🤖 AI Summary
Apple’s Find My protocol claims strong privacy guarantees, yet its closed-source nature renders security contingent solely on vendor trust. Method: We present the first complete symbolic modeling and formal verification of the protocol using the Tamarin prover, constructing a precise symbolic model and automatically verifying critical security properties—including location privacy, resistance to tracking, and key confidentiality—under standard cryptographic assumptions, without black-box assumptions or vendor assertions. Contribution/Results: Our machine-checked analysis rigorously confirms that the protocol satisfies its core security promises at the design level. It uncovers previously unrecognized logical edge cases and delivers the first publicly reproducible, independently auditable formal security proof for Find My. This work establishes a methodological benchmark for trustworthy evaluation of proprietary protocols, advancing verifiable assurance in privacy-critical systems.
📝 Abstract
Tracking devices, while designed to help users find their belongings in case of loss or theft, raise new questions about privacy and surveillance, not only for their own users but, in the case of crowd-sourced location tracking, even for others only tangentially associated with these platforms. Apple's Find My is perhaps the most ubiquitous such system: it runs on millions of devices worldwide and can locate even devices that have no cellular support or GPS. Apple claims that this system is private and secure, but the code is proprietary, so such claims have to be taken on faith. It is well known that even with perfect cryptographic guarantees, logical flaws can creep into protocols and enable undesirable attacks. In this paper, we present a symbolic model of the Find My protocol together with a precise formal specification of the desirable properties, and provide automated, machine-checkable proofs of these properties in the Tamarin prover.
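To make concrete what a symbolic model and a machine-checkable property look like in Tamarin, here is an added sketch that is not the paper's model and not Apple's specification. It assumes a simplified offline-finding exchange in the style of Find My: an accessory holds a private scalar and broadcasts the matching public key, a finder encrypts a location under an ECIES-like ephemeral Diffie-Hellman secret derived from that key, and the owner decrypts with the private scalar. The central server, key rotation, and the tracking-resistance properties (which need observational equivalence) are deliberately left out; all rule, fact, and lemma names are invented for this sketch.

```tamarin
theory FindMySketch
begin

/* Added illustration, not the paper's model: a simplified offline-finding
   exchange in the style of Find My. Assumed design: the accessory holds a
   long-term private scalar ~sk and broadcasts 'g'^~sk; a finder encrypts a
   location under an ephemeral DH secret agreed against that public key;
   the owner decrypts with ~sk. Rule and fact names are invented here. */

builtins: diffie-hellman, symmetric-encryption, hashing

// Owner provisions an accessory: generate a key pair and broadcast the
// public key. The adversary sees everything sent with Out.
rule Provision:
  [ Fr(~sk) ]
  --[ Provisioned($Owner, ~sk) ]->
  [ !OwnerKey($Owner, ~sk), Out('g'^~sk) ]

// A finder picks up a beacon public key from the air (modelled as In),
// derives an ECIES-style shared secret and uploads the encrypted report
// together with its ephemeral public key.
rule FinderReport:
  [ In(pk), Fr(~eph), Fr(~loc) ]
  --[ Reported(pk, ~loc) ]->
  [ Out(<'g'^~eph, senc(~loc, h(pk^~eph))>) ]

// The owner fetches a report and decrypts it with the accessory's private
// scalar; pattern matching on senc(..) models successful decryption.
rule OwnerDecrypt:
  [ !OwnerKey($Owner, ~sk), In(<epk, senc(loc, h(epk^~sk))>) ]
  --[ Recovered($Owner, loc) ]->
  []

// Sanity check: the protocol can actually run end to end.
lemma executable: exists-trace
  "Ex O l #i. Recovered(O, l) @ i"

// Location confidentiality: a location reported against an honestly
// provisioned public key never becomes known to the network adversary.
lemma location_secret:
  "All O sk l #i #j.
     Provisioned(O, sk) @ i & Reported('g'^sk, l) @ j
     ==> not (Ex #k. K(l) @ k)"

end
```

Run it with `tamarin-prover --prove` on the saved file; the `exists-trace` lemma guards against a model that is vacuously secure because no protocol run exists, and `location_secret` is the kind of design-level confidentiality claim the paper checks, stated here only for the simplified exchange above.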