With iOS 13 and macOS Catalina, Apple removed the Find My iPhone and Find My Friends apps and replaced them with a new “Find My” app. Apart from the new UI, the Find My app also comes with a key new capability: it can track lost and stolen iPhones and Macs even when they are not connected to the internet.
The lost device broadcasts a signal over Bluetooth, and nearby Apple devices can pick up that signal and send the information to the cloud, helping the owner find their stolen Apple device. However, many security researchers are worried that the technology could be used to track users using Bluetooth beacons.
On stage, Apple mentioned that the entire process is “end-to-end encrypted and anonymous”, meaning it did not pose any kind of security risk. In a phone call with Wired, Apple further detailed how this feature works, along with one catch with the ‘Find My’ app.
For the new offline location tracking feature to work, Apple requires that you own at least two devices. This is required because your stolen Apple device will emit a constantly changing public key, which nearby Apple devices use to encrypt and upload your geolocation data. This data can only be decrypted by Apple devices linked to your Apple ID with two-factor authentication enabled.
This ensures that despite your stolen Apple device broadcasting your location publicly over Bluetooth, the location data is only read by the intended party. What’s even better is that Apple itself will no longer have the ability to know a user’s location due to the approach it has taken with the new Find My app.
Say someone steals your MacBook. Even if the thief carries it around closed and disconnected from the internet, your laptop will emit its rotating public key via Bluetooth. A nearby stranger’s iPhone, with no interaction from its owner, will pick up the signal, check its own location, and encrypt that location data using the public key it picked up from the laptop. The public key doesn’t contain any identifying information, and since it frequently rotates, the stranger’s iPhone can’t link the laptop to its prior locations either.
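The flow described above, as an added sketch that is not Apple's code or part of the original article. The article gives no cryptographic details, so the shared seed, the HMAC-based per-period key derivation, the toy modular Diffie-Hellman group, the `lookup` hash and all function names are assumptions made for illustration. It shows why a second device is needed (it holds the seed that regenerates each period's private key) and why a finder cannot link two broadcasts.

```python
# Toy stand-in crypto (modular DH + SHA-256 keystream), for illustration only.
import hashlib, hmac, secrets

P = 2**255 - 19   # prime modulus of a toy Diffie-Hellman group (assumption)
G = 2

def period_keypair(seed: bytes, period: int):
    """Every owner device derives the same key pair for a period from a shared seed."""
    d = hmac.new(seed, b"period" + period.to_bytes(8, "big"), hashlib.sha256).digest()
    priv = int.from_bytes(d, "big") % (P - 2) + 1
    return priv, pow(G, priv, P)

def _keys(shared: int):
    k = hashlib.sha256(shared.to_bytes(32, "big")).digest()
    return hashlib.sha256(k + b"enc").digest(), hashlib.sha256(k + b"mac").digest()

def _xor(data: bytes, key: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def finder_report(broadcast_pub: int, location: bytes) -> dict:
    """Finder: encrypt its own location to the broadcast key; no device identity is seen."""
    eph = secrets.randbelow(P - 2) + 1
    enc_key, mac_key = _keys(pow(broadcast_pub, eph, P))
    ct = _xor(location, enc_key)
    return {"lookup": hashlib.sha256(broadcast_pub.to_bytes(32, "big")).hexdigest(),
            "eph_pub": pow(G, eph, P), "ct": ct,
            "tag": hmac.new(mac_key, ct, hashlib.sha256).digest()}

def owner_decrypt(seed: bytes, period: int, report: dict) -> bytes:
    """Owner's second device: re-derive the period's private key, verify, decrypt."""
    priv, pub = period_keypair(seed, period)
    if report["lookup"] != hashlib.sha256(pub.to_bytes(32, "big")).hexdigest():
        raise ValueError("report is for a different period key")
    enc_key, mac_key = _keys(pow(report["eph_pub"], priv, P))
    expected = hmac.new(mac_key, report["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, report["tag"]):
        raise ValueError("report failed authentication")
    return _xor(report["ct"], enc_key)

if __name__ == "__main__":
    seed = secrets.token_bytes(32)                      # constructed: held by owner's devices
    _, pub7 = period_keypair(seed, 7)                   # what the lost laptop broadcasts
    report = finder_report(pub7, b"37.3349,-122.0090")  # constructed coordinates
    print(owner_decrypt(seed, 7, report))
```

The server in this sketch stores only `lookup`, `eph_pub`, `ct` and `tag`, none of which lets it recover the location without the seed.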
On paper, the implementation behind the new ‘Find My’ app definitely sounds impressive. In just one move, Apple has not only managed to improve the probability of finding lost iPhones and iPads that are never connected to the internet, but it has also ensured that it does not get access to the location data of these lost devices.