Apple's Spotlight Search Results Come With Engagement Metrics. No One Knew.

How Apple's Spotlight API exposes undocumented interaction data for every search result it serves to over a billion devices


When an iPhone user types a query into Spotlight, Apple's servers return ranked results spanning web pages, apps, maps, news, knowledge graph entities, and stock data. Alongside each web result, the server includes two undocumented fields: num_engaged and num_shown. The field names suggest these represent interaction counts and display counts for each result across Apple's user base, though Apple has not publicly documented their meaning.

These fields are not available through any public Apple API. They are not in Apple Maps, MapKit, Core Spotlight, or any developer-facing service. Whatever they measure, they are Apple's proprietary metrics attached to every search result served to over a billion devices.


The AI race, quantified by Apple

Querying Spotlight for each major AI product and reading the num_engaged and num_shown fields on their web results:

| Product    | URL                           | Engaged    | Shown       | Rate  |
|------------|-------------------------------|------------|-------------|-------|
| ChatGPT    | chatgpt.com                   | 12,000,000 | 44,000,000  | 27.3% |
| ChatGPT    | en.wikipedia.org/wiki/ChatGPT | 6,100,000  | 120,000,000 | 5.1%  |
| Perplexity | perplexity.ai                 | 410,000    | 1,600,000   | 25.6% |
| Copilot    | copilot.com                   | 140,000    | 1,600,000   | 8.8%  |
| Claude     | claude.com                    | 17,000     | 220,000     | 7.7%  |

ChatGPT's engagement is 700x Claude's and 29x Perplexity's in absolute volume. But the engagement rates tell a different story: Perplexity nearly matches ChatGPT at 25.6% vs 27.3%, suggesting comparable intent density at a fraction of the scale.

Google's Gemini is absent from the web engagement data entirely. Querying "gemini" returns app results and Knowledge Graph entities but no web results with engagement metrics. Google's AI product is invisible in Apple's search engagement layer.

Autocomplete scores add another dimension. Perplexity scores 109,999, higher than ChatGPT's 79,999. Apple's model treats "perplexity" as a higher-intent query than "chatgpt."


The same metrics appear everywhere

The AI comparison is one application. The same fields appear on every web result the API returns:

| Query   | Top result                   | Engaged   | Shown     |
|---------|------------------------------|-----------|-----------|
| tesla   | tesla.com                    | 1,100,000 | 5,700,000 |
| ozempic | ozempic.com                  | 250,000   | 5,000,000 |
| tiktok  | tiktok.com/en                | 1,100,000 | 8,700,000 |
| bitcoin | binance.com/en/price/bitcoin | 9,800     | 400,000   |
| tariffs | investopedia.com/.../tariff  | 1,200     | 35,000    |
| layoffs | thelayoff.com                | 40,000    | 230,000   |

Autocomplete predictions are also revealing. "Nvidia" autocompletes to "nvidia stock" (score 69,999), meaning Apple's model has learned that iPhone users searching "nvidia" are primarily interested in the stock price. "Bitcoin" autocompletes to "bitcoin price" (79,999).


The authentication model

Apple's Spotlight server-side component runs on api-glb-*.smoot.apple.com. Requests include three authentication components: an eat (encrypted authentication token) URL parameter, an X-Apple-Whitelisted-App-Signature header, and an X-Apple-UserGuid header.

Structural analysis of traffic from multiple devices raises questions about the strength of each.

The eat token is shared across devices. The same 64-byte token was observed in requests from four distinct device UUIDs, across three different edge nodes (ause1a, ause1b, ause2b), over a 48-hour window. The devices were in different US states. The token is not bound to a device, an IP address, or a TLS session. It functions as a regional bearer token.

The device signature is structured, not cryptographic. The X-Apple-Whitelisted-App-Signature blob has an entropy of 3.80 bits per byte, well below the threshold for encrypted or signed content. Every signature across 30+ devices shares the same magic bytes (0x82BD00) at offset 4 and the same capability flag structure in the tail. The device-specific prefix bytes are not a hash or HMAC of the payload. The structure is consistent with a capability descriptor, not a cryptographic credential.

The UUID is echoed, not validated. The X-Apple-UserGuid value appears verbatim in the response's feedback token (fbq), indicating the server stores whatever value is submitted without verifying it against a device registry.
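The three structural checks above (a token reused across devices, a low-entropy signature with fixed bytes at a known offset, and a client-supplied identifier echoed back unverified) can be run over any capture of request records. The script below is an added example, not tooling from the research; the request records, the 4-byte prefix, flag tail and token strings are constructed stand-ins, and only the magic bytes and offset come from the text.

```python
import math
from collections import defaultdict

# Constructed sample of captured requests (not real traffic). Each record holds the
# device's X-Apple-UserGuid ("guid"), the edge node, the eat URL parameter
# ("EAT-SHARED" stands in for the 64-byte token) and the fbq echoed in the response.
REQUESTS = [
    {"guid": "uuid-A", "edge": "ause1a", "eat": "EAT-SHARED", "fbq": "fbq:uuid-A:1"},
    {"guid": "uuid-B", "edge": "ause1b", "eat": "EAT-SHARED", "fbq": "fbq:uuid-B:2"},
    {"guid": "uuid-C", "edge": "ause2b", "eat": "EAT-SHARED", "fbq": "fbq:uuid-C:3"},
    {"guid": "uuid-D", "edge": "ause1a", "eat": "EAT-OTHER",  "fbq": "fbq:uuid-D:4"},
]

def make_sig(prefix: bytes) -> bytes:
    """Constructed X-Apple-Whitelisted-App-Signature blob: a device-specific 4-byte
    prefix, the magic bytes 0x82BD00 at offset 4, then an assumed fixed flag tail."""
    return prefix + b"\x82\xbd\x00" + b"\x00\x00\x00\x01\x00\x00\x00\x03"

SIGNATURES = [make_sig(p) for p in (b"\x11\x22\x33\x44", b"\x55\x66\x77\x88", b"\x99\xaa\xbb\xcc")]

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or a MAC, far lower for structured data."""
    if not blob:
        return 0.0
    counts = defaultdict(int)
    for b in blob:
        counts[b] += 1
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts.values())

def shared_tokens(requests):
    """eat tokens seen from more than one device GUID; a device-bound token maps to one."""
    devices = defaultdict(set)
    for r in requests:
        devices[r["eat"]].add(r["guid"])
    return {tok: sorted(devs) for tok, devs in devices.items() if len(devs) > 1}

def common_bytes(sigs, offset, length):
    """The slice [offset:offset+length] if it is identical in every blob, else None."""
    slices = {bytes(s[offset:offset + length]) for s in sigs}
    return slices.pop() if len(slices) == 1 else None

def guid_echoed(requests):
    """True when every response's fbq contains the submitted GUID verbatim."""
    return all(r["guid"] in r["fbq"] for r in requests)

if __name__ == "__main__":
    print("signature entropy (bits/byte):", round(shannon_entropy(SIGNATURES[0]), 2))
    print("bytes common at offset 4:", common_bytes(SIGNATURES, 4, 3))
    print("eat tokens shared across devices:", shared_tokens(REQUESTS))
    print("guid echoed in fbq:", guid_echoed(REQUESTS))
```

A per-device credential would make shared_tokens return an empty dict and push the signature entropy toward 8 bits per byte with no byte common across blobs.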


What this is not

This is not a data breach. The API returns search results and aggregated metrics, not individual user data. No other user's search history, personal information, or Spotlight activity is accessible.

This is not a novel discovery that smoot.apple.com handles Spotlight queries. That has been publicly discussed since at least 2014. What has not been previously documented is that the response payloads include undocumented engagement metrics, and that the authentication model relies on shared regional tokens and structured device descriptors rather than per-device cryptographic credentials.

No automated scraping, bulk collection, or commercial use of this endpoint was conducted. All queries shown were manual, limited in scope, and performed for research purposes.

About the research

I have been getting inbound interest from researchers wanting to run their own queries against the dataset. The tooling in the research lets you analyze real mobile network traffic captured in the wild. If that could accelerate your security research, feel free to reach out at buchodi@proton.me.
