ZeroTrace AirLeak
Apple Continuity Decoding
Reading Apple device state in real time
Apple devices broadcast a remarkably rich set of signals over BLE that allow nearby Apple devices to coordinate — Continuity, Handoff, AirDrop, Find My, and more. AirLeak decodes these protocols and surfaces them as live device state.
This tutorial covers what's readable, what it tells you, and how to use it.
What's broadcast
Every iPhone, iPad, Mac, Watch, AirPods, and Apple TV continuously broadcasts one or more Continuity advertisements. The signals are public — they have to be, for the protocols to work — but most people don't realize how rich they are.
The most useful types AirLeak decodes:
| Type | What it carries | When you see it |
|---|---|---|
| Nearby Info | Action code, lock state, OS version, WiFi state | Constantly, every iPhone |
| Nearby Action | More-detailed action code | During specific user actions |
| AirDrop | Hash prefixes of Apple ID, phone, email | When AirDrop is set to Everyone or Contacts |
| Proximity Pairing | Model ID, battery state, lid state | AirPods, Beats |
| Find My | Tracker identity, separated state, battery | AirTags and Find My accessories |
| Handoff | Clipboard counter, encrypted payload | When you copy text on a paired Apple device |
| AirPlay Target | AirPlay-available state | Apple TVs, HomePods |
| Watch Companion | Pairing state, link health | Apple Watch ↔ iPhone |
| Magic Switch | Apple TV input switching | When changing inputs |
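The framing these advertisement types share, as an added example (not AirLeak's own code): an Apple manufacturer-data payload is a run of type/length/value records, and this parser splits one payload into records while rejecting truncated input. Only type 0x07 is given on this page; the other type values come from public Continuity reverse-engineering and are assumptions here, as are the function name and the constructed sample bytes.

```python
from typing import List, Tuple

APPLE_COMPANY_ID = 0x004C  # Bluetooth SIG company identifier for Apple

# 0x07 is stated on this page; the other values are assumptions taken from
# public Continuity reverse-engineering, not from AirLeak itself.
CONTINUITY_TYPES = {
    0x05: "AirDrop",
    0x07: "Proximity Pairing",
    0x09: "AirPlay Target",
    0x0B: "Magic Switch",
    0x0C: "Handoff",
    0x0F: "Nearby Action",
    0x10: "Nearby Info",
    0x12: "Find My",
}


def split_continuity(mfg_data: bytes) -> List[Tuple[str, bytes]]:
    """Return (type name, value) for each TLV record in one advertisement.

    mfg_data is the manufacturer-specific AD payload: a 2-byte little-endian
    company ID followed by back-to-back [type][length][value] records.
    """
    if len(mfg_data) < 2:
        raise ValueError("too short for a company identifier")
    if int.from_bytes(mfg_data[:2], "little") != APPLE_COMPANY_ID:
        raise ValueError("not Apple manufacturer data")

    records, pos = [], 2
    while pos < len(mfg_data):
        if pos + 2 > len(mfg_data):
            raise ValueError(f"truncated TLV header at offset {pos}")
        msg_type, length = mfg_data[pos], mfg_data[pos + 1]
        value = mfg_data[pos + 2 : pos + 2 + length]
        if len(value) != length:  # length byte points past the end of the payload
            raise ValueError(f"type 0x{msg_type:02x} claims {length} bytes, {len(value)} left")
        name = CONTINUITY_TYPES.get(msg_type, f"unknown(0x{msg_type:02x})")
        records.append((name, value))
        pos += 2 + length
    return records


# Constructed sample, not a capture: Nearby Info (5 bytes) followed by a
# shortened 3-byte Handoff record. All value bytes are placeholders.
SAMPLE = bytes.fromhex("4c00" "1005" "0118aabbcc" "0c03" "000400")
```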
Reading "what's the phone doing right now"
The most engaging Continuity signal is the action code. It tells you, in real time, what the phone owner is doing.
Open any iPhone's detail page. Look at the Apple state section. The "Last action" field updates as the phone broadcasts.
Common action codes you'll see:
| Action | What's happening |
|---|---|
| screen_on | The phone's screen just lit up — user picked it up or got a notification |
| screen_off | Screen went to sleep |
| mobile_data | Cellular data is in use right now |
| tethering_source | Phone is acting as a hotspot |
| tethering_target | Phone is connected to another phone's hotspot |
| initiating_call_or_facetime | Outbound call ringing |
| active_call_or_facetime | Currently on a call |
| apple_pay | Apple Pay UI is open |
| photos_screen | Photos app is open |
| settings_screen | Settings app is open |
| continuity_camera | Using iPhone as Mac webcam |
| universal_control | Mouse moving between iPhone/iPad/Mac |
| hand_off | Handing off a task between Apple devices |
| nearby_setup | New-device setup flow |
| watch_locked / watch_unlocked | Apple Watch lock state |
| watch_paired | Apple Watch pairing state |
Watch the action chip while you use your own iPhone. You'll see it react to almost everything you do.
Reading the lock state
The Nearby Info advertisement includes a flag for whether the device's screen is currently unlocked.
In the device detail under Apple state:
Lock state: unlocked
The lock state is updated with every advertisement (~1 second cadence). When you lock your phone (press the side button), the broadcast updates within 1–2 seconds and the chip changes.
This is fascinating to demonstrate to people: yes, your phone really does broadcast its lock state.
Reading the iOS version
Modern iPhones broadcast their iOS major version (16, 17, 18) in the Nearby Info advertisement.
In the device detail Identifiers section:
OS major: 18
This is enough information to know if a phone is running the current major version, last year's, or older. From a security perspective: a phone broadcasting OS major: 16 is on a deprecated version with known exploits.
The minor version (e.g. 18.0.3) is not broadcast — only the major.
Reading AirPods battery levels
AirPods broadcast their battery levels openly via Proximity Pairing (Type 0x07).
In the device detail Battery section:
Left: 80% ⚡ (charging)
Right: 80%
Case: 75%
The battery values update every time AirPods change state — opening the case, putting them in your ear, charging.
Lid open / closed is also surfaced via the status byte.
Reading AirDrop discoverability
If a nearby iPhone has AirDrop set to Everyone, AirLeak picks up AirDrop advertisements. The detail page shows hash prefixes:
AirDrop status: Everyone
AppleID hash: ab cd
Phone hash: 12 34
Email hash: 7e 81
These are short hashes — typically 16–24 bits each — and can be cracked offline back to plaintext within seconds. The fact that the phone is broadcasting them is itself a privacy concern, which is why iOS 16.2 changed the default to Contacts-only.
The airdrop_discoverable alert (severity 2) fires when a phone in Everyone mode is observed.
Reading Handoff state
Handoff is the protocol behind Universal Clipboard ("copy here, paste there") and Continuity-app handoff ("continue this email on your other device").
The detail page surfaces:
Handoff seq: 4
The sequence counter increments every time the user copies something on any paired device. Watching this counter in real time tells you when copy / paste actions are happening on the user's nearby Apple devices.
The actual clipboard content is encrypted — we can't read what was copied.
Reading Apple TV / HomePod state
Apple TVs broadcast AirPlay Target advertisements:
AirPlay status: available
Lock state: unlocked
Session: <session ID>
HomePods broadcast a similar AirPlay Target advertisement plus their own Continuity signals. They appear in the device list as apple_tv or homepod accordingly.
Demonstration: watch your own iPhone live
This is the most compelling AirLeak demo:
- Connect AirLeak, switch to Monitor.
- Open your own iPhone's device detail page in the desktop.
- Pick up your iPhone. Watch the action chip change to screen_on.
- Lock the iPhone. Watch the lock state change to locked.
- Open Photos on the iPhone. Watch the action chip change to photos_screen.
- Make a call. Watch the chip transition to initiating_call_or_facetime then active_call_or_facetime.
- End the call. Watch the chip clear.
The reaction time is 1–2 seconds. It's a striking demonstration of what your phone says to the air constantly.
What this is useful for
- Privacy education — demonstrating to people what their own devices broadcast
- Security research — characterizing the leak surface of Apple devices
- Vendor-side QA — verifying changes in iOS reduce or change disclosure patterns
- Forensic timeline — reconstructing what an Apple device was doing at a specific time
What it's not useful for:
- Decryption — Continuity payloads include hash prefixes and encrypted handoff data; they're identifying but the actual content (clipboard, contact info) is protected
- Locating people — RSSI gives rough proximity but not position
- Tracking outside BLE range — Continuity is only readable within ~10–30 meters
Privacy implications
Apple Continuity is the most privacy-revealing protocol that consumer devices broadcast routinely. Every iPhone in the world emits these signals, and every BLE-capable receiver can decode them.
Apple has been gradually tightening what's broadcast (e.g. iOS 16.2 changing AirDrop default to Contacts-only after researchers showed how easy the hashes are to crack). But the fundamental design — broadcasting state for Continuity to work — is unlikely to change.
The privacy lessons:
- Don't carry an iPhone you'd rather not be observed — turn off Bluetooth in genuinely sensitive contexts
- Update iOS — old major versions broadcast more identifying information than new ones
- AirDrop Contacts-only or Off — never leave it on Everyone
The first time someone watches their own iPhone broadcast screen_on and screen_off in real time on AirLeak, they understand BLE privacy in a way no abstract explanation conveys. Try it as a teaching tool — it's how AirLeak makes the invisible visible.