Artifacts for "Okay Google, Where’s My Tracker? Security, Privacy, and Performance Evaluation of Google’s Find My Device Network"

This repository contains information about the artifacts for the accepted PETS 2025 paper "Okay Google, Where’s My Tracker? Security, Privacy, and Performance Evaluation of Google’s Find My Device Network". Our artifacts are split across multiple repositories, as we have several artifacts that contribute to this paper.

Paper Abstract

In May 2024, Google launched the Find My Device Network (FMDN), an offline-finding network (OFN) that allows lost Bluetooth devices, such as trackers or headphones, to be located using billions of Android devices as finders. Similar to Apple's Find My network, it is activated by default on all modern Android devices. Google promises end-to-end encryption for all location updates and to protect the privacy of finder devices as well as owners of lost devices and trackers. Although Android is open-source, the FMDN is part of the Google Play Services and only partially publicly specified. We reverse-engineer the proprietary parts of the network, document its behavior, and analyze its privacy, security, and performance. We find several security and privacy issues, including denial-of-service attacks and a potential linkage attack on Android. We further implement a custom app, porting Google's trackers from Android to iOS while also extending the existing features.

Parts of this repository

• Evaluation: As shown in the paper, we tested Google's FMDN against Apple's Find My network. The evaluation scripts and raw data can be found in the data folder (see below).
• We also implemented code to query FMDN trackers and code that can be used to create trackers based on a custom firmware. This code can be found in the GoogleFindMyTools Repository

Evaluation Data

To compare Google's offline-finding network with Apple's Find My network, we built custom trackers and recorded all received location reports from users in the offline-finding networks. Then, we compared the location reports with an actual GPS trace that was recorded on an iPhone. Our results can be found in the paper, while the raw data and the Python scripts to compute the results are part of this repository.

How to run the scripts used for the evaluation

• Clone this repository: git clone https://github.com/seemoo-lab/Artifacts-for-Okay-Google-Where-is-My-Tracker.git or download the ZIP file, and cd into the directory
• Optional: Create venv: python -m venv venv
• Optional: Activate venv: venv\Scripts\activate (Windows) or source venv/bin/activate (Linux & macOS)
• Install all required packages: pip install -r requirements.txt
• Start the program by running evaluator.py: python evaluator.py or python3 evaluator.py

After the program has been executed, it will print the metrics shown in the paper (Number of Locations, Accuracy, ...). In addition, the program generates a map for each route. Those maps can be found in the data directory as HTML files.

Code

In our paper, we reverse-engineer and demonstrate a reimplementation of several functionalities of the Google Find My Device network. Our reimplementation is available as open-source Python scripts on GitHub as the GoogleFindMyTools project.