MAC address randomization joins Apple's heap of iOS 8 privacy improvements

Posted:
in iPhone edited August 2015
With consumers growing more conscious about protecting their privacy, Apple has begun tackle the issue head on with numerous enhancements to its next-generation mobile operating system including a new feature that makes it more difficult to track and identify individual iOS devices.




Beginning with iOS 8, Apple's handheld devices will generate and use random Media Acccess Control, or MAC, addresses -- rather than their real MAC address -- when scanning for Wi-Fi access points. The change was announced in a closed session at the company's Worldwide Developers Conference and first called out by security researcher Frederic Jacobs.

MAC addresses are unique identifiers that allow devices to distinguish between one another on a network. Typically, every network interface has its own MAC address -- on an iPhone, that means one each for the Bluetooth and Wi-Fi radios.

When scanning for wireless networks, client devices like the iPhone periodically broadcast identifying packets that include the MAC address. In recent years, a number of firms have taken advantage of these broadcasts to track individual devices as they move around -- for example, some retail outlets use MAC address-based tracking to record the path that consumers take as they move through the store, allowing long-term measurement of shopping habits and better placement of sale materials and advertising.
Beginning in iOS 8, Apple's mobile devices will broadcast random MAC addresses to foil long-term tracking
There are also other, more benign uses for MAC address tracking. The city of Houston's TranStar traffic monitoring system, for instance, uses the MAC addresses from Bluetooth devices to measure traffic flow on city streets.

Though it is generally difficult to tie MAC addresses to specific people without some other connection, the privacy implications of MAC address tracking have been the subject of increasing debate. Apple's solution would effectively neuter the practice of long-term tracking by randomizing the MAC address shown during each round of scanning, a feature that many in the privacy community have been pushing for some time.

The new MAC randomization system is the latest in a line of privacy-focused moves from Apple that have come to light as developers digest the wealth of material offered at last week's Worldwide Developers Conference.

Most visible among those change is iOS 8's new "While Using" location privacy option. The new setting allows users to restrict apps from determining their location unless the app is in active use, preventing apps from collecting location data in the background unless explicitly authorized to do so.




Also new in iOS 8 is support for DuckDuckGo, an alternative search engine that promises not to track its users' searches or internet history. Additionally, Apple has opened the iPhone 5s's Touch ID authentication system for use by third-party apps, further enhancing security while increasing convenience.

Taken together, Apple's recent moves suggest a renewed focus on security and privacy that could pay dividends as its competitors come under increasingly heavy fire from governments and privacy advocates.
«1

Comments

  • Reply 1 of 37
    bighypebighype Posts: 148member
    These moves are further differentiating Apple away from evil Google's "big brother" model. The choice for consumers will be pretty simple: you either buy Apple gear that's safe and designed to protect your privacy or you pick Google's gear that's designed to spy on you since that's how Google makes money.
  • Reply 2 of 37
    cpsrocpsro Posts: 2,428member

    Another way to look at this might be that if accurate tracking of iOS users is desired, a fee-based agreement with Apple must be made.

  • Reply 3 of 37
    solipsismxsolipsismx Posts: 19,566member
    cpsro wrote: »
    Another way to look at this might be that if accurate tracking of iOS users is desired, a fee-based agreement with Apple must be made.

    Is there any evidence that Apple wants to sell copy these MAC addresses per device and then sell these lists? Wouldn't that also mean the MAC addresses can't truly be random, but rather just give each device a large pull to pull from in order for the lists to still yield accurate results?

    I don't see any reason for Apple to think this paltry gain in sales would outweigh the backlash if they were caught doing this. I think the only reasonable conclusion is that Apple does care about your privacy because they know that will help them sell more devices.
  • Reply 4 of 37
    patsupatsu Posts: 428member
    cpsro wrote: »
    Another way to look at this might be that if accurate tracking of iOS users is desired, a fee-based agreement with Apple must be made.

    They won 't be able to do this of course. It would fly against their historic stance on privacy protection, and future health-related efforts.
  • Reply 5 of 37
    elmoofoelmoofo Posts: 100member
    Google's whole business model is based off of them tracking everything about you, vs this.

    Easy choice.
  • Reply 6 of 37
    nononononononono Posts: 2member

    what's it got to do with google?

     

    mac address randomization simply removes the ability to use the device for certain useful functions that require a known mac address, mac filtering is also a handy way to winnow out chaff in a multi layer security implementation

     

    it will not stop apple tracking you, or me, or anyone else who uses one of it's devices, apple does this, read the privacy policy, you can opt out of certain applications of that tracking, but assuming the privacy policy is accurate you cannot opt out of being tracked, which is ok, it's the 21st century, it's how things are

     

    they're all at it to some extent, tracking consumers to give 'recommendations' is part of apples business

     

    doesn't mean apple is bad

     

    randomizing mac addresses looks more like a cunning attack on competing non-apple tracking vendors, which as a stockholder i applaud

     

    but i'm not fussed either way, it really makes no difference

  • Reply 7 of 37
    solipsismxsolipsismx Posts: 19,566member
    elmoofo wrote: »
    Google's whole business model is based off of them tracking everything about you, vs this.

    Easy choice.

    As privacy gets more and more rare I think companies like Google and Facebook will struggle more and those that don't make their money from ads will find it harder to compete with companies like Apple, which is why I'm surprise Apple doesn't tout these privacy features more.
  • Reply 8 of 37
    formosaformosa Posts: 261member
    Quote:
    Originally Posted by patsu View Post





    They won 't be able to do this of course. It would fly against their historic stance on privacy protection, and future health-related efforts.

     

    Agreed. This random MAC feature makes sense for the forthcoming HealthKit apps. It's bad enough to be bombarded by ads via MAC harvesting (Google), but it's a whole different level of privacy invasion if the ads become "scare tactic" health-related ads ("your blood pressure is too high - buy this now!").

     

    It makes me wonder what Tizen does with Samsung Gear's personal health info.

  • Reply 9 of 37
    cpsrocpsro Posts: 2,428member
    Quote:

    Originally Posted by patsu View Post



    They [Apple] won 't be able to do this of course. It would fly against their historic stance on privacy protection, and future health-related efforts.

    Just like Google won't share such information either.

     

    Apple isn't demonstrating a distinction between it and Google, other than implementing a mechanism that Google hasn't yet for maintaining proprietary tracking data on users.

  • Reply 10 of 37
    nolamacguynolamacguy Posts: 4,758member
    Quote:

    Originally Posted by Cpsro View Post

     

    Another way to look at this might be that if accurate tracking of iOS users is desired, a fee-based agreement with Apple must be made.


     

    theres not data to indicate that, so that way of looking at it would be incorrect.

  • Reply 11 of 37
    nolamacguynolamacguy Posts: 4,758member
    Quote:

    Originally Posted by Cpsro View Post

     

    Just like Google won't share such information either.

     

    Apple isn't demonstrating a distinction between it and Google, other than implementing a mechanism that Google hasn't yet for maintaining proprietary tracking data on users.


     

    please put down the nitrous-filled balloon. your brain needs oxygen...

  • Reply 12 of 37
    It's pretty despicable that this services offer the so called 'free Wi-Fi' model to lure users to get on their networks but they use the MAC address to track everything associated to that user. It's not hard for them to glean enough data on you to make a profile that they can reverse and figure out exactly who you are. I hate that cities like Seattle, Washington; Boulder, Colorado, etc, have all these wifi devices installed in the areas and they can monitor everything you do. No privacy whatsoever!!!
  • Reply 13 of 37
    jonyojonyo Posts: 115member
    I wonder if we'll have any control of this beyond a simple off/on switch. I lock down my multiple wifi networks not only with the usual WPA passwords, but also a MAC address whitelist, so even with the password, unknown devices still can't access my wifi network. It'd be good if I could make my iPhone use the same MAC address when connected to certain wifi networks, and randomize with any other wifi networks.
  • Reply 14 of 37
    rtraillrtraill Posts: 1member
    This will be a huge problem for those whose work authenticates access to the work wifi network by MAC addresses. Does anyone know if this is something a user can turn on or off?
  • Reply 15 of 37
    vaporlandvaporland Posts: 358member
    jonyo wrote: »
    I wonder if we'll have any control of this beyond a simple off/on switch. I lock down my multiple wifi networks not only with the usual WPA passwords, but also a MAC address whitelist, so even with the password, unknown devices still can't access my wifi network. It'd be good if I could make my iPhone use the same MAC address when connected to certain wifi networks, and randomize with any other wifi networks.

    I also use MAC address restrictions to limit access to networks and assign IP addresses via DHCP.

    I'm guessing that iOS will be able to pass actual MAC addresses to designated wifi connection points and spoof the others.

    This is also interesting, in that developers may no longer ascertain the MAC address of network interfaces on iOS devices their apps are installed on...

    This was done to preserve user privacy and prevent unique id / device tracking.
  • Reply 16 of 37
    cpsrocpsro Posts: 2,428member
    Quote:

    Originally Posted by JoshvanHulst View Post



    It's pretty despicable that this services offer the so called 'free Wi-Fi' model to lure users to get on their networks but they use the MAC address to track everything associated to that user. It's not hard for them to glean enough data on you to make a profile that they can reverse and figure out exactly who you are. I hate that cities like Seattle, Washington; Boulder, Colorado, etc, have all these wifi devices installed in the areas and they can monitor everything you do. No privacy whatsoever!!!

    Apple is closing down this avenue, so only Apple will know your whereabouts... and can improve iAds and iBeacons accordingly. I expect Google will do the same. Neither company likes to entertain freeloaders of the data they collect on users.

  • Reply 17 of 37
    anomeanome Posts: 1,222member
    I think that MAC address randomisation is a good idea, but I would want to know how it's going to work in specific instances.

    Where I live, I'm within range of somewhere around 40 wifi networks. I use MAC address filtering to keep strange devices off my network, and don't broadcast my SSID partly out of politeness (so there aren't 41 networks showing up for my neighbours).

    How is a random MAC address going to work for me? Even if it knows to broadcast it's "real" MAC address to my home network, it doesn't necessarily know when it's in range of my home network. Am I going to be forced to turn off some part of my security system in order to get my iPhone 6 to work?

    I suppose, you could do some elaborate hand-shake where it probes for the home SSID with a random MAC address, then when it gets the rejection switches to the real one, but that seems to be overcomplicating things. Another option could be to geo-fence your home network, but that may not be terribly reliable...
  • Reply 18 of 37

    I definitely agree with you. I am sure the MAC address masking will be circumvented somehow by advertisers and the like. I really hope someone  makes a tweak that can hide the MAC address and also default Tor protection

  • Reply 19 of 37
    solipsismx wrote: »
    As privacy gets more and more rare I think companies like Google and Facebook will struggle more and those that don't make their money from ads will find it harder to compete with companies like Apple, which is why I'm surprise Apple doesn't tout these privacy features more.

    These features only exist in the pre-release software for iOS8. You talk like it's already out there being used.

    When iOS8 is released along with the new iPhones, THEN it will be news.
  • Reply 20 of 37
    solipsismxsolipsismx Posts: 19,566member
    These features only exist in the pre-release software for iOS8. You talk like it's already out there being used.

    When iOS8 is released along with the new iPhones, THEN it will be news.

    This isn't the first time Apple has failed to put in the limelight something I felt was noteworthy for security. Do you want to make a bet on whether devotes presentation time to this feature when they go over iOS 8 again during the iPhone/iPad special event?
Sign In or Register to comment.