> Find My is an asset tracking service made by Apple Inc. that enables users to track the location of iOS, iPadOS, macOS, watchOS, visionOS, tvOS devices, AirPods, AirTags, and a number of supported third-party accessories through a connected iCloud account. Users can also show their primary device's geographic location to others, and can view the location of others who choose to share their location. Find My was released alongside iOS 13 on September 19, 2019, merging the functions of the former Find My iPhone (known on Mac computers as Find My Mac) and Find My Friends into a single app. On watchOS, Find My is separated into three different applications: Find Devices, Find People and Find Items.
So AirTags, MacBooks, and turned-off iPhones are findable via passing-by turned-on iPhones.
Maybe it's just me, but if I own an internet-connected device and I turn it off, I expect it to be off. That an iPhone's definition of "off" means "you can't use it but other random people's iPhones in the vicinity can still connect to and ping it" rubs me the wrong way.
Does it really need to be a giant application made from "Go, JavaScript, TypeScript and Python"?
What does all that code do? Wouldn't a single PHP file that acts as the connection between the two devices be enough?
I've tried PairDrop, it works well.
My question is similar to the wormhole one.
Does it really need to be 168 files of code to do this? I don't know WebRTC, but wouldn't a single PHP file be enough to create the connection between the two devices?
Does anyone know if their approach is "sustainable", or if Apple can easily "block out" such hacks from their network?
I would like a tag that just records its own GPS coordinates locally on-device, every so often, and then when my dog comes home, I can check where she's been.
Does this exist?
I mean, they could concatenate all 168 files and stuff them into a single <script> tag in the PHP if that would make you happier…
I have used them before on various bikes and they work just fine. Battery life is about 25 hours, it is weather resistant, and then you can sync them after you record an activity. And at less than $30, if it gets lost, it isn't the worst thing in the world.
Everyone who shares location with me does so over Find My, and my family insists on using AirTags. As a 100% desktop Linux and mobile Android user, it is one of the few things that I always need to remote in to my Mac Mini to access because there are no x-platform FindMy apps and the FindMy iCloud web app does not have feature parity to the macOS and iOS apps. One of a long list of offenses where Apple refuses to make things easy for x-platform friend groups and families. Very annoying.
The engineering and thought that went into the whole thing to be useful but also privacy protecting is actually pretty impressive, and exactly the kind of thing we should be encouraging companies to do if we care about privacy. Especially since as you point out, you can still easily turn it off at any point if you want.
OpenHaystack has been doing this for a few years now and Apple has made no efforts to restrict it.
So what you're saying is that a decent firewall could still inspect the traffic, or the patterns thereof.
Also, this doesn't make any sense, as if Apple doesn't know which AirTag belongs to who, Find My would be very useless; and law enforcement would be furious.
(Obviously you can find friends who don’t care for it and you can live a normal life and be just fine. I’m privacy conscious but I still share my location with a handful of friends for the above reasons.)
Here are Apple’s docs on how they prevent themselves from inspecting traffic on Fmi: https://support.apple.com/guide/security/find-my-security-se...
A truly x-platform app is one that works well on all 5 of these platforms, e.g. Signal. A moderately x-platform app is one that works well on the two mobile operating systems and on web as an alternative to desktop, e.g. WhatsApp. A single-platform app, like Apple FindMy, only works properly on e.g. Mac + iPhone. Apple tends to be the only major industry player that produces these sorts of apps, e.g. iMessage, FaceTime, Final Cut Pro, Keynote. Although with Keynote you can often get by with the iCloud web version, which has a useful 80%-or-so of the desktop app's features. Even apps like Meet, Zoom, and Teams -- run by rival companies -- are more x-platform than major Apple apps.
You have quite a few granular choices.
> You can share your current location once, temporarily share your location while you're on the way to an expected destination, or share your ongoing Live Location... for an hour, until the end of the day, or indefinitely.
In Messages, you can use Check In to share your location... Your location is shared only if there's an unexpected delay during your trip or activity and you're unresponsive.
They must have a way to decrypt payloads or otherwise get into the system they built and control. The fact that they let law enforcement know when someone is stalking someone with an AirTag shows that the data is available to them. It’s silly to think otherwise, paper or not.
[0] https://github.com/dakhnod/FakeTag
[1] https://github.com/seemoo-lab/openhaystack
[2] https://hackaday.com/2022/05/30/check-your-mailbox-using-the...
(... yep, it looks like one of their example programs is about accessing AirTag info via API: https://github.com/malmeloo/FindMy.py/blob/main/examples/rea... ...)
Not technically correct. Apple devices (and Android phones with the appropriate app) detect if an unknown AirTag is moving with them and makes it home, possibly signalling a stalking attempt.
The heuristics for this happen locally; Apple isn't "aware" of this happening. That said, when you first set-up an AirTag, the serial is tied to your account. Therefore, when you physically find an unknown AirTag and report it to law enforcement, they can then subpoena (or get a warrant?) Apple for information on the AirTag owner's identity.
The serial itself, and any personal identifiers, are not used in the locating process, however.
This is well documented in the paper above, in articles, as well as in reverse engineering efforts.
Xtian Xmas xfer tx/rx xor...
For example, “When I come home, fetch the latest electricity prices and notify me if I should plug in my Tesla”.
I tried that using Shortcuts, but they won’t run location based without confirmation. (There are some workarounds, but they, too, don’t work reliably in my experience.)
Also check out Firewalla: https://help.firewalla.com/hc/en-us/articles/360008214094-Ac...
Firewalla looks really thoughtfully designed! I’m glad to be aware of it.
What happened to this? We’ve even got the authentication part nailed down now thanks to OAuth! There are even API gateways that you can park in front of your stack that manage all the hard parts like granting client secrets to API consumers and showing registration screens to developers.
There is really nothing stopping you from opening up parts of your stack to developers and tinkerers so they can do cool shit. It even gets people to lock into your product that much more because now they’ve integrated some part of their workflow into your system in a way that might not be possible without your service!
So yeah. You already have these APIs exposed for your front end apps to use. Why not just slam a developer portal on top and let people access some of it? Who knows what cool things they’ll cook up!
Just to add to the different ways that that exact grouping of letters can be interpreted.
Maybe because I see an API as being able to be accessed from anywhere, so you could query it from a home automation device to trigger something when you are within X meters of your house, which even if Apple truly released a cross-platform version of Find My that wouldn't be possible.
The tl;dr is: The information is publicly available in an encrypted form that is only readable by the party with the key.
Think of it like this, when you mark an item as lost you publish a hashed public identification key, if another device detects that key it creates a location report encrypted with your public key and posts it to a public list of encrypted reports, you decrypt the report with your private key.
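An added sketch of the report flow described in the comment above (not part of the original thread, and not FindMy.py or Apple code). It uses a toy Diffie-Hellman group and a hash-derived keystream from the Python standard library as stand-ins; the group, key sizes and all function names are assumptions of the example.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, an assumption of this sketch (the real network uses elliptic-curve keys).
P, G, NBYTES = 2**521 - 1, 3, 66

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def key_id(pub):
    """Hash of the advertised public key: the only identifier the server stores."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()

def _keys(shared, eph_pub, n):
    seed = shared.to_bytes(NBYTES, "big") + eph_pub.to_bytes(NBYTES, "big")
    k = hashlib.shake_256(seed).digest(32 + n)
    return k[:32], k[32:]                      # MAC key, keystream

def finder_report(tag_pub, location):
    """Run by a passing device: encrypt a location to the tag's public key."""
    eph_priv, eph_pub = keypair()
    mac_key, stream = _keys(pow(tag_pub, eph_priv, P), eph_pub, len(location))
    ct = bytes(a ^ b for a, b in zip(location, stream))
    return eph_pub, ct, hmac.new(mac_key, ct, "sha256").digest()

def owner_decrypt(priv, report):
    """Run by the owner: only the matching private key yields a valid MAC."""
    eph_pub, ct, tag = report
    mac_key, stream = _keys(pow(eph_pub, priv, P), eph_pub, len(ct))
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
        raise ValueError("report was not encrypted to this key")
    return bytes(a ^ b for a, b in zip(ct, stream))

def demo():
    server = {}                                # public store: key_id -> encrypted reports
    owner_priv, tag_pub = keypair()            # private key stays on the owner's devices
    report = finder_report(tag_pub, b"52.3702,4.8952")  # constructed sample coordinates
    server.setdefault(key_id(tag_pub), []).append(report)
    fetched = server[key_id(tag_pub)]          # anyone who can compute the hash can download
    other_priv, _ = keypair()                  # a party without the owner's key
    try:
        owner_decrypt(other_priv, fetched[0])
        stranger = "decrypted"
    except ValueError:
        stranger = "rejected"
    return owner_decrypt(owner_priv, fetched[0]), stranger, server
```

The server-side dictionary holds only hashes and ciphertext, so downloading a report reveals nothing without the private key.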
The argument wasn’t made out of principle, either. If it were more widespread, it would be worth the potential confusion. It’s just not. I agree with that.
Is the implication of this that such people just don't interact with Android users? That seems like a significant self-imposed limitation. Or are Android phones just extremely unpopular in your area?
If you have any questions, feel free to ask :-)
Apple devices can query your AirTag's location because they sync its shared secrets through the iCloud keychain, which is used to generate temporary keys that can be used to download and decrypt the tag's location.
However, do note that AirTags put themselves into "nearby" mode when they're near an owner device, at which point they become untraceable to the FindMy network (the system where other iPhones are finding your AirTag and uploading its location). That also makes it invisible to this library. It is however still possible to detect it using the BLE signal it is broadcasting in nearby state, which is supported by the library but not yet by the HA integration.
It still has some rough edges, but I've been running it for a few months now for myself and some family members without any major issues :-)
The library also explicitly does not integrate with your Apple account, but only uses it to query encrypted location reports from Apple. This can be done with any account, even if it does not "own" the device, as long as you can generate the correct keys.
Official docs: https://docs.mikealmel.ooo/FindMy.py/
I realize that the docs are rather empty right now; it takes a lot of time to turn my thoughts into text, which I do not really have at the moment. Contributions are welcome, of course ;-)
I see. But can't Apple simply read this data from my iCloud keychain? Or is this kind of data sharing through iCloud keychain e2e encrypted?
Over the past year only one of my accounts has been banned by Apple, and I was using that one to request locations every 5-10 minutes 24/7 in Home Assistant, with no other usage of the account other than one registered hackintosh. I'm currently using another account that is querying data every 15-30 minutes, which has been working fine so far. You just need an account to anonymously download location reports, so if your throwaway gets banned just create a new one and things should work again. Just make sure to attach it to a real device or hackintosh at least once to "activate" the account's iCloud API.
I do just want to make it clear that I have no intention of keeping this working "at all costs" - at least not without other people willing to help me out. The library is currently not even trying to be stealthy, and it can be easily detected using heuristics if they really wanted to.
If you mean from another device other than one that your keychain is on, ie, a browser on a device you haven’t logged into before, you can’t.
You can get an active location through iCloud if the device is powered on or its last location before power off if the setting is enabled. But you can’t decrypt find my location reports without the private key, which is only available in devices you’ve logged into.
Is the syntax to run them just `swift <filename.swift>`?
Swift/ErrorType.swift:253: Fatal error: Error raised at top level: main.MyError.noPassword
It would be awesome.
I would suggest signing into a separate Apple account that's under your control to pair the AirTag, however. Not due to the risk of being banned, but because I have the suspicion that removing an AirTag from your (friend's) account may prompt the device to instruct the AirTag to reset. But if you sign into another account, pair it using an iDevice and then log out, that shouldn't be an issue.
I also suspect Find My is a Catalyst-ported iPadOS app, which tend to be awful/useless for scripting.
The only Apple "device" I have regular access to is a hackintosh, so this stuff is frustratingly hard to debug. So far I've been relying on efforts from the community, but the scripts appear to be somewhat flaky and don't always work for everyone unfortunately.
I wonder if someone could integrate this into a more coherent long-term platform.
https://notes.stavros.io/programming/third-party-airtags-res...
Google have also launched their own network, Find, which is turned off by default and useless for now.
I'm okay sharing my location with trusted people so that they can occasionally manually check where I currently am. I don't like the idea of them theoretically being able to automatically record my location and build a complete history of my movements over time.
On a separate thought, if Apple has not taken concerns such as the one you portrayed into account when designing Find My Friends then I would suggest not using the system altogether. At that point it's only a matter of time before someone figures out how to extract the data. But that's an entirely different story and a personal consideration you'll have to make.
Also to be able to find photos in specific locations (if you integrate it with geotagged photos like google does).
It’s one of those things I don’t actively care a ton about in the short term but is useful data to have in the long term if it can persist without a lot of effort.
Edit: I think form is “irrelevant” as long as it’s well supported and can be useable in different services later on. Same thing with notes imo (and why I use markdown). Has enough features but importantly is and will be well supported.
(I'm also the one who wrote the original code that was refactored a couple times until it became this project... https://github.com/JJTech0130/pypush/blob/async/examples/ope...)