MAC address randomization joins Apple's heap of iOS 8 privacy improvements
With consumers growing more conscious about protecting their privacy, Apple has begun tackle the issue head on with numerous enhancements to its next-generation mobile operating system including a new feature that makes it more difficult to track and identify individual iOS devices.
Beginning with iOS 8, Apple's handheld devices will generate and use random Media Acccess Control, or MAC, addresses -- rather than their real MAC address -- when scanning for Wi-Fi access points. The change was announced in a closed session at the company's Worldwide Developers Conference and first called out by security researcher Frederic Jacobs.
MAC addresses are unique identifiers that allow devices to distinguish between one another on a network. Typically, every network interface has its own MAC address -- on an iPhone, that means one each for the Bluetooth and Wi-Fi radios.
When scanning for wireless networks, client devices like the iPhone periodically broadcast identifying packets that include the MAC address. In recent years, a number of firms have taken advantage of these broadcasts to track individual devices as they move around -- for example, some retail outlets use MAC address-based tracking to record the path that consumers take as they move through the store, allowing long-term measurement of shopping habits and better placement of sale materials and advertising.
There are also other, more benign uses for MAC address tracking. The city of Houston's TranStar traffic monitoring system, for instance, uses the MAC addresses from Bluetooth devices to measure traffic flow on city streets.
Though it is generally difficult to tie MAC addresses to specific people without some other connection, the privacy implications of MAC address tracking have been the subject of increasing debate. Apple's solution would effectively neuter the practice of long-term tracking by randomizing the MAC address shown during each round of scanning, a feature that many in the privacy community have been pushing for some time.
The new MAC randomization system is the latest in a line of privacy-focused moves from Apple that have come to light as developers digest the wealth of material offered at last week's Worldwide Developers Conference.
Most visible among those change is iOS 8's new "While Using" location privacy option. The new setting allows users to restrict apps from determining their location unless the app is in active use, preventing apps from collecting location data in the background unless explicitly authorized to do so.
Also new in iOS 8 is support for DuckDuckGo, an alternative search engine that promises not to track its users' searches or internet history. Additionally, Apple has opened the iPhone 5s's Touch ID authentication system for use by third-party apps, further enhancing security while increasing convenience.
Taken together, Apple's recent moves suggest a renewed focus on security and privacy that could pay dividends as its competitors come under increasingly heavy fire from governments and privacy advocates.
Beginning with iOS 8, Apple's handheld devices will generate and use random Media Acccess Control, or MAC, addresses -- rather than their real MAC address -- when scanning for Wi-Fi access points. The change was announced in a closed session at the company's Worldwide Developers Conference and first called out by security researcher Frederic Jacobs.
MAC addresses are unique identifiers that allow devices to distinguish between one another on a network. Typically, every network interface has its own MAC address -- on an iPhone, that means one each for the Bluetooth and Wi-Fi radios.
When scanning for wireless networks, client devices like the iPhone periodically broadcast identifying packets that include the MAC address. In recent years, a number of firms have taken advantage of these broadcasts to track individual devices as they move around -- for example, some retail outlets use MAC address-based tracking to record the path that consumers take as they move through the store, allowing long-term measurement of shopping habits and better placement of sale materials and advertising.
Beginning in iOS 8, Apple's mobile devices will broadcast random MAC addresses to foil long-term tracking
There are also other, more benign uses for MAC address tracking. The city of Houston's TranStar traffic monitoring system, for instance, uses the MAC addresses from Bluetooth devices to measure traffic flow on city streets.
Though it is generally difficult to tie MAC addresses to specific people without some other connection, the privacy implications of MAC address tracking have been the subject of increasing debate. Apple's solution would effectively neuter the practice of long-term tracking by randomizing the MAC address shown during each round of scanning, a feature that many in the privacy community have been pushing for some time.
The new MAC randomization system is the latest in a line of privacy-focused moves from Apple that have come to light as developers digest the wealth of material offered at last week's Worldwide Developers Conference.
Most visible among those change is iOS 8's new "While Using" location privacy option. The new setting allows users to restrict apps from determining their location unless the app is in active use, preventing apps from collecting location data in the background unless explicitly authorized to do so.
Also new in iOS 8 is support for DuckDuckGo, an alternative search engine that promises not to track its users' searches or internet history. Additionally, Apple has opened the iPhone 5s's Touch ID authentication system for use by third-party apps, further enhancing security while increasing convenience.
Taken together, Apple's recent moves suggest a renewed focus on security and privacy that could pay dividends as its competitors come under increasingly heavy fire from governments and privacy advocates.
Comments
Another way to look at this might be that if accurate tracking of iOS users is desired, a fee-based agreement with Apple must be made.
Is there any evidence that Apple wants to sell copy these MAC addresses per device and then sell these lists? Wouldn't that also mean the MAC addresses can't truly be random, but rather just give each device a large pull to pull from in order for the lists to still yield accurate results?
I don't see any reason for Apple to think this paltry gain in sales would outweigh the backlash if they were caught doing this. I think the only reasonable conclusion is that Apple does care about your privacy because they know that will help them sell more devices.
They won 't be able to do this of course. It would fly against their historic stance on privacy protection, and future health-related efforts.
Easy choice.
what's it got to do with google?
mac address randomization simply removes the ability to use the device for certain useful functions that require a known mac address, mac filtering is also a handy way to winnow out chaff in a multi layer security implementation
it will not stop apple tracking you, or me, or anyone else who uses one of it's devices, apple does this, read the privacy policy, you can opt out of certain applications of that tracking, but assuming the privacy policy is accurate you cannot opt out of being tracked, which is ok, it's the 21st century, it's how things are
they're all at it to some extent, tracking consumers to give 'recommendations' is part of apples business
doesn't mean apple is bad
randomizing mac addresses looks more like a cunning attack on competing non-apple tracking vendors, which as a stockholder i applaud
but i'm not fussed either way, it really makes no difference
As privacy gets more and more rare I think companies like Google and Facebook will struggle more and those that don't make their money from ads will find it harder to compete with companies like Apple, which is why I'm surprise Apple doesn't tout these privacy features more.
They won 't be able to do this of course. It would fly against their historic stance on privacy protection, and future health-related efforts.
Agreed. This random MAC feature makes sense for the forthcoming HealthKit apps. It's bad enough to be bombarded by ads via MAC harvesting (Google), but it's a whole different level of privacy invasion if the ads become "scare tactic" health-related ads ("your blood pressure is too high - buy this now!").
It makes me wonder what Tizen does with Samsung Gear's personal health info.
They [Apple] won 't be able to do this of course. It would fly against their historic stance on privacy protection, and future health-related efforts.
Just like Google won't share such information either.
Apple isn't demonstrating a distinction between it and Google, other than implementing a mechanism that Google hasn't yet for maintaining proprietary tracking data on users.
Another way to look at this might be that if accurate tracking of iOS users is desired, a fee-based agreement with Apple must be made.
theres not data to indicate that, so that way of looking at it would be incorrect.
Just like Google won't share such information either.
Apple isn't demonstrating a distinction between it and Google, other than implementing a mechanism that Google hasn't yet for maintaining proprietary tracking data on users.
please put down the nitrous-filled balloon. your brain needs oxygen...
I also use MAC address restrictions to limit access to networks and assign IP addresses via DHCP.
I'm guessing that iOS will be able to pass actual MAC addresses to designated wifi connection points and spoof the others.
This is also interesting, in that developers may no longer ascertain the MAC address of network interfaces on iOS devices their apps are installed on...
This was done to preserve user privacy and prevent unique id / device tracking.
It's pretty despicable that this services offer the so called 'free Wi-Fi' model to lure users to get on their networks but they use the MAC address to track everything associated to that user. It's not hard for them to glean enough data on you to make a profile that they can reverse and figure out exactly who you are. I hate that cities like Seattle, Washington; Boulder, Colorado, etc, have all these wifi devices installed in the areas and they can monitor everything you do. No privacy whatsoever!!!
Apple is closing down this avenue, so only Apple will know your whereabouts... and can improve iAds and iBeacons accordingly. I expect Google will do the same. Neither company likes to entertain freeloaders of the data they collect on users.
Where I live, I'm within range of somewhere around 40 wifi networks. I use MAC address filtering to keep strange devices off my network, and don't broadcast my SSID partly out of politeness (so there aren't 41 networks showing up for my neighbours).
How is a random MAC address going to work for me? Even if it knows to broadcast it's "real" MAC address to my home network, it doesn't necessarily know when it's in range of my home network. Am I going to be forced to turn off some part of my security system in order to get my iPhone 6 to work?
I suppose, you could do some elaborate hand-shake where it probes for the home SSID with a random MAC address, then when it gets the rejection switches to the real one, but that seems to be overcomplicating things. Another option could be to geo-fence your home network, but that may not be terribly reliable...
I definitely agree with you. I am sure the MAC address masking will be circumvented somehow by advertisers and the like. I really hope someone makes a tweak that can hide the MAC address and also default Tor protection
These features only exist in the pre-release software for iOS8. You talk like it's already out there being used.
When iOS8 is released along with the new iPhones, THEN it will be news.
This isn't the first time Apple has failed to put in the limelight something I felt was noteworthy for security. Do you want to make a bet on whether devotes presentation time to this feature when they go over iOS 8 again during the iPhone/iPad special event?