Protect against malicious AirTags (and some other tracking devices)

Author Christian Reading time 4 minutes

Photo by cottonbro studio:

When Apple introduced the AirTag (see Wikipedia) it was primarily marketed as a "Find your device/stuff" product. Allowing you to locate the item to which the AirTag is attached, even when it's hundreds of meters (or kilometers) away. As long as there is some Apple device which receives the Bluetooth signal and forwards this to the Apple servers, you will have the location of the device. Of course, depending on time passed and location it can be inaccurate. But in our connected world it's likely that some device will pick up the signal again and you'll have up-to-date location information.

Additionally AirTags can produce a sound, so that you can get a audio hint on where the device is.

AirTags do have many useful cases. From tracking your stolen bike (if you hide some AirTag on/in it), to locating your lost luggage at an airport.. Even pets! Sure this is useful. But sadly.. The principle of dual usability is real and hence even in the beta phase Apple already rolled out a feature that allowed you to view all AirTags in your vicinity. As the potential for illegitimate usages was too high, to simply ignore it. After all.. Watch someone retrieving money at an ATM, occasionally bump into this person and put an AirTag into the jacked of that person. And then just follow and wait until this person is in some place where there are no cameras and/or eyewitnesses. Or think about the whole stalking and Online-Dating problem.

No, AirTags can be a security and privacy disaster. I'm sure many of you have read the story about Lilith Wittmann, who used an Apple AirTag to uncover an office of a secret german intelligence agency (article on or read the original german article, published by herself, here: Bundesservice Telekommunikation — enttarnt: Dieser Geheimdienst steckt dahinter.

Ok, so Apple has this feature included in iOS for it's phones/tablets, etc. - What about Android?

Good things first: Apple and Google recognized the threat and are working together towards an industry specification which aims to put an end to stalking via AirTag and similar devices. But, as this has just been announced in May 2023, it's still too early to have produced any meaningful results (sadly).

Apple press release:
Google blog post in their security blog: 

Well, Android being the fragmented Android market it is, not every manufacturer has such an option included. I know that Google Pixel devices have such a feature. And I was told Samsung and OnePlus phones too. But there are many other Android versions around. And: What about custom ROMs? I use LineageOS on my OnePlus phone and wasn't able to find such a feature. That's why I searched for an app that does this for me, and was pleasantly surprised to find one.

AirGuard is even released for iOS and there it's also able to find trackers which Apples feature won't detect. So.. I guess this is a recommendation to install this app on iOS too.

Introducing AirGuard

AirGuard is an Android app, developed by the Secure Mobile Networking Lab (SEEMOO) which is part of the Technical University of Darmstadt - specifically their computer science department. You may have heard from them occasionally as they regularly find security vulnerabilities in Apple products and do a lot of research on Bluetooth and Bluetooth security. The neat point? AirGuard is OpenSource, it's code is being published on GitHub. This allows me to install the App using F-Droid (which only offers OpenSource apps).

The icing on the cake? It can not only track Apple AirTags, but Samsung SmartTags and Chipolo Tags too.

From here it's just a normal app installation. Allow the app to use Bluetooth, disable battery saving mechanisms (so it stays active while being executed in the background) and that's it.

As I own no AirTag or similar device I can't test it, but I will update this article when I was able to test this.

If you want to stay up-to-date with the development, there is a Twitter account for that: