Since RTSP isn't encrypted I was curious how secure the bluecherry implementation is. The spec appears to support DIGEST auth which at least stops credentials from being sent over the wire but BlueCherry uses BASIC auth which just sends a base64 encoded version of USERNAME:PASSWORD to the server.
This means that RTSP simply isn't safe to expose over an untrusted network.
I did get a solution working where I run stunnel on the bluecherry server and then use SSLDroid on my phone to tunnel the RTSP connection over SSL. That works but is a little more brittle as I have to make sure SSLDroid is running before TinyCam will connect.
If there is interest I'll post a HowTo on that.