This looks great. If this Python implementation of the FindMy API actually works, it would be a major technology quality-of-life improvement for me. I hope Apple lets it stay alive.
Everyone who shares location with me does so over Find My, and my family insists on using AirTags. As a 100% desktop Linux and mobile Android user, it is one of the few things that I always need to remote in to my Mac Mini to access because there are no x-platform FindMy apps and the FindMy iCloud web app does not have feature parity to the macOS and iOS apps. One of a long list of offenses where Apple refuses to make things easy for x-platform friend groups and families. Very annoying.
Even within Apple's platforms, there's pretty limited support for automation -- you can say "Siri find my keys" but there's no App Intents / Shortcuts support for automating anything within Find My (AFAIK), which is a bit disappointing.
Find My has no any exposed Applescript commands. You'd next need to try (I think, been >a decade) Accessibility Inspector to find the names of the interface so you can tell Applescript what to click on. On some apps, even this doesn't work.
I also suspect Find My is a Catalyst-ported iPadOS app, which tend to be awful/useless for scripting.
Kind of? Right now it feels like it's glued on the side and a good proof of concept. It takes a lot more panning and zooming than it should. But it DOES work, one-way: you can see your friends' locations but they can't see yours.
Possible in the apple ecosystem. If the kids are part of a "familly", you can monitor / control using Parental Controls accessed from your iPhone > Settings > Screen Time.
It sounds like the gp’s objection might be that they’d like for their children to use iPhone and its parental controls, but they themselves would prefer to use other platforms to manage the supervision features. As far as I know, you do in fact have to be within the apple ecosystem to manage the ScreenTime features as you suggest.
Firewalla looks really thoughtfully designed! I’m glad to be aware of it.
I actually have Firewalla (it's great!). But it's only helpful when a kid's phone is connected to the network itself (which they can escape easily by disconnecting from wifi). The native stuff works on all networks.
Unless you are arguing that the feature should be removed from iOS and macOS devices, it is entirely a technical issue. Me preferring to use an Android device rather than an iPhone is not a parenting issue.
To the best of my knowledge, AirTag locations still cannot be obtained through the iCloud website. The locations it shows are simply generated by the devices themselves and uploaded directly to Apple. This library specifically only queries the FindMy network, which is the system that allows other iPhones (and iPads etc.) to "find" your devices.
The library also explicitly does not integrate with your Apple account, but only uses it to query encrypted location reports from Apple. This can be done with any account, even if it does not "own" the device, as long as you can generate the correct keys.
Hopefully locations shared by users not part of my iCloud Family account, and "Items" (Apple jargon term for AirTags). Currently it only shows macOS or iOS "Devices" directly linked to my iCloud account, or in my iCloud Family, none of the locations shared by friends. And it shows no "Items," not even those in my iCloud account.
Cross-platform. There are 3 major desktop operating systems (Windows, Linux, and Mac) and 2 major mobile operating systems (iPhone and Android). Every single OS has a huge marketshare worldwide (including Linux, if you count servers).
A truly x-platform app is one that works well on all 5 of these platforms, e.g. Signal. A moderately x-platform app is one that works well on the two mobile operating systems and on web as an alternative to desktop, e.g. WhatsApp. A single-platform app, like Apple FindMy, only works properly on e.g. Mac + iPhone. Apple tends to be the only major industry player that produces these sorts of apps, e.g. iMessage, FaceTime, Final Cut Pro, Keynote. Although with Keynote you can often get by with the iCloud web version, which has a useful 80%-or-so of the desktop app's features. Even apps like Meet, Zoom, and Teams -- run by rival companies -- are more x-platform than major Apple apps.
I think the GP knows what cross-platform means, but is confused by using "X" as shorthand for "cross". In my opinion, it's not widespread enough for the four-letter saving to be worth the confusion.
I didn't directly interpret it a cross-platform but more as (x) platform... Asin variable x which is not Apple... Which is semantically the same I guess but not entirely.
Just to add to the different ways that that exact grouping of letters can be interpreted.
Maybe because I see an API as being able to be accessed from anywhere, so you could query it from a home automation device to trigger something when you are withing X meters of your house, which even if Apple truly released a cross-platform version of Find My that wouldn't be possible.
Long before the richest man on earth bought Twitter to be his personal megaphone to help him prepare to become president in order to boost all his personal endeavors, the letter X has been used as a sort of contraction to replace common morphemes like "cross", "trans" etc, in places where the physical representation "x" likens to a cross or crossing of some sort, or in reference to the Greek letter Chi. Must we change our use of language to support this guy, too?
You pretty much listed all the examples where that’s done (x-ing is also a big one, on signs), but there are way more cases where no one would ever use the letter X like that. I think parsing that kind of “syntax sugar” takes more cycles than a lot of people care to spare just to understand what a stranger is saying online. It’s too loose to be commonly applicable. Things like “Xmas” are accepted on a case by case basis.
The argument wasn’t made out of principle, either. If it were more widespread, it would be worth the potential confusion. It’s just not. I agree with that.
Hey everyone! I'm the author of FindMy.py. I'd like to use this moment to give a shout-out to some other people that deserve way more credit than me, as the project definitely would not have existed without them. If this stuff interests you then please do check them out, there is a dedicated section in the project's README (https://github.com/malmeloo/FindMy.py?tab=readme-ov-file#cre...).
Congrats ! I don't have an iPhone or Mac. Can I buy an AirTag, initialize it with the help of a friend who has an iPhone, and then locate the AirTag or ring it from my PC with this Python lib?
I realize that the docs are rather empty right now; it takes a lot of time to turn my thoughts into text, which I do not really have at the moment. Contributions are welcome, of course ;-)
You used to be able to query this data locally from your MacBook, but Apple decided to encrypt it. It was fun to put an AirTag on your cat, then use GPS Visualizer to plot your cat's activities overnight.
While we're here, I have an ask (of anyone). I want the same exact thing you said, except for an outdoor dog on a large property.
I would like a tag that just records its own GPS coordinates locally on-device, every so often, and then when my dog comes home, I can check where she's been.
They are called GPS trackers or GPS loggers. You can find some that save coordinates to a microSD card and optionally send the location via cellular connection for about 10 dollars on AliExpress.
I have a TK913 GPS tracker for my ebike, which is configured to send location reports to my server running Traccar[1]. I'm very happy with the setup, it Just Works. I can check where my bike is at any point from the web UI from my phone. It supports A LOT[2] of these cellular-enabled GPS trackers.
I have used them before on various bikes and they work just fine. Battery life is about 25 hours, it is weather resistant, and then you can sync them after you record an activity. And at less than $30, if it gets lost, it isn't the worst thing in the world.
From a quick skim of the repository, it looks like this is only for accessories/devices that you own. I hope that this is the case, and that it doesn't work for the "Find My Friends" functionality.
I'm okay sharing my location with trusted people so that they can occasionally manually check where I currently am. I don't like the idea of them theoretically being able to automatically record my location and build a complete history of my movements over time.
You're right, locating friends is not currently supported. I would assume that this feature is implemented by simply sharing your device's (already recorded) latest location ping with your friends, in which case this is also currently out of scope for the project - the library only intends to interact with the "other-devices-find-my-device" network in order to be account-agnostic.
On a separate thought, if Apple has not taken concerns such as the one you portrayed into account when designing Find My Friends then I would suggest not using the system altogether. At that point it's only a matter of time before someone figures out how to extract the data. But that's an entirely different story and a personal consideration you'll have to make.
You should probably just assume that the recording is possible and not share your location with people you don't trust to not do that. Find my Friends isn't Snapchat—there's nothing in the pitch about ephemerality, so you shouldn't assume they engineered it in as a design constraint.
For the longest time I’ve wanted a way to record my location history in a durable way, without resorting to google maps history (which is great but has…obvious downsides), or some hacky short-term custom solution.
I wonder if someone could integrate this into a more coherent long-term platform.
I don't have an iPhone or Mac.
Can I buy an AirTag, initialize it with the help of a friend who has an iPhone, and then locate the AirTag or ring it from my PC with this Python lib?
I bought some $8 third-party AirTags from AliExpress, flashed them with some firmware, and used Macless Haystack to track them without owning any Apple devices.
Note that, locating airtags and making them play sound requires them to be near some other iDevice (the battery is a standard CR2032), so if you live in a remote ranch or something and nobody around you has an iphone, they might not be very useful.
It wouldn't even need to be a remote ranch—everything I'm seeing suggests they have a range of between 30-100 feet depending on walls and whatnot, which means even in a typical suburb you've got pretty high odds that none of your neighbors have a device within range at the moment you need it.
Theoretically yes, once the AirTag is deployed the keys should be static and you should be ready to go. Apple should also not be able to "ban" the tag at some later point in time.
I would suggest signing into a separate Apple account that's under your control to pair the AirTag, however. Not due to the risk of being banned, but because I have the suspicion that removing an AirTag from your (friend's) account may prompt the device to instruct the AirTag to reset. But if you sign into another account, pair it using an iDevice and then log out, that shouldn't be an issue.
I don't think AirTag work that way. AirTag protocol is specifically designed so Apple or other parties will not be able to track users by serial numbers.
Where there's a will, there's a way. Apple is very clear law enforcement can approach them with any AirTag and they will immediately be able to tie it to a user.
They do, Airtag hardware need to be signed to add to your iCloud account. But the actual location beacon messages are not linked to your iCloud account and can’t be associated with the sending airtag.
So far they don't really seem to care, however we've seen the lengths Apple is willing to go to when it comes to protecting their sweet revenue stream during their fight with Beeper. OpenHaystack has been functional for a long time, but they obtain locations from a running Mac, while this project directly accesses their API. This is also the most attention this project has received in a long time, so we'll see how that goes.
Over the past year only of my accounts has been banned by Apple, and I was using that one to request locations every 5-10 minutes 24/7 in Home Assistant, with no other usage of the account other than one registered hackintosh. I'm currently using another account that is querying data every 15-30 minutes, which has been working fine so far. You just need an account to anonymously download location reports, so if your throwaway gets banned just create a new one and things should work again. Just make sure to attach it to a real device or hackintosh at least once to "activate" the account's iCloud API.
I do just want to make it clear that I have no intentions on keeping this working "at all costs" - at least not without other people willing to help me out. The library is currently not even trying to be stealthy, and it can be easily detected using heuristics if they really wanted to.
Changing the underlying find my network to break this would be challenging if not impossible while keeping the privacy protections in place. Apple can’t identify devices sending data to find my, and doesn’t log requests. Short of changes that would break compatibility with older devices it should be relatively stable.
OpenHaystack has been doing this for a few years now and Apple has made no efforts to restrict it.
I’ve been using FakeTag[0] and OpenHaystack[1] coupled with a vibration sensor to notify me when various things happen around my house. Inspired by this [2] article. It’s worked flawlessly for ~2 years.
You're correct in saying that it would be challenging for them to overhaul the entire network, but this library directly makes API calls to Apple's servers to request location reports. So while the tags would likely keep working, they could totally block the library or your account if they really wanted to.
> Apple can’t identify devices sending data to find my, and doesn’t log requests.
So what you're saying is that a decent firewall could still inspect the traffic, or the patterns thereof.
Also, this doesn't make any sense, as if Apple doesn't know which AirTag belongs to who, Find My would be very useless; and law enforcement would be furious.
Airtags are associated with your apple ID for safety, but when you make a request for the location from Find My it doesn’t include any information about which airtag you’re asking about; just a CSPRNG-incremented public key that changes every 15 minutes. The location data itself is not available to Apple.
The short answer is that it doesn't. The iCloud website only shows devices that are actively uploading their location to Apple, such as iPhones and iPads. AirTags are not shown there, as they use the FindMy network instead (the whole other-devices-find-your-airtags mechanism). This library focuses on the latter.
Apple devices can query your AirTag's location because they sync its shared secrets through the iCloud keychain, which is used to generate temporary keys that can be use to download and decrypt the tag's location.
It’s explained pretty well in link provided in comment your replying to.
The tl;dr is: The information is publicly available in an encrypted form that is only readable by the party with the key.
Think of it like this, when you mark an item as lost you publish a hashed public identification key, if another device detects that key it creates a location report encrypted with your public key and posts it to a public list of encrypted reports, you decrypt the report with your private key.
If you mean from another device other than one that your keychain is on, ie, a browser on a device you haven’t logged into before, you can’t.
You can get an active location through iCloud if the device is powered on or its last location before power off if the setting is enabled. But you can’t decrypt find my location reports without the private key, which is only available in devices you’ve logged into.
So Apple has no way to see anything even when developing the platform itself?
They must have a way to decrypt payloads or otherwise get into the system they built and control. The fact that they let law enforcement know when someone is stalking someone with an AirTag shows that the data is available to them. It’s silly to think otherwise, paper or not.
> The fact that they let law enforcement know when someone is stalking someone with an AirTag shows that the data is available to them.
Not technically correct. Apple devices (and Android phones with the appropriate app) detect if an unknown AirTag is moving with them and makes it home, possibly signalling a stalking attempt.
The heuristics for this happen locally; Apple isn't "aware" of this happening. That said, when you first set-up an AirTag, the serial is tied to your account. Therefore, when you physically find an unknown AirTag and report it to law enforcement, they can then subpoena (or get a warrant?) Apple for information on the AirTag owner's identity.
The serial itself, and any personal identifiers, are not used in the locating process, however.
This is well documented in the paper above, in articles, as well as in reverse engineering efforts.
From Apple’s perspective, if someone uses the FindMy APIs to provide a commercial service that diminishes the privacy offered by Apple’s official apps, they would likely send a C&D letter. But for hobby projects, it’s not worth clamping down hard.
It's not clear to me how to actually get the required plist file to make this library work. Neither of the scripts in this issue seem to work: https://github.com/malmeloo/FindMy.py/issues/31
Is the syntax to run them just `swift <filename.swift>`?
Swift/ErrorType.swift:253: Fatal error: Error raised at top level: main.MyError.noPassword
Which version of MacOS are you using? I believe Apple has made changes to the keychain in the latest version which prevents the scripts from working properly.
The only Apple "device" I have regular access to is a hackintosh, so this stuff is frustratingly hard to debug. So far I've been relying on efforts from the community, but the scripts appear to be somewhat flaky and don't always work for everyone unfortunately.
It’s interesting, because it could allow you to log location over time. Generally, I can only see peoples location when I open the app, but this would allow me to ping every 30 minutes and create a very long log that I could technically create manually, but would be quite a bit of work.
Can I use this, if I have an iPhone, to trigger actions on a server based on my location?
For example, “When I come home, fetch the latest electricity prices and notify me if I should plug in my Tesla”.
I tried that using Shortcuts, but they won’t run location based without confirmation. (There are some workarounds, but they, too, don’t work reliably in my experience.)
If you literally mean when you return home, I’ve been running Shortcut automations triggered by leaving home and arriving home, using the built in “My Home” triggers. They don’t require confirmation and as best as I can tell have been completely reliable.
However, do note that AirTags put themselves into "nearby" mode when they're near an owner device, at which point they become untraceable to the FindMy network (the system where other iPhones are finding your AirTag and uploading its location). That also makes it invisible to this library. It is however still possible to detect it using the BLE signal it is broadcasting in nearby state, which is supported by the library but not yet by the HA integration.
As someone who lives in an Android family but would still like to use air tags since it's the biggest network in the U.S. I'd love a way to add and use air tags without needing to have an iPhone!
> Find My is an asset tracking service made by Apple Inc. that enables users to track the location of iOS, iPadOS, macOS, watchOS, visionOS, tvOS devices, AirPods, AirTags, and a number of supported third-party accessories through a connected iCloud account. Users can also show their primary device's geographic location to others, and can view the location of others who choose to share their location. Find My was released alongside iOS 13 on September 19, 2019, merging the functions of the former Find My iPhone (known on Mac computers as Find My Mac) and Find My Friends into a single app. On watchOS, Find My is separated into three different applications: Find Devices, Find People and Find Items.
> You can share your current location once, temporarily share your location while you're on the way to an expected destination, or share your ongoing Live Location... for an hour, until the end of the day, or indefinitely.
In Messages, you can use Check In to share your location... Your location is shared only if there's an unexpected delay during your trip or activity and you're unresponsive.
This is actually one of the big differences between generations. It’s not just the norm for young people to share locations, but rather almost expected, with real social consequences for not. Yes it’s probably a little weird to have someone’s precise location 100% of the time, but since you’re sharing it with me there’s a good deal of trust implied (though this is not always the case as it has become more normalized). However, if we stop sharing locations, that usually implies a divorce of the relationship. People will shut you out of their life if you stop sharing your location with them, no matter the reason. From that lens, the choice is simple. You’ve gotta share your location, even if it’s a bit icky from a privacy perspective or you risk losing an entire cohort of friends. I will admit, there is a strange level of intimacy for having done it. In a world increasingly dominated by the pixels on this 4x8 screen, it is a nice reminder that the text bubbles on my phone actually come from real people that I can show you on a map.
(Obviously you can find friends who don’t care for it and you can live a normal life and be just fine. I’m privacy conscious but I still share my location with a handful of friends for the above reasons.)
> People will shut you out of their life if you stop sharing your location with them
Is the implication of this that such people just don't interact with Android users? That seems like a significant self-imposed limitation. Or are Android phones just extremely unpopular in your area?
Yeah, I switched to an iPhone solely for the blue text bubbles. Among young women in my bubble, 98% have iPhones. I’d get sneers at bars from girls when my first text on their phone was green. People would complain openly about my phone ruining their group chats. While I preferred android tech, switching to iPhone was a no-brainer because it removed a lot of friction in social settings.
Blame the emotionally dysfunctional, not the tool. It’s only a problem if it changes how you would live your life or pressured or coerced (in which case, say no).
Importantly, it works in a peer-to-peer kind of way. Apple devices act as kind of beacons and nearby iPhones can notify Apple servers of any nearby devices they detect (in a way not decryptable by Apple, only by the owner of the devices).
So AirTags, MacBooks, and turned-off iPhones are findable via passing-by turned-on iPhones.
Is it not a glaring privacy and security hole that turned-off devices can still be located?
Maybe it's just me, but if I own an internet-connected device and I turn it off, I expect it to be off. That an iPhone's definition of "off" means "you can't use it but other random people's iPhones in the vicinity can still connect to and ping it" rubs me the wrong way.
Other phones in the vicinity don't connect to yours. Yours uses Bluetooth LE to periodically broadcast some data. Other phones in the vicinity relay that data along with the approximate location to Apple.
It is not. If you don’t want your device to participate, you ca elect not to enable Find My during setup. The vast majority of people would rather a their couldn’t just turn off a stolen phone and render it unlocatable.
Also the location is only accessible to you, the owner of the device. Not Apple or "random other people's iPhones".
The engineering and thought that went into the whole thing to be useful but also privacy protecting is actually pretty impressive, and exactly the kind of thing we should be encouraging companies to do if we care about privacy. Especially since as you point out, you can still easily turn it off at any point if you want.
I don’t use the person tracking very often except on group vacations, but I track a vehicle with an AirTag after a car theft for a little peace of mind (along with other preventative measures). Every now and then it’s handy for my own devices, too, including alerting me when I’ve accidentally left one behind at a non-routine location.
I'm not familiar with these tags, do they implement the FindMy protocol? If it's a proper 3rd party AirTag ("Works with FindMy") then it should be supported, see the AirTag example in the repository for more info.
I remember there was a time when “web services” were the new hotness and everybody was gonna offer some API to whatever they had online.
What happened to this? We’ve even got the authentication part nailed down now thanks to OAuth! There is even API gateways that you can park in front of your stack that manage all the hard parts like granting client secrets to API consumers and showing registration screens to developers.
There is really nothing stopping you from opening up parts of your stack to developers and tinkerers so they can do cool shit. It even gets people to lock into your product that much more because now they’ve integrated some part of their workflow into your system in a way that might not be possible without your service!
So yeah. You already have these API’s exposed for your front end apps to use. Why not just slam a developer portal on top and let people access some of it? Who knows what cool things they’ll cook up!
If the constraint is that you don't want to install any software, there are a bunch of these web based AirDrop clones, besides the ones mentioned here are two more:
Does it really need to be 168 files of code to do this? I don't know WebRTC, but wouldn't a single PHP file be enough to create the connection between the two devices?
Everyone who shares location with me does so over Find My, and my family insists on using AirTags. As a 100% desktop Linux and mobile Android user, it is one of the few things that I always need to remote in to my Mac Mini to access because there are no x-platform FindMy apps and the FindMy iCloud web app does not have feature parity to the macOS and iOS apps. One of a long list of offenses where Apple refuses to make things easy for x-platform friend groups and families. Very annoying.
reply