🤖 AI Summary
Apple Watch and similar devices collect extensive health data, yet users lack data sovereignty due to Apple’s closed ecosystem, and the proprietary Bluetooth protocol harbors undisclosed security vulnerabilities.
Method: This work presents the first systematic reverse-engineering of the Apple Watch Bluetooth communication protocol, uncovering privacy leaks and authentication bypass flaws in its pairing and synchronization mechanisms. Leveraging these insights, we design and implement a lightweight, cross-platform Bluetooth protocol stack for Android, enabling secure pairing and health data synchronization.
Contribution/Results: Our solution breaks vendor lock-in by achieving interoperability between Apple Watch and Android devices, empowering users with controllable data export and on-device processing capabilities. It demonstrates the feasibility of open, secure interconnection for wearables and establishes a novel paradigm for research on wearable interoperability and privacy-preserving system design.
📝 Abstract
Smartwatches such as the Apple Watch collect vast amounts of intimate health and fitness data as we wear them. Users have little choice regarding how this data is processed: The Apple Watch can only be used with Apple's iPhones, using their software and their cloud services. We are the first to publicly reverse-engineer the watch's wireless protocols, which led to discovering multiple security issues in Apple's proprietary implementation. With WatchWitch, our custom Android reimplementation, we break out of Apple's walled garden -- demonstrating practical interoperability with enhanced privacy controls and data autonomy. We thus pave the way for more consumer choice in the smartwatch ecosystem, offering users more control over their devices.