does not exist — the fire-rated Carbine models (CEL2-3IN1-SL8-FRKIT) are standalone, not Bluetooth-app-connected. Similarly, DDA-compliant levers are available on TTLock and Yale hardware only within the GCSL range. Always confirm door compatibility, bolt type, and compliance requirements before selecting a platform. Chapter 02 — Measuring Your Door and Chapter 04 — Door Types are the starting points.

The table below summarises the security and data residency profile of each platform. "Cloud needed for entry" means whether the internet must be live at the property for a guest or user to unlock the door — the answer is no for all four GCSL platforms, which is the minimum standard we consider acceptable for residential and short-stay use.

A note on data sovereignty for sensitive use cases

For most residential users and short-stay hosts, data residency in China (TTLock) or Singapore (Igloohome) is an accepted norm, comparable to other smart home platforms. For NDIS clients, body corporates, commercial property managers, government tenants, or anyone with data sovereignty requirements, the question of where access event data is stored and who can access it is a material procurement consideration. If this applies to your installation, raise it explicitly before committing to a platform. Carbine Connect's no-cloud architecture eliminates this concern entirely for those who can accept proximity management. Ask us before you commit →

Which Smart Lock Platform Is Right for You?

Decision-tree blog covering the four GCSL platforms with specific use-case scenarios. Start here if you're unsure.

Airbnb Smart Locks: Do You Really Need WiFi?

Igloohome vs TTLock decision framework for Australian short-stay hosts — the foundational platform comparison blog.

Using TTLock for Airbnb in Australia

How gateways, PMS platforms and passcode scheduling work in practice. The operational guide for TTLock Airbnb setups.

Using Igloohome for Airbnb in Australia

How algoPIN and Airbnb Connect actually work day-to-day — including what happens when the property internet drops.

TTLock vs Tuya — Smart Lock Platforms Australia

Why GCSL stocks TTLock and not Tuya — an honest platform-to-platform comparison including data sovereignty.

Carbine Connect Platform Guide

Full operational guide to Carbine Connect — setup, PIN types, auto-unlock, event log retrieval and the SilentGrid security audit explained.

Yale Smart Locks in Australia: An Honest Guide

What Yale does well, what to be aware of, battery life realities, and the coastal warranty question answered plainly.

Chapter 08 — Smart Lock Gateway Comparison

G2, G3, G4, G5, Yale Hub 2, Igloohome Bridge — which gateway suits which installation and why band-steering matters.

Not sure which platform suits your property?

Tell us your door type, use case, whether you need remote access, and whether Airbnb automation or HomeKit matters. We will match you to the right hardware and platform combination from day one.

Get a Recommendation (07) 5560 1867

Terry's Gold Coast Smart Locks Ready to shop? Browse our full range — same team, same expert advice.

Shop All Locks → Get Expert Advice (07) 5560 1867