Signal Scout — On-Device iOS Anti-Stalking & Surveillance Scanner (AirTag / BLE / Wi‑Fi / Ultrasonic)
Signal Scout is a privacy first iOS security research app that turns an iPhone into a local-only situational awareness tool for nearby wireless and sensor anomalies. It focuses on AirTag / Find My tracker detection, BLE beacon analysis, connected Wi‑Fi visibility, and ultrasonic beacon detection—with optional, high-noise sensors (magnetometer + camera reflection scanning) kept off by default.
Status: Development build. Not production-ready. Not approved for App Store distribution.
No cloud. No telemetry. No tracking SDKs. All processing happens on-device.
Signal Scout is built around three principles:
- Local-only by design — no network calls, no telemetry, no cloud correlation.
- Transparent limitations — iOS restrictions are documented clearly (for example, no BLE MAC addresses).
- Actionable output — prioritize detections that iPhone hardware + iOS APIs can support with reasonable signal quality.
If you want a research-grade iPhone AirTag detector, a BLE anomaly scanner, and a connected-network visibility tool that stays on your device, this is the direction.
- Detect and analyze Bluetooth Low Energy advertisements from nearby devices (CoreBluetooth)
- Identify known tracker families via service UUID + manufacturer data signatures (AirTag/Find My, Tile, SmartTag, etc.)
- Provide limited connected Wi‑Fi visibility (SSID/BSSID of the currently connected access point)
- Detect rapid BSSID churn on the same SSID (heuristic for suspicious/unstable access point behavior)
- Detect ultrasonic beacons (18–22 kHz) used for cross-device tracking/fingerprinting
- Correlate time-adjacent anomalies across sensors (low-specificity “multi-signal” flags)
- It does not perform true “RF bug sweeping” across radio spectrum bands (iPhone + iOS do not expose this)
- It does not capture Wi‑Fi frames, run monitor mode, or detect deauth attacks (not possible on iOS)
- It does not enumerate nearby Wi‑Fi networks (only the network you’re connected to)
- It does not detect GPS trackers reliably (magnetometer is not a GPS tracker detector)
-
Bluetooth Scanner (BLE)
Parses advertisements: manufacturer company IDs, service UUIDs, and basic heuristics. -
AirTag / Tracker Signature Matching
Matches against 52 known tracker patterns viatracker_signatures.json(AirTag/Find My, Tile, Samsung SmartTag, common beacon/dev boards). -
Network Scanner (Connected Wi‑Fi)
Reads SSID/BSSID for the currently connected AP and maps BSSID → vendor via local OUI database. -
Ultrasonic Analyzer
FFT analysis for 18–22 kHz beacons with debounce thresholds to reduce noise.
-
Magnetometer Scanner
High false positives (keys, magnets, speakers, metal furniture). Useful mostly for controlled testing. -
Camera Reflection Scanner (Visible Light)
Detects bright reflections using the LED torch and frame analysis. This is a reflection scan, not a true IR detector. -
Motion EMF Scanner
Experimental correlation of motion + magnetic anomalies; limited real-world value.
| Target | Primary Method | Effectiveness | False Positives | Default |
|---|---|---|---|---|
| AirTag / Find My (known signature) | BLE service UUID match | High | Low | On |
| Tile / SmartTag (known patterns) | Service UUID + manufacturer data | High | Low–Medium | On |
| Unknown persistent BLE device | Time-based persistence heuristic | Medium | Medium | On |
| Ultrasonic tracking beacon | FFT in 18–22 kHz | Medium | Low–Medium | On |
| Connected Wi‑Fi AP visibility | SSID/BSSID + vendor lookup | High | Low | On |
| Rogue AP (heuristic only) | Rapid BSSID churn on same SSID | Low | High | Partial |
| Hidden camera (generic) | Reflection scan (visible) | Low | Very High | Off |
| GPS tracker | Magnetometer | None | Very High | Off |
Detection results are signals, not proof. Expect false positives—especially on the optional scanners.
Signal Scout emits normalized events from each scanner, then optionally correlates them inside a short time window.
| Sensor | Method | Output |
|---|---|---|
| Bluetooth (BLE) | CoreBluetooth advertisement parsing | Company IDs, service UUIDs, heuristic flags |
| Wi‑Fi (Connected only) | CNCopyCurrentNetworkInfo |
SSID, BSSID, vendor via OUI lookup |
| Magnetometer | CoreMotion @ 20Hz | Deviation from rolling baseline |
| Camera | AVFoundation + torch toggles | Bright reflections in a grid scan |
| Microphone | FFT (Accelerate/vDSP) | Ultrasonic peaks 18–22 kHz |
| Correlation | Temporal clustering | Multi-sensor anomaly flags |
Apple’s platform security model intentionally limits passive scanning. Signal Scout is built inside those constraints:
-
No BLE MAC addresses
CoreBluetooth does not expose BLE MAC addresses. Expect randomized identifiers and privacy-preserving behavior. -
No nearby Wi‑Fi enumeration
iOS apps cannot list nearby SSIDs/BSSIDs. You only get the currently connected network. -
No monitor mode / packet capture
No Wi‑Fi frame capture, no deauth detection, no radiotap-level analysis. -
No Bluetooth Classic scanning
CoreBluetooth is BLE-focused; BR/EDR discovery is not available the same way.
- Local-only processing: all detection and scoring runs on-device
- No network calls: no telemetry, no analytics, no cloud correlation
- Local storage only: scan history stored in the app sandbox
- User-controlled export: JSON export for your own sharing/research workflows
- No obfuscation: code is auditable
- macOS 13+
- Xcode 14.3+
- iOS 16+ SDK
- Physical iPhone required (simulator lacks real sensor behavior)
- iPhone on iOS 16.0+
git clone <repository-url>
cd signal-scoutopen SignalScout.xcodeproj- Select the project in Xcode
- Select the
SignalScouttarget - Signing & Capabilities:
- Enable “Automatically manage signing”
- Pick your Development Team
- Update Bundle Identifier if needed (example:
com.yourname.signalscout)
Ensure these exist and are included under Copy Bundle Resources:
oui.json(797 entries)tracker_signatures.json(52 patterns)
- Build:
Cmd+B - Run:
Cmd+R
Free Apple Developer accounts require re-signing every 7 days.
To access Wi‑Fi SSID/BSSID reliably in production, Apple requires:
com.apple.developer.networking.wifi-info
<key>com.apple.developer.networking.wifi-info</key>
<true/>Apple review notes (high-level):
- Strong justification is required
- A privacy policy is required
- Approval is not guaranteed
- Bluetooth: required for BLE scanning
- Location (When In Use): required for Wi‑Fi info access + GPS tagging
- Microphone: required for ultrasonic detection
- Camera: required for reflection scanning
Without Location permission, Wi‑Fi info may return no results even with entitlement.
- Enabled: Bluetooth, Tracker Matching, Connected Wi‑Fi, Ultrasonic
- Disabled: Magnetometer, Reflection, Motion EMF
tracker_signatures.jsondefines service UUID and manufacturer-data patterns- OUI vendor mapping is from
oui.json(local database)
- Add a local allowlist for known benign devices (headphones, watches, fitness trackers)
- Tighten persistence thresholds in noisy environments
- Keep optional scanners off unless you’re testing in a controlled setting
SignalScout/
├── App/
│ ├── SignalScoutApp.swift
│ └── ContentView.swift
├── Core/
│ ├── ScanCoordinator.swift
│ ├── ManufacturerLookup.swift
│ ├── TrackerSignatures.swift
│ ├── CorrelatedAnomalyEngine.swift
│ ├── ScanHistoryManager.swift
│ └── PermissionManager.swift
├── Services/
│ ├── BluetoothScanner.swift
│ ├── AirTagScanner.swift
│ ├── NetworkScanner.swift
│ ├── WiFiHoneypotScanner.swift
│ ├── MagnetometerScanner.swift
│ ├── MotionEMFScanner.swift
│ ├── IRReflectionScanner.swift
│ └── AudioAnalyzer.swift
├── Models/
│ ├── DeviceModel.swift
│ └── ScanResult.swift
├── Views/
│ ├── ScanSummaryView.swift
│ ├── SignalMeterView.swift
│ ├── MapView.swift
│ ├── TutorialView.swift
│ ├── PermissionsOnboardingView.swift
│ ├── ErrorStateView.swift
│ ├── EmptyStateView.swift
│ ├── LoadingOverlay.swift
│ └── FeatureButtonStyle.swift
├── Extensions/
│ ├── UIDevice+SSID.swift
│ ├── CLPlacemark+Address.swift
│ └── CIImage+Brightness.swift
├── Helpers/
│ ├── HapticManager.swift
│ ├── AppTheme.swift
│ ├── BatteryMonitor.swift
│ └── ScannerDescriptions.swift
├── Networking/
│ └── UDPBroadcastListener.swift
├── Resources/
│ ├── oui.json
│ ├── tracker_signatures.json
│ └── Assets.xcassets/
└── SignalScout.entitlements
Planned / considered improvements (while staying local-only):
- Expand tracker signature coverage and add structured tests for signatures
- Better device allowlisting and per-environment presets (home / office / travel)
- Improved correlation model (time + proximity + repetition) with clearer explanations
- Export options (CSV / SQLite) for research workflows
- Scan scheduling (within iOS constraints)
This is a research project under Business Source License 1.1.
Contributions accepted for:
- Bug fixes
- Tracker signature additions
- Detection algorithm improvements
- Documentation corrections
Not accepted:
- Monetization features
- App Store preparation
- Analytics / tracking
- Cloud services or telemetry
Bug reports should include:
- iPhone model + iOS version
- Steps to reproduce
- Which scanners were enabled
- Sample exported JSON (if safe to share)
Business Source License 1.1 (BSL 1.1)
Permitted:
- Personal use
- Security research
- Academic study
- Source review
Prohibited:
- Commercial distribution
- App Store publication
- Monetization
- Production deployment
See LICENSE for full terms.
Signal Scout provides situational awareness, not certainty. Results are constrained by iOS API restrictions and consumer hardware limits. False positives can be frequent, especially with magnetometer and camera reflection scanning.
This project is not a substitute for professional security assessment. If you believe you’re being targeted, consider a broader response plan (device review, account security, physical inspection, and professional support).