2 simple questions that should have been asked in the design meetings:
Is there a way of proving that the request came from the app?
Is there any kind of way of encrypting messages between the app and the home?
Good grief - it's not rocket science! You don't even need to be technical to ask those things.