The hidden-camera-detector category on the Play Store has a problem. The vast majority of top-ranked apps use exactly one of your phone's sensors - the magnetometer - and call it a detector. Some users pay $5 a week for what is essentially a free compass app with the icon recolored.
This piece breaks down the four classes of sensor that matter, what each one actually catches, and why a single-sensor app is theater rather than security.
The four detection methods that matter
1. WiFi network scanning (catches networked cameras)
A networked hidden camera connects to the local WiFi like any IoT device. Its MAC address is registered to the manufacturer (Hikvision, Dahua, Reolink, Wyze, Eufy, Foscam, Amcrest, Vivotek, etc.). It typically listens on streaming ports - RTSP on 554, HTTP on 80 or 8080, ONVIF on 8000.
A real WiFi scanner reads the local ARP table to enumerate every connected device, looks up each MAC's manufacturer in the IEEE OUI registry, and probes each device for camera-typical ports. A device fingerprinted as "Hikvision Digital Technology" with port 554 open is almost certainly an IP camera.
What this catches: Networked cameras on the host's WiFi, in homes and offices.
What it misses: Battery-powered cameras with no network. Cameras on hotel WiFi with client isolation enabled (you cannot see other clients). Analog cameras.
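The pipeline described in this section, as an added example (not code from any app the article discusses): parse an ARP table in the Linux `/proc/net/arp` layout, look up each vendor, and combine that with open-port data. The OUI prefixes, addresses and sample table are constructed placeholders, and all function names are hypothetical.

```python
import socket

CAMERA_PORTS = (554, 80, 8080, 8000)  # RTSP, HTTP, HTTP, ONVIF (ports named in the article)
CAMERA_VENDORS = ("hikvision", "dahua", "reolink", "wyze", "eufy", "foscam", "amcrest", "vivotek")
# Constructed placeholder prefixes, NOT real IEEE OUI assignments.
OUI_DB = {"00:11:22": "Hikvision Digital Technology", "00:33:44": "Example Laptop Co."}

# Constructed sample in the Linux /proc/net/arp layout.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         00:11:22:aa:bb:cc     *        wlan0
192.168.1.31     0x1         0x2         00:33:44:01:02:03     *        wlan0
192.168.1.44     0x1         0x2         da:a1:19:0f:10:11     *        wlan0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def parse_arp(text):
    """Yield (ip, mac) for resolved entries; flag bit 0x2 unset means incomplete."""
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 4 and int(f[2], 16) & 0x2:
            yield f[0], f[3].upper()

def vendor_of(mac):
    """OUI lookup; randomized (locally administered) MACs have no registry entry."""
    if int(mac[:2], 16) & 0x02:
        return None
    return OUI_DB.get(mac[:8])

def probe(ip, timeout=0.5):
    """TCP connect check of the camera-typical ports on one host of your own network."""
    found = set()
    for port in CAMERA_PORTS:
        with socket.socket() as s:
            s.settimeout(timeout)
            if s.connect_ex((ip, port)) == 0:
                found.add(port)
    return found

def classify(arp_text, open_ports):
    """open_ports maps ip -> set of open ports (from probe() or a saved scan)."""
    out = {}
    for ip, mac in parse_arp(arp_text):
        vendor = vendor_of(mac)
        cam_vendor = bool(vendor) and vendor.lower().startswith(CAMERA_VENDORS)
        rtsp = 554 in open_ports.get(ip, ())
        out[ip] = ("likely camera" if cam_vendor and rtsp else
                   "review" if cam_vendor or rtsp else "no camera signal")
    return out
```

A device with a randomized MAC cannot be attributed to a manufacturer, so an open RTSP port on such a device is reported as "review" rather than silently dropped.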
2. Nearby-networks scanning (catches setup-mode cameras and hotel-WiFi gaps)
Many cheap spy cameras broadcast their own WiFi network in setup mode. The SSID matches a brand pattern - IPCAM_xxxx, HCAM-xxxx, ESCAM_xxxx, HISEEU_xxxx, SRIHOME_xxxx, LOOKCAM_xxxx, V380_xxxx, MIPC_xxxx, and dozens more. A nearby-networks scan reads beacon broadcasts and matches them against this brand-pattern database. No WiFi connection required.
This is the method that actually works in hotels, Airbnbs, and any environment where you cannot or do not want to connect to the local WiFi. It is also the method that catches the rebadged Chinese spy cameras that dominate Amazon and AliExpress.
What this catches: Setup-mode camera hotspots, broadcast-only spy cams, location-independent.
What it misses: Cameras already paired to a network (setup SSID is hidden after pairing). Wired/offline cameras.
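The beacon matching described above, as an added example that is not part of the original article or any app's code: it checks observed SSIDs against the brand prefixes listed in this section and ranks matches by signal strength. The scan rows are constructed, the suffix format after each prefix is an assumption, and `setup_mode_hits` is a hypothetical name.

```python
import re

# SSID prefixes listed in the article; the suffix format is an assumption
# (any run of letters, digits, underscores or hyphens).
BRANDS = ["IPCAM_", "HCAM-", "ESCAM_", "HISEEU_", "SRIHOME_", "LOOKCAM_", "V380_", "MIPC_"]
SETUP_SSID = re.compile(r"^(%s)[\w-]+$" % "|".join(map(re.escape, BRANDS)), re.IGNORECASE)

# Constructed beacon observations: (ssid, bssid, rssi_dbm).
SAMPLE_SCAN = [
    ("HotelGuest", "00:11:22:00:00:01", -48),
    ("HCAM-1234", "00:11:22:00:00:02", -71),
    ("HCAM-1234", "00:11:22:00:00:02", -55),     # same radio, seen again from closer
    ("", "00:11:22:00:00:03", -60),              # hidden SSID: nothing to match
    ("v380_88ab", "00:11:22:00:00:04", -80),     # lower-case variant
    ("MyIPCAM_home", "00:11:22:00:00:05", -40),  # brand string not at the start
]

def setup_mode_hits(scan):
    """Return matching radios, strongest signal first, one row per BSSID."""
    best = {}
    for ssid, bssid, rssi in scan:
        m = SETUP_SSID.match(ssid.strip())
        if not m:
            continue
        prev = best.get(bssid)
        if prev is None or rssi > prev["rssi"]:
            # Keep the strongest reading so the list can guide a physical search.
            best[bssid] = {"ssid": ssid, "brand": m.group(1).upper(), "rssi": rssi}
    return sorted(best.values(), key=lambda h: h["rssi"], reverse=True)
```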
3. Bluetooth Low Energy scanning (catches trackers and BLE cameras)
The hidden-device threat is not just cameras. Bluetooth trackers - AirTags, Samsung SmartTags, Tile - are placed in cars, bags, and on people. Some hidden cameras also use BLE for setup or low-bandwidth telemetry. A continuous BLE scan catches both classes.
The technical signal is service UUID matching. Apple AirTag broadcasts service UUID 0xFD5A (and variants). Samsung SmartTag uses SmartThings Find UUIDs. Tile uses its own. Unknown trackers without a recognized service UUID still get flagged when the same identifier persists across multiple scan windows.
What this catches: AirTag / SmartTag / Tile / Chipolo / Pebblebee. BLE-broadcasting cameras.
What it misses: Cellular GPS trackers (rare in personal stalking).
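The persistence rule for unrecognized trackers, as an added example (not the article's or any app's code): an identifier is flagged when it shows up in several scan windows at usable signal strength. The windows are constructed, identifiers are opaque strings, and the RSSI floor, window threshold and own-device allow-list are assumptions of this sketch.

```python
from statistics import mean

# Constructed scan windows, taken minutes apart: advertiser identifier -> RSSI (dBm).
WINDOWS = [
    {"id-A": -60, "id-B": -82, "id-C": -70},
    {"id-A": -58, "id-C": -90, "id-D": -75},
    {"id-A": -63, "id-C": -72, "id-E": -66},
    {"id-A": -61, "id-E": -64},
]
OWN_DEVICES = {"id-E"}  # assumption: the user's own paired devices are allow-listed

def persistent_identifiers(windows, min_windows=3, rssi_floor=-85, ignore=()):
    """Flag identifiers seen at usable signal strength in >= min_windows windows."""
    seen = {}
    for idx, window in enumerate(windows):
        for ident, rssi in window.items():
            if ident in ignore or rssi < rssi_floor:
                continue  # own device, or too faint to count as nearby
            seen.setdefault(ident, []).append((idx, rssi))
    flagged = []
    for ident, obs in seen.items():
        if len(obs) >= min_windows:
            flagged.append({"id": ident, "windows": len(obs),
                            "first": obs[0][0], "last": obs[-1][0],
                            "mean_rssi": mean(r for _, r in obs)})
    return sorted(flagged, key=lambda d: d["windows"], reverse=True)
```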
4. EM field scanning (catches offline powered electronics)
Battery-powered or wired-but-not-networked cameras do not show up on WiFi or Bluetooth. They still draw current. Any powered electronic device produces a small electromagnetic field. Your phone's magnetometer measures that field.
The magnetometer is the sensor that single-sensor apps use. The reason it is not enough alone: it picks up cameras, but it also picks up phone speakers, motors, metal in walls, fluorescent ballasts, and the iPhone in your hand. It is a useful corroborating signal among many. It is a poor primary signal.
What this catches: Powered electronics in places power should not be (inside a smoke detector that did not exist before).
What it misses: Anything where the EM signature blends into background noise, which is most of the time in a real building.
Why single-sensor apps fail
Search the Play Store. The top results promise "spy camera finder" or "hidden camera detector," then ask you to slowly wave the phone around the room while a meter ticks. That is the magnetometer reading the local magnetic field. It is one signal. It catches almost nothing on its own.
Worse: most of these apps charge $5-10 per week, which compounds to over $250 a year for a feature your phone can do for free with any open-source compass app. The Play Store reviews on the largest of these apps are full of one-star comments from users who paid, scanned, found nothing, and got pranked when a nephew put their phone next to a speaker and the meter spiked "ALERT."
HCAM-1234? Can it identify an AirTag? If the answer to all three is no, the app is a magnetometer with marketing.
What real multi-sensor detection looks like
A serious Android detector uses every sensor that produces useful signal, then corroborates findings across them. The same camera should plausibly show up on WiFi (manufacturer match), or on nearby networks (setup SSID), or on EM field (powered electronics). Two corroborating signals are far more reliable than one signal alone.
| Detection method | Magnetometer-only apps | Veilbreaker |
|---|---|---|
| WiFi scan + ARP + port probe | No | Yes |
| Manufacturer lookup (39K OUI database) | No | Yes |
| Nearby networks scan (setup-mode SSID detection) | No | Yes |
| Bluetooth tracker detection (AirTag / SmartTag / Tile) | No | Yes |
| BLE sound locator | No | Yes |
| EM field with baseline calibration | Raw reading only | Yes |
| Cross-tool corroboration analysis | No | Yes |
| 10-point physical inspection guide | No | Yes |
| PDF evidence report (police-ready) | No | Yes |
| Pricing | $5-10 / week | $6.99/month or $39.99/year |
Try every detection method in a single sweep
Veilbreaker runs all four sensor classes in a guided three-minute sweep. 3-day free trial.
What to look for when evaluating any detector app
- Does it scan WiFi or just claim to? A real WiFi scanner asks for ACCESS_FINE_LOCATION (Android requires it for WiFi scan) and CHANGE_NETWORK_STATE. An app that scans WiFi without asking for these permissions is faking it.
- Does it identify devices by manufacturer? Real WiFi scanners look up MAC addresses against the IEEE OUI database. If results are just "device 1, device 2, device 3," it is not actually identifying anything.
- Does it scan nearby networks (not just the connected one)? The most useful scan in hotels and rentals is for setup-mode hotspots, which only beacon scanning catches.
- Does it recognize specific tracker brands? "BLE detector" without identifying AirTag / SmartTag / Tile by name is just a generic Bluetooth scanner.
- Pricing tells you the model. Apps charging $5-10/week with no annual plan are optimized for users who forget to cancel. Real-utility apps offer monthly and yearly with savings.
Frequently asked questions
Can a phone app actually find hidden cameras?
Yes, but only an app that uses multiple sensors. WiFi network scanning identifies networked cameras by manufacturer. Nearby-networks scanning catches cameras broadcasting their own setup-mode WiFi. Bluetooth scanning catches BLE trackers and BLE cameras. EM field scanning detects offline powered electronics. A magnetometer alone catches almost nothing.
Why do most apps just use the magnetometer?
It is the cheapest sensor to integrate, requires no permissions, and works on every phone. It also catches almost zero modern hidden cameras because most are battery-powered or wireless and produce too small an EM signature to distinguish from background noise.
What sensors should a real detector use?
WiFi radio (for ARP scanning, port probing, and SSID detection), Bluetooth radio (for BLE trackers), magnetometer (for EM field anomalies), and a guided physical inspection. Veilbreaker uses all four plus device-fingerprint analysis.
Are free detector apps any good?
Almost all free apps in this category are magnetometer-only. They show ads, ask for inflated permissions, and do not actually identify devices. The category economics push real-utility apps to subscription models because the WiFi/BLE/AI infrastructure has ongoing cost.
Can iOS do the same thing as Android?
No. iOS restricts ARP table access, WiFi network scanning APIs, and background BLE operations. Real network-based hidden camera detection requires Android's lower-level sensor access.