ZeroTrace AirLeak

Common Workflows

Step-by-step recipes for the things people commonly want to do

Recipes for the most common things people do with AirLeak. Each recipe is a step-by-step walkthrough — copy the steps, follow along.


Recipe 1: Find an AirTag that may be following you

Goal: Determine if any tracker has been with you for hours.

  1. Connect AirLeak. Switch to Monitor.
  2. Take it with you through your normal day (commute, errands, etc.).
  3. At the end of the day, open Insights → Trackers.
  4. Look at the Multi-hour followers card.
  5. If empty: no trackers have been with you long enough to alert. You're clear.
  6. If non-empty: each entry is a tracker that triggered the alert.

Time: Run all day. 5 min review.


Recipe 2: Audit your own iPhone's privacy

Goal: See exactly what your iPhone broadcasts and reduce leaks.

  1. Connect AirLeak. Switch to Monitor.
  2. Open Devices → BLE.
  3. Search for your iPhone's name.
  4. Click the row to open detail.
  5. Check each section:
    • Header — is the name personal? Rename in iOS Settings → General → About → Name.
    • Apple state — note OS major version (current?), action codes (working as expected).
    • Probed SSIDs — expand. Note any corporate, hotel, airport SSIDs you'd rather not broadcast.
  6. Open iOS Settings → WiFi → Edit. Forget networks revealed in the probed list that you don't need.
  7. Check Settings → General → AirDrop. Set to Contacts only if not already.
  8. (Optional) Mark the device as own in AirLeak.

Time: 15 minutes.


Recipe 3: Quick "who's around me" check

Goal: See what's nearby in a new space (hotel, conference room, AirBnB).

  1. Connect AirLeak. Switch to Monitor.
  2. Wait 60 seconds.
  3. Open Insights → Distribution. Read the class breakdown.
  4. Open Devices → BLE. Use filter chips to drill in:
    • Trackers — anything left in the room?
    • Smart Home — what's connected here?
    • Phones — how many people are around?
  5. Open Devices → WiFi. Check the encryption posture of the local network.

Time: 5 minutes.


Recipe 4: Catch a stranger's network history

Goal: Understand what probe-requests reveal about people in a public space.

  1. Connect AirLeak in a public space (coffee shop, train station, conference).
  2. Switch to Monitor. Wait 5 minutes.
  3. Open Insights → Network leakage.
  4. Look at Top probed SSIDs. Each one is a network somebody nearby has joined.
  5. Click any SSID to see the devices that probed for it.
  6. Click any device to see its full probed-SSID set in detail.

Privacy reminder: This data is sensitive. Don't publish or share strangers' SSID histories. See Probe Analysis → Responsible practices.

Time: 10 minutes.


Recipe 5: Detect an evil-twin AP

Goal: Check if a network you trust is being impersonated.

  1. Connect AirLeak. Switch to Monitor.
  2. Wait 60 seconds.
  3. Open Devices → WiFi.
  4. Search for your network's SSID.
  5. If multiple BSSIDs appear with the same SSID:
    • Click each.
    • Compare encryption (legitimate is WPA2-Enterprise → rogue is WPA2-Personal?)
    • Compare vendor IEs (legitimate has Cisco/Aruba IEs → rogue is generic?)
  6. Open Alerts. Filter by deauth_burst.
    • If it fired during your time in this space, that's another rogue-AP signal.

Time: 5 minutes.
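
The comparison in step 5, written out as an added example (this is not AirLeak's code or export format). The record field names and the sample observations are constructed for illustration; the `deauth_burst` alert name is the one from step 6.

```python
from collections import Counter, defaultdict

# Constructed observations. Field names are hypothetical, not AirLeak's
# export schema; map them from whatever your capture actually provides.
SAMPLE_APS = [
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:00:00:01", "enc": "WPA2-Enterprise", "ies": ["Cisco"]},
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:00:00:02", "enc": "WPA2-Enterprise", "ies": ["Cisco"]},
    {"ssid": "CorpNet", "bssid": "02:11:22:33:44:55", "enc": "WPA2-Personal", "ies": []},
    {"ssid": "CafeGuest", "bssid": "aa:bb:dd:00:00:09", "enc": "WPA2-Personal", "ies": []},
]
SAMPLE_ALERTS = [{"type": "deauth_burst"}]  # constructed


def profile(ap):
    """What step 5 compares: encryption plus the set of vendor IEs."""
    return (ap["enc"], frozenset(ap["ies"]))


def find_suspect_bssids(aps, alerts=()):
    """Flag BSSIDs whose profile differs from the majority for their SSID."""
    by_ssid = defaultdict(list)
    for ap in aps:
        by_ssid[ap["ssid"]].append(ap)
    deauth = any(a["type"] == "deauth_burst" for a in alerts)
    findings = []
    for ssid, group in by_ssid.items():
        counts = Counter(profile(ap) for ap in group)
        if len(counts) < 2:
            continue  # one BSSID, or several that all match: nothing to flag
        baseline, votes = counts.most_common(1)[0]
        majority = votes * 2 > len(group)
        for ap in group:
            if majority and profile(ap) == baseline:
                continue  # matches what most APs on this SSID advertise
            reasons = []
            if not majority:
                reasons.append("no majority profile, review every BSSID")
            else:
                if ap["enc"] != baseline[0]:
                    reasons.append(f"encryption {ap['enc']} vs {baseline[0]}")
                if frozenset(ap["ies"]) != baseline[1]:
                    reasons.append("vendor IEs differ from majority")
            if deauth:
                reasons.append("deauth_burst alert in same capture")
            findings.append({"ssid": ssid, "bssid": ap["bssid"], "reasons": reasons})
    return findings
```

Several BSSIDs under one SSID is normal for a multi-AP deployment, so only a mismatched profile is flagged. Treat a finding as a lead to check against the network's known AP inventory, not as proof of impersonation.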


Recipe 6: Watch your own iPhone's state in real time (demo)

Goal: Demonstrate to someone what their phone broadcasts.

  1. Connect AirLeak. Switch to Monitor.
  2. Open the target iPhone's device detail page.
  3. Pick up the iPhone. Watch the action chip change to screen_on.
  4. Lock the iPhone. Watch lock state become locked within 1–2 s.
  5. Open Photos. Watch action become photos_screen.
  6. Make a call. Watch action go through initiating_call_or_facetime → active_call_or_facetime.
  7. End the call. Watch chip clear.

This is the most striking AirLeak demo — most people don't believe their phone broadcasts these states until they see it live.

Time: 5 minutes.


Recipe 7: Audit your home network's security

Goal: Confirm your home WiFi is set up securely.

  1. Connect AirLeak in your home. Switch to Monitor.
  2. Wait 60 seconds.
  3. Open Devices → WiFi.
  4. Find your network. Click for detail.
  5. Check:
    • Encryption — should be at least WPA2-Personal (ideally WPA3-Personal or mixed)
    • MFP: required (WPA3) or capable (WPA2). NOT off.
    • WPS — should NOT be enabled (WPS-PIN is brute-forceable)
    • BSS Load — number of associated stations. Higher than expected = someone using your network without permission?
    • Country IE — should match your country
  6. Fix any concerns by logging into your router admin and adjusting settings.

Time: 10 minutes.


Recipe 8: Capture a forensic record of an event

Goal: Save a verifiable record of what was around you at a specific time (for security research, legal documentation, or insurance).

  1. Connect AirLeak. Switch to Monitor.
  2. Open Sessions. Note the new session ID and start time.
  3. Capture for the duration of the event.
  4. Switch to Setup to finalize the session.
  5. Rename the session: e.g. Office Break-in 2026-05-07 night.
  6. Download JSON and Download summary from the session menu.
  7. Store the JSON file securely. The session ID is unique and includes capture-time metadata.

The JSON is a complete record — every device, event, alert, and heartbeat. Suitable for forensic submission.

Time: 1 minute setup + capture duration.


Recipe 9: Run a long overnight capture

Goal: Capture overnight without overflowing the unit's memory.

  1. Connect AirLeak. Switch to Monitor.
  2. Adjust settings for a long-running capture:
    airleak-throttle 2000        # double the throttle to reduce stream pressure
    airleak-channels 1,6,11      # only non-overlapping channels
    airleak-scan-window 50       # half-duty BLE to free memory headroom
    
  3. Confirm the unit is plugged into a stable USB port (not battery).
  4. Leave the desktop app running on a screen-locked machine.
  5. In the morning, switch back to Setup to finalize the session.

The unit will run smoothly for 12+ hours with these settings even in a moderately dense environment.

Time: 2 minutes setup + overnight.


Recipe 10: Mark all your own devices

Goal: Tell AirLeak which devices are yours so future captures filter them out.

  1. Connect AirLeak. Switch to Monitor.
  2. Bring out every device you own that broadcasts BLE: phone, laptop, AirPods, watch, AirTags, smart speakers, etc.
  3. Wait 2 minutes for them to populate the device list.
  4. For each, click in the device list, then click Mark as own in the header.
  5. Add a note for each (AirTag on keys, Daughter's iPhone).
  6. Future captures will exclude these from multi_hour_follower scoring and label them in the library.

Time: 15 minutes (one-time setup).


Recipe 11: Check encryption of every WiFi at a venue

Goal: Get a quick read on a venue's WiFi security posture.

  1. Connect AirLeak at the venue. Switch to Monitor.
  2. Wait 60 seconds.
  3. Open Devices → WiFi.
  4. Apply filter: Open networks. See if anything appears.
  5. Apply filter: WEP. See if anything appears.
  6. Apply filter: MFP off. See which APs lack MFP.
  7. Apply filter: With WPS. See which APs have WPS-PIN enabled.
  8. Open Alerts. Filter by severity ≥ Medium. See WiFi-related alerts (wep_network_near, wpa_personal_only, deauth_burst, etc.).

Time: 5 minutes.


Recipe 12: Build a personal device library over time

Goal: Have AirLeak recognize your regular devices automatically.

  1. First few captures — switch to Monitor for ~1 hour each, in places where you regularly spend time (home, office). Don't filter or change anything.
  2. After 5 sessions — open Insights → Library. You'll have ~50–200 devices.
  3. Mark your own — open detail, Mark as own, add notes. Spend 5–10 minutes on this.
  4. Label others: family, coworker, unknown for context.
  5. From here forward — your captures recognize known devices instantly. Multi-hour-follower alerts only fire on truly new entities.

Time: Cumulative, but only ~20 minutes of marking once you have a few sessions.


Build muscle memory

These recipes are deliberately small. Each is one specific outcome. Pick the one matching your current goal, walk through it, then close the doc. Over time you'll memorize the workflows you use most.
