How Apple Airtags Work?
There is a small white disc sitting on your key ring right now. It weighs eleven grams. It has no GPS chip, no cellular radio, and no Wi-Fi antenna. Its battery lasts over a year. And yet, if you drop your keys somewhere in downtown Tokyo, there is a very good chance you will get an accurate location update within minutes, without Apple ever knowing where your keys are.
That combination of properties is not magic. It is one of the most carefully engineered consumer-scale distributed systems in the world, and the design decisions behind it touch almost every interesting area of modern infrastructure: Bluetooth Low Energy networking, end-to-end encrypted relay systems, crowd-sourced location discovery, ultra-wideband spatial positioning, privacy-preserving cryptography, and a globally distributed event pipeline spanning hundreds of millions of devices.
This blog walks through the full internal architecture of Apple AirTags, from the radio signals pulsing out of the hardware to the cloud infrastructure that receives, processes, and delivers location events back to owners. By the end, you should understand not just what AirTags do, but why each system is designed the way it is, what the tradeoffs are, and how this infrastructure scales to a network of over a billion Apple devices.
What Apple AirTags Are and Why They Matter
Before AirTags, tracking a lost item typically meant relying on GPS. GPS trackers work reasonably well outdoors but require cellular or Wi-Fi connectivity to upload their position, have batteries measured in days or weeks, and broadcast their presence loudly to anyone listening. They also cost more, require SIM cards in some cases, and fundamentally cannot work indoors where GPS signals are too weak.
AirTags sidestep all of that. Instead of using their own GPS or cellular connection, they hitchhike on the massive installed base of Apple devices around them. An AirTag sitting inside a bag on a train broadcasts a short Bluetooth Low Energy advertisement packet. Every iPhone and iPad nearby receives that advertisement, silently looks up the AirTag’s rotating public key, uses it to encrypt the current GPS position of the iPhone, and uploads that encrypted blob to Apple’s servers. The AirTag’s owner can then download that blob, decrypt it with the matching private key that only they hold, and recover the location.
The elegance is that Apple’s servers receive an encrypted blob and a hashed key identifier. They can match the blob to a specific AirTag for retrieval purposes, but they cannot decrypt the location. The relaying iPhone does not know it helped track someone else’s item. The AirTag does not know where it is. The privacy properties are not marketing language; they are architectural constraints baked into the cryptographic design.
That is a genuinely hard problem to solve at scale, and it is why AirTags became a landmark in consumer IoT design rather than just another item tracker.
Core Features of Apple AirTags
Understanding the features before the architecture helps frame why certain design decisions were made.
- Item tracking through passive Bluetooth advertisement broadcasting with no active connection required.
- Precision Finding using Ultra Wideband radio to guide the user to within centimeters of the AirTag when physically nearby.
- Crowd-sourced location relay through the Find My network, enabling location updates even when the AirTag is far from the owner.
- Lost Mode, which sends a notification to the owner when the AirTag is detected by any device in the Find My network.
- Anti-stalking protections including audible alerts, cross-platform detection apps, and automatic notifications to non-Apple users when an unknown AirTag has been traveling with them.
- End-to-end encrypted location data ensuring Apple cannot read location history even though it routes the relay traffic.
- Over-a-year battery life from a single CR2032 coin cell, achieved through extremely aggressive power management of the BLE radio.
- Seamless onboarding via NFC-assisted pairing that ties the AirTag to an Apple ID through Apple’s identity infrastructure.
Each of these features creates engineering constraints that shape every layer of the system architecture.
High-Level AirTag Architecture
The full system has four major planes: the AirTag hardware itself, the network of finder devices (iPhones, iPads, Macs), the Apple cloud backend, and the owner’s device where location is ultimately decrypted and displayed.
Notice what is missing from this diagram: there is no direct connection from the AirTag to Apple’s servers. The AirTag never talks to the internet. It only talks to nearby Bluetooth devices, and those devices do the heavy lifting of uploading location data on its behalf. This architectural choice is central to the entire system’s viability. It means the AirTag needs no internet radio, no cellular modem, and no persistent network connection. The battery cost stays minimal.
The tradeoff is that location freshness depends on how many finder devices are physically near the AirTag. In a dense urban area with thousands of iPhones passing by every hour, location updates arrive very frequently. In a rural area with few Apple devices, updates may be sparse or delayed. The system’s coverage is essentially a function of Apple device density in the physical world.
Bluetooth Low Energy Deep Dive
Bluetooth Low Energy is the backbone of AirTag communication, and understanding it well explains most of the hardware design decisions.
BLE was designed specifically for devices that need to communicate infrequently and at low data rates while consuming minimal power. Unlike classic Bluetooth, which maintains persistent connections, BLE uses a broadcast-and-listen model. A device can broadcast tiny advertisement packets (typically 31 bytes of payload) on one of three advertising channels at a configurable interval, and other devices can passively scan for those packets without establishing any connection.
An AirTag operates almost entirely in advertiser mode. It wakes up, broadcasts a small packet containing a rotating identifier derived from its current public key, and goes back to sleep. This cycle repeats roughly every two seconds. The actual radio-on time per cycle is measured in milliseconds. The rest of the time, the processor and radio are in deep sleep, consuming microamps of current. Over the year-long battery life, the AirTag’s power budget is dominated not by any single high-energy operation but by the accumulated cost of millions of these tiny wakeup cycles.
The advertisement interval is an interesting engineering tradeoff. Shorter intervals mean more frequent broadcasts, which increases the chance that a passing iPhone detects the AirTag quickly. But shorter intervals also mean more wakeup cycles per hour, draining the battery faster. Longer intervals save power but increase the latency before a passing finder device detects the AirTag. Apple appears to have settled on an interval that balances detection probability with battery life, and the system tolerates the resulting staleness because the use case does not demand sub-second location freshness for most scenarios.
When an iPhone is scanning for BLE advertisements, it does not need to be actively looking. iOS runs a background BLE scan continuously, and when the Find My system receives an advertisement that matches the format of a tracked item, it processes it transparently. The user of the finder iPhone never sees this happening. There is no UI, no notification, no drain on the visible battery indicator beyond what background processing normally costs.
One subtlety worth noting: BLE uses three dedicated advertising channels (channels 37, 38, and 39) specifically to minimize interference with Wi-Fi, which occupies the same 2.4 GHz band. These advertising channels are positioned in spectrum gaps between the primary Wi-Fi channels. AirTags rotate through all three advertising channels each cycle, which gives any nearby scanner a good chance of receiving the packet regardless of which channel it happens to be listening to at any given moment.
The signal strength (RSSI) of the received advertisement also carries useful information. A stronger signal means the AirTag is physically closer. While BLE RSSI is notoriously noisy, averaging multiple readings over time can give a rough distance estimate, and iOS uses this information to display a directional hint in the Find My app even before UWB Precision Finding is activated.
Find My Network Architecture
The Find My network is essentially a crowd-sourced location relay system at planetary scale. As of recent estimates, there are over a billion Apple devices in active use worldwide. Every iPhone, iPad, and Mac running a recent version of iOS or macOS participates in the Find My network as a passive relay, uploading location information on behalf of any tracked AirTag it detects.
The coordination problem this creates is interesting. Apple needs hundreds of millions of devices to participate in background scanning and uploading without those devices knowing whose items they are tracking, without meaningful battery impact, and without requiring explicit user consent for each individual relay operation. Users consent once during device setup to participate in the Find My network, and after that the system runs invisibly.
From a distributed systems perspective, the Find My network is a push-based, opportunistic relay system with no guarantees about delivery timing, relay overlap, or coverage density. It is designed for eventual consistency, not real-time tracking. The owner expects to know roughly where their item was within the last few minutes or hours, not the exact current position updated every second.
The relay architecture has an important deduplication problem. If an AirTag sits in a busy coffee shop for an hour, dozens of iPhones may detect it and upload location events. Apple’s servers would receive dozens of encrypted blobs representing essentially the same location. The system needs to handle this gracefully: store enough events to ensure the owner gets a recent location, but not store unlimited duplicates indefinitely.
Apple addresses this partly through upload throttling on the finder device side. An iPhone that has already recently uploaded a location event for a given AirTag key will not upload another one immediately. The local device maintains a lightweight record of recently relayed identifiers and suppresses redundant uploads within a time window. This reduces server load and network usage without meaningfully degrading location freshness from the owner’s perspective.
Encrypted Location Relay System
This is where the system gets genuinely sophisticated. Apple had to solve a hard problem: enable relay devices to report the location of items they detected, without revealing to Apple what item was detected, who owns it, or where it was. The solution uses public-key cryptography in a clever way.
When an AirTag is paired with an owner’s Apple ID, a master secret key is generated on the owner’s device and stored there and on the AirTag. From that master secret, a large family of public/private key pairs is derived deterministically. The AirTag rotates through these public keys over time, broadcasting a different one every fifteen minutes in the identifier included in its BLE advertisement.
When a finder iPhone detects the advertisement, it extracts the current public key identifier, captures its own GPS location, and uses that public key to encrypt the location data. It then uploads the encrypted blob to Apple’s servers along with a hash of the public key. Apple’s servers store the blob indexed by the key hash.
When the owner wants to know where their AirTag is, their device requests the encrypted blobs associated with the known key hashes for that AirTag’s current rotation window. Apple’s servers return the blobs without being able to read them. The owner’s device has the private keys corresponding to those public keys, decrypts each blob locally, and recovers the original GPS coordinates.
The key rotation is crucial for privacy. If the AirTag broadcast the same identifier indefinitely, any observer with a BLE scanner could track its physical movement over time by following that identifier through space. By rotating the identifier every fifteen minutes, the AirTag becomes unlinkable across rotation windows to any observer who does not have the master secret. Different finder devices that detect the same AirTag in different time windows upload blobs with different key hashes, and only the owner can link them together because only the owner knows the derivation sequence.
This design means Apple’s servers hold a table of encrypted blobs keyed by opaque hashes. Apple cannot tell which blobs belong to the same AirTag, which AirTag corresponds to which user, or what location data any blob contains. The privacy guarantees are not dependent on Apple choosing not to look; they are dependent on Apple being technically unable to look without breaking the encryption.
Ultra Wideband and Precision Finding
BLE gives you a city-block-level location. Ultra Wideband gives you sub-meter accuracy. These two radios serve fundamentally different purposes in the AirTag system, and it is worth understanding why both are necessary.
Ultra Wideband is a radio technology that uses very short pulses spread across a very wide frequency spectrum, typically hundreds of megahertz or more. Because the pulses are so short, the time it takes a signal to travel from transmitter to receiver can be measured very precisely, on the order of a few nanoseconds. Since radio signals travel at the speed of light, nanosecond time precision translates to centimeter-level distance precision. This technique is called Time of Flight ranging.
When the owner is physically near their AirTag and activates Precision Finding, the iPhone’s U1 chip (or its successor) engages in a UWB ranging exchange with the AirTag. The U1 measures the time of flight to the AirTag and reports an accurate distance. Because the iPhone can also measure the angle of arrival of the UWB signal, the system can combine distance and angle to give directional guidance: the arrow on the Precision Finding screen points toward the AirTag and the distance readout updates in real time as the user moves.
| Property | Bluetooth Low Energy | Ultra Wideband |
|---|---|---|
| Range | Up to ~100m outdoors | Up to ~10m typical |
| Position accuracy | Several meters (RSSI-based) | 10 to 30 centimeters |
| Direction finding | Limited, angle of arrival optional | Yes, precise angle of arrival |
| Power consumption | Very low | Moderate, active ranging only |
| Use case | Background discovery and relay | Active guided recovery |
| Interference sensitivity | Medium, shares 2.4 GHz | Low, wide spectrum spread |
| Indoor performance | Degraded by multipath | Good, robust to multipath |
UWB is not used for background relay because the power cost of continuous UWB ranging would drain the AirTag’s coin cell in days rather than years. UWB activates only on demand when the owner opens the Precision Finding interface. The rest of the time, the AirTag uses BLE exclusively.
Indoor positioning is a famously hard problem. GPS signals are too weak inside buildings. Wi-Fi-based positioning has meter-level accuracy at best. UWB solves the last-meter problem that GPS and BLE cannot address. When you know your item is somewhere in a room but cannot see it, the directional arrow and distance readout turn the search into a game you can win in under a minute.
Device Pairing and Authentication
Pairing an AirTag to an Apple ID needs to be simple enough that any consumer can do it in under thirty seconds, while establishing a cryptographic identity that cannot be forged or hijacked. Apple solved this with NFC-assisted onboarding backed by iCloud authentication infrastructure.
When you bring a new AirTag close to an iPhone, the NFC field triggers an initial communication that bootstraps the BLE connection. Once the BLE link is up, the AirTag and iPhone perform a mutual authentication handshake using a shared secret provisioned at the factory. This confirms that the device is a genuine Apple AirTag rather than a counterfeit or rogue tracker. The iPhone then registers the AirTag with iCloud, associating the master public key with the owner’s Apple ID and storing the private key material in the owner’s iCloud Keychain with end-to-end encryption.
From a security standpoint, the critical property is that the private key material never leaves the owner’s trusted devices. It lives in the Secure Enclave on iPhone hardware and in the encrypted iCloud Keychain blob. Even if someone compromised Apple’s servers, they could not recover the private keys needed to decrypt location events.
Anti-replay protection matters here too. If an attacker captured the pairing exchange and replayed it later, could they steal ownership? The handshake includes nonces (random values used once) that ensure each pairing exchange is unique. A replayed message from a prior session fails validation because the expected nonce does not match.
Real-Time Tracking Pipeline
“Real-time” is a relative term for AirTags. The pipeline is designed around a latency budget of minutes rather than seconds, which allows for batch uploads, asynchronous processing, and significant optimization opportunities that a truly real-time system could not exploit.
The pipeline works as follows. An AirTag broadcasts continuously. Finder devices detect advertisements during background BLE scans. After detecting a relevant advertisement, a finder device captures its current location, encrypts it, and queues the encrypted blob for upload. The upload happens opportunistically when the device has network connectivity, typically over Wi-Fi or cellular within seconds to minutes. Apple’s servers ingest the upload, associate it with the hashed key identifier, and make it available for retrieval.
The owner’s Find My app polls for new location events at configurable intervals, or receives push notifications when a new event arrives. The app decrypts the most recent blob and updates the map.
The queuing step on the finder device is important for reliability. If the device has no network at the moment of detection (common in underground transit, for example), the event sits in a local queue and uploads the next time connectivity is available. This means a finder device that was offline briefly will eventually deliver its relay even after the window has passed. Location history is thus more complete than it might initially seem.
Location freshness degrades in proportion to the time since the last finder device detected the AirTag. In dense cities, freshness is typically measured in minutes. In remote areas, it can be hours or days. The system is honest about this uncertainty: the Find My app shows the time of the last known location, not a claimed real-time position.
Anti-Stalking and Privacy Systems
AirTags created a serious dual-use problem from the beginning. A technology designed to help people find their keys is also, in the wrong hands, a tool to covertly track people. Apple had to build anti-stalking protections into the system architecture itself, not just as afterthoughts.
The core protection is the unknown tracker alert. iOS and Android (via Apple’s Tracker Detect app, later embedded in Android’s operating system) continuously scan for AirTags that are traveling with a device but are not registered to the device’s owner. If an AirTag has been near a particular person for an extended period, separated from the owner it is registered to, the non-owner receives a notification that an unknown AirTag has been traveling with them.
The detection logic is more nuanced than it first appears. An AirTag sitting in a store owner’s shop will be near many customers each day, but it is not following any single customer. The system avoids false positives by requiring the AirTag to have been consistently near the same non-owner device across time and space, establishing a pattern of co-movement rather than simple proximity.
When the three-day alert timer expires on a stationary AirTag (separated from its owner), the AirTag also begins emitting an audible chirping sound, making it physically discoverable even for someone without a smartphone.
The tradeoff here is interesting. A more aggressive detection threshold catches more stalking scenarios but generates more false positives, annoying users and eroding trust in the system. A more lenient threshold fails to catch sophisticated stalking where someone places an AirTag briefly. Apple has adjusted these parameters over time based on real-world reports of both missed detections and false positives, which is an ongoing empirical engineering challenge.
The privacy system also had to be designed carefully to avoid introducing new privacy problems in the act of solving existing ones. The unknown tracker alert needs to work even for Android users who do not have an Apple ID. Apple’s approach was to build the detection into the Bluetooth scanning layer of Android, later partnering with Google to integrate this functionality directly into Android itself, so that any Bluetooth-capable Android device can detect unknown trackers without requiring a special app.
Geo-Location and Position Estimation
The location stored in an encrypted relay blob is not the AirTag’s location. It is the finder device’s location at the moment it detected the AirTag. This distinction matters for accuracy.
On an iPhone with clear sky view, GPS accuracy is typically two to five meters. Inside a building, the iPhone falls back to Wi-Fi positioning using Apple’s large database of Wi-Fi access point geolocations, which can give ten to fifty meter accuracy. In dense urban canyons or areas with poor GPS, accuracy degrades further. In the worst case, cellular tower triangulation provides city-block-level accuracy of a hundred meters or more.
| Positioning Method | Typical Accuracy | Works Indoors | Power Cost | Latency |
|---|---|---|---|---|
| GPS | 2 to 5 meters | No | High | Cold start 30-60s, warm start 1-3s |
| Wi-Fi positioning | 10 to 50 meters | Yes | Medium | Under 1 second |
| Cellular triangulation | 50 to 300 meters | Partial | Low | Under 1 second |
| UWB Precision Finding | 10 to 30 centimeters | Yes | Medium | Real-time continuous |
| BLE RSSI estimation | 1 to 5 meters approximate | Yes | Very low | Real-time with averaging |
The system implicitly trusts the finder device’s self-reported location. This creates an interesting attack surface: a malicious finder device could report false GPS coordinates in the encrypted blob. Since the blob is encrypted with the AirTag’s public key, Apple cannot validate the location inside it. The owner would receive a plausible-looking but incorrect location. This is a known limitation of the architecture. The mitigation is that the incentive to do this at scale is unclear, and the find My network’s consensus effect means multiple independent relays from real devices usually outweigh any single bad actor.
Database and Storage Design
Apple’s Find My backend needs to store encrypted location blobs, device identifiers (in hashed form), pairing records, and safety alert data. The schema design is constrained by two forces pulling in opposite directions: the need to efficiently retrieve events by key hash, and the need to avoid storing data that could reveal the relationship between items, owners, and locations.
A simplified schema for the core entities looks like this:
-- Encrypted location events uploaded by finder devices
CREATE TABLE location_events (
id UUID PRIMARY KEY,
key_hash BYTEA NOT NULL, -- SHA-256 of current public key
encrypted_blob BYTEA NOT NULL, -- GPS data encrypted with public key
uploaded_at TIMESTAMPTZ NOT NULL,
ttl_expires_at TIMESTAMPTZ NOT NULL -- Events expire after 24 hours
);
CREATE INDEX idx_location_events_key_hash ON location_events (key_hash, uploaded_at DESC);
-- Rotating public key hashes per AirTag, owned by the owner's device
CREATE TABLE device_key_hashes (
id UUID PRIMARY KEY,
airtag_token BYTEA NOT NULL, -- Opaque token, not a plain Apple ID
key_hash BYTEA NOT NULL,
valid_from TIMESTAMPTZ NOT NULL,
valid_until TIMESTAMPTZ NOT NULL
);
CREATE INDEX idx_device_key_hashes_token ON device_key_hashes (airtag_token, valid_from);
-- Safety alerts for non-owner devices detecting unknown trackers
CREATE TABLE safety_alerts (
id UUID PRIMARY KEY,
alert_type TEXT NOT NULL, -- UNKNOWN_TRACKER, SEPARATED_OWNER
key_hash BYTEA NOT NULL,
first_seen_at TIMESTAMPTZ NOT NULL,
last_seen_at TIMESTAMPTZ NOT NULL,
alert_sent_at TIMESTAMPTZ
);
-- Relay participation record for throttling
CREATE TABLE relay_throttle (
finder_token BYTEA NOT NULL, -- Hashed device identifier
key_hash BYTEA NOT NULL,
last_relayed_at TIMESTAMPTZ NOT NULL,
PRIMARY KEY (finder_token, key_hash)
);
Notice that the server-side schema never stores Apple IDs in plaintext next to device identifiers. The link between an owner’s identity and a specific AirTag lives only in the owner’s iCloud account, encrypted. The server knows an opaque token maps to some set of key hashes. It cannot determine which user that token belongs to without querying the iCloud identity system separately, with appropriate authentication.
Location events are short-lived. Apple retains them for roughly 24 hours before expiration. This data minimization policy limits the exposure window if the server is ever compromised, and it reflects the fact that location history older than 24 hours is rarely needed for finding a lost item (if it is, the AirTag will have generated new events since then).
For geo-spatial indexing, the encrypted blob means Apple’s servers cannot index by location. All spatial queries happen on the decrypted data on the owner’s device. This is an unusual database design constraint forced by the privacy architecture: you cannot build a PostGIS index on data you cannot read.
Event-Driven Architecture
The volume of location events flowing through Apple’s infrastructure is enormous. With over a billion finder devices, even if each device relays one event per day on average, that is a billion write operations per day to the location events table, roughly twelve thousand writes per second sustained, with significant spikes during peak hours.
A synchronous write path from finder device to relational database would not survive this volume. The architecture almost certainly uses an event streaming layer as a buffer between the upload endpoint and the storage backend.
The event streaming layer provides durability guarantees: even if a downstream consumer crashes, the event is retained in the stream and reprocessed when the consumer recovers. It also enables fan-out, where a single upload event is consumed by multiple independent consumers: the storage consumer, the deduplication consumer, the safety alert consumer, and potentially analytics pipelines.
The deduplication consumer needs to identify and collapse multiple relays of the same AirTag detection from nearby devices within the same time window. This is fundamentally a windowed aggregation problem. The consumer groups events by key hash within rolling time windows and stores only the most recent or highest-quality relay, discarding lower-confidence duplicates.
Caching System Design
Location lookup is a read-heavy workload once the event writing infrastructure is handled. When an owner opens the Find My app, they want their AirTag’s last known location immediately, not after a database scan through millions of records.
| Cache Layer | What Is Cached | TTL | Purpose |
|---|---|---|---|
| Device metadata cache | AirTag token to key hash mapping | 15 minutes (key rotation window) | Avoid repeated key hash lookups |
| Latest event cache | Most recent encrypted blob per key hash | 5 minutes | Fast retrieval for owner app polling |
| Throttle cache | Finder token plus key hash last relay time | Match throttle window, typically 10 min | Prevent redundant relay uploads in memory |
| Authentication token cache | Validated session tokens | Session lifetime | Avoid repeated iCloud auth round-trips |
Cache invalidation for the latest event cache is event-driven. When the event streaming consumer stores a new location event for a key hash, it also invalidates or updates the cache entry for that key hash. This keeps the cached value fresh without requiring the owner’s app to bypass the cache on every poll.
The throttle cache is interesting because it needs to be shared across all ingest API nodes. A finder device might upload to any of thousands of ingest servers globally due to load balancing. If the throttle check were local to each server, the same device could relay the same AirTag event to all thousand servers before any throttle kicked in. The throttle cache must be distributed, either in a Redis cluster or similar shared in-memory store, and the write must be atomic to prevent race conditions.
Scalability Deep Dive
Scaling the Find My network means scaling several distinct subsystems that have very different bottleneck profiles.
The BLE side scales naturally because it is fully distributed. Each AirTag broadcasts independently, and each finder device scans independently. There is no coordination needed between AirTags or between finder devices. The BLE layer scales with the number of devices in the physical world, and Apple has the largest such network in existence.
The ingest API is the first potential centralized bottleneck. With billions of potential uploads per day, horizontal scaling behind a global load balancer is essential. The ingest service needs to be stateless so any server can handle any upload without needing to consult a shared state before processing. Authentication token validation should be cached. Database writes should be asynchronous through the event stream.
The event stream itself needs to be partitioned carefully. Partitioning by key hash ensures that all events for the same AirTag are processed by the same consumer, which makes deduplication efficient. But if certain AirTags are in extraordinarily high-traffic locations (an airport, for example), the partition holding that key hash might become a hot spot. Careful partition assignment with hotspot mitigation is needed.
| Subsystem | Primary Bottleneck | Mitigation Strategy | Scaling Model |
|---|---|---|---|
| BLE broadcasting | Device radio power budget | Optimized advertisement interval | Fully distributed, no central bottleneck |
| Ingest API | Upload request throughput | Stateless horizontal scaling, async writes | Horizontal with global load balancing |
| Event stream | Partition hotspots | Dynamic partition rebalancing | Horizontal partition scaling |
| Location storage | Write volume and read latency | Sharding by key hash, TTL-based expiry | Sharded with time-based partitions |
| Owner retrieval API | Cache miss rate | Distributed cache, push notifications to reduce polling | Horizontal with shared cache layer |
| Safety alert pipeline | Complex co-movement detection logic | Windowed streaming aggregation | Streaming compute with state stores |
Multi-region deployment is critical for both latency and availability. A finder device in London should upload to a European data center, not traverse the Atlantic to reach a US-based server. Apple operates a global CDN and infrastructure footprint that naturally provides geographic affinity. Events generated in a region are stored in that region initially, and the owner’s retrieval request is routed to the region holding the data, or the data is asynchronously replicated to the owner’s home region.
Reliability and Availability
The Find My network’s reliability model is interesting because it tolerates significant imperfection at every layer. AirTags will miss broadcast cycles due to interference. Finder devices will miss advertisements because they were not scanning at that exact moment. Uploads will be delayed by connectivity gaps. None of this is catastrophic because the use case does not require continuous real-time tracking.
The reliability engineering focuses on ensuring that across the many opportunities per day to relay a location, enough successful relays happen to give the owner a usefully recent location. A system that is 90% reliable at any individual relay attempt will successfully relay multiple times per hour in a reasonably populated area. The redundancy comes from the sheer number of independent relay opportunities.
For the server infrastructure, standard practices apply: multi-region active-active deployments with cross-region replication, health checks with automatic traffic failover, circuit breakers on downstream dependencies, and aggressive monitoring of ingestion rates, relay latencies, and decryption failure rates on the owner side.
Stale location is the primary reliability concern from the user’s perspective. The system should display the timestamp of the last known location prominently so users can assess whether the information is actionable. A location from thirty seconds ago is very different from one from eight hours ago, and the UI should make this unambiguous.
Security Architecture
The security architecture of AirTags needs to protect against several distinct threat models.
Against Apple itself: the encryption design ensures Apple cannot read location data even with full server access. This is the strongest guarantee and is achieved through the public-key relay design described earlier.
Against the relay network: finder devices upload encrypted blobs and cannot read them. Even a compromised finder device can only submit incorrect location data, not steal the AirTag owner’s real location from the relay.
Against physical attackers: an AirTag that is physically found and examined does not reveal its owner’s identity. The device stores keying material but not the owner’s Apple ID or contact information. The serial number can be used to contact Apple, who can in turn notify law enforcement if a legal request is made, but this path requires deliberate action and judicial oversight.
Against cryptographic attacks: AirTags use elliptic curve cryptography for key derivation and public-key encryption. The specific curves and key lengths are not publicly documented by Apple, but the design follows industry best practices for efficient embedded-device crypto.
The Secure Enclave on iPhone plays a critical role in protecting the owner’s private key material from extraction. Even if an attacker had code execution on the owner’s iPhone, the Secure Enclave’s hardware isolation prevents direct key extraction. Key operations happen inside the enclave and results are returned, but the raw key bytes never leave the enclave.
| Threat | Mitigation | Residual Risk |
|---|---|---|
| Apple reads location data | End-to-end encryption, Apple holds no private keys | Metadata correlation attacks (theoretical) |
| Finder device reads location | Location encrypted before upload, finder has no private key | Finder reports false location in encrypted blob |
| Identifier tracking across rotations | 15-minute key rotation makes identifier unlinkable | Sufficiently dense observer network could correlate rotations |
| Physical AirTag analysis | No owner info stored on device, keying material protected | Serial number can link to Apple record with legal process |
| Replay attacks on pairing | Nonce-based handshake prevents replay | Physical device theft before pairing |
| Covert stalking | Unknown tracker alerts, audible chirp after separation | Short-duration covert placement window |
Engineering Tradeoffs
Every design decision in the AirTag system reflects a tradeoff that could have been made differently with different consequences.
BLE advertisement interval versus battery life is the most fundamental tradeoff. A two-second interval gives good detection probability with finder devices scanning at typical intervals. A one-second interval would give better detection at roughly double the wake-up power cost. Apple could have chosen ten seconds to dramatically extend battery life, but detection probability in sparse areas would drop significantly. The chosen interval represents Apple’s judgment about where acceptable user experience meets acceptable battery life.
Privacy versus discoverability is a structural tension. A more aggressive anti-stalking system that detected unknown trackers within minutes rather than hours would better protect potential victims. But it would also generate false positives, for example, when a parent tracks a child who visits a friend, or when a piece of luggage travels through an airport near the same passenger for several hours. Apple has adjusted this window over time, and it remains genuinely difficult to calibrate.
Location freshness versus power consumption is solved architecturally by using finder devices for all location reporting. The AirTag itself never uploads anything. But freshness is then limited by the density of finder devices nearby and the upload latency from those devices. In sparse areas, there is no engineering trick that fixes this: the physics of BLE range and the distribution of Apple devices in the world are the binding constraints.
Anonymous relay versus operational complexity is an interesting case where privacy engineering adds genuine infrastructure complexity. If relays were not anonymous, the deduplication problem would be simpler, the throttling mechanism would be simpler, and abuse detection would be easier. Every privacy-preserving design element adds implementation complexity and testing surface. The system’s designers chose to accept this complexity because the privacy properties were non-negotiable requirements, not nice-to-haves.
Real-World Technology Stack
The technologies underlying a system like AirTags reflect both the constraints of the hardware and the scale of the backend.
On the AirTag hardware, the radio stack is likely a custom Apple SoC combining BLE (Bluetooth 5.0 or later), UWB (the U1 chip technology), and NFC into a single low-power package. Firmware is likely written in C or C++ for memory efficiency and predictable timing. The cryptographic operations use hardware acceleration built into the SoC.
On the iOS side, Core Bluetooth provides the BLE scanning APIs that the Find My system builds on. The UWB ranging APIs are exposed through the Nearby Interaction framework. The Find My background daemon is a native Swift or Objective-C process running with elevated background execution privileges. Location encoding and encryption happen in a security-sensitive extension with access to the Secure Enclave via the CryptoKit framework.
On the backend, the ingest API is almost certainly built on a horizontally scalable framework capable of handling millions of requests per second, deployed globally behind Apple’s CDN infrastructure. The event streaming layer resembles Apache Kafka architecturally, though Apple likely operates a proprietary equivalent. Storage uses a combination of distributed key-value stores for the short-lived location events and relational stores for device identity and ownership records. Redis or a compatible distributed cache handles the throttle layer and latest-event cache. The notification delivery system likely integrates directly with Apple Push Notification Service infrastructure.
System Design Interview Perspective
When an interviewer asks you to design an AirTag-like system, they are testing whether you can reason about several challenging distributed systems problems simultaneously. Here is how to approach it.
Start by clarifying the requirements. What is the latency budget? Do you need real-time location or eventual consistency with minutes of lag? What are the privacy requirements? How many devices and AirTags are in scope? Getting these answers changes the architecture significantly.
Walk through the data flow before jumping to components. Explain how an event travels from the AirTag to the owner’s screen. Interviewers want to see that you understand the end-to-end system before you start optimizing individual pieces.
Address privacy proactively. Most candidates describe a tracker system and only address privacy if asked. Strong candidates explain the encryption design and key rotation scheme as part of the core architecture, because privacy is not a feature you bolt on later.
Discuss the interesting failure modes. What happens when there are no finder devices near the AirTag? What happens if the owner’s private key is compromised? What happens if an attacker uploads fake relay events? Showing you have thought about failure modes demonstrates production-level thinking.
For the interview’s scalability discussion, identify the distinct bottleneck regimes. The BLE layer scales differently from the ingest API, which scales differently from the event pipeline, which scales differently from the storage layer. Each has different characteristics and solutions. Conflating them into a single “scale horizontally” answer signals shallow thinking.
Common mistakes to avoid: designing a system that uploads raw GPS coordinates to a server the owner queries, without any encryption; ignoring the power constraints of the AirTag hardware; proposing a GPS chip in the AirTag (candidates who suggest this either did not think about power or do not know that GPS requires its own active network connection to be useful); and failing to discuss the anti-stalking requirements, which is a major part of the real system and a rich source of interesting design discussion.
A strong answer will describe the BLE-only AirTag broadcasting rotating public-key-derived identifiers, the crowd-sourced relay network, the end-to-end encrypted relay design, the key rotation scheme, and the anti-stalking notification pipeline. It will discuss approximate latency budgets, the tradeoff between privacy and real-time tracking, and the scalability challenges of processing billions of relay events per day.
The goal is to leave the interviewer feeling that you have genuinely thought about how this system works in production, not that you have recited a list of buzzwords. The best system design discussions feel like conversations between engineers who have both operated systems at scale.
Closing Thoughts
Understanding how AirTags work is, in one sense, understanding how to build a privacy-preserving distributed sensor network that runs entirely on borrowed compute and power from devices you do not own. The key insight is that Apple’s billion-device installed base is not just a sales metric; it is a piece of infrastructure that can be put to work solving a real engineering problem in a way that would be impossible for any smaller operator.
The cryptographic architecture that makes privacy guarantees hold under adversarial conditions is a template for any system that needs to route information through untrusted intermediaries. The BLE power optimization techniques apply to any battery-constrained IoT device. The crowd-sourced relay model is relevant to any location-aware system trying to cover the physical world without building dedicated hardware infrastructure.
Every design decision in AirTags serves either the goal of battery life, privacy, accuracy, or scale. When you understand why those goals create tension with each other, and how the specific design choices resolve those tensions, you understand not just AirTags but the broader principles of building location-aware distributed systems at global scale.