Apple randomises MAC addresses in iOS 8, killing off key ad-tracking tool

Apple will introduce a significant boost to privacy for users in iOS 8

With iOS 8, Apple will introduce a significant boost to privacy for users by eliminating the usefulness of a unique device number that advertisers and app developers have used to keep a tab on users.

Apple may have borrowed app data-sharing and widgets from Android to build iOS 8, but the company appears to be drawing a line between the two at privacy.

Communicating changes in iOS 8 to developers at its Worldwide Developers Conference that wrapped up on Friday, Apple revealed it will restrict what data iOS 8 devices will share when they scan for wi-fi networks. It's going to do this by randomising the media access control (MAC) address that is broadcast when devices search for an available wi-fi network.

“In iOS 8, Wi-Fi scanning behavior has changed to use random, locally administrated MAC addresses,” Apple notes.

This means that “the MAC address used for Wi-Fi scans may not always be the device’s real (universal) address,” Apple explains.

Currently all computers emit a device’s MAC address while it searches for available wifi networks and, without too much effort, anyone can see that address. The reason it’s seen as a threat to privacy is because the number is unique, making it a useful way for advertisers to continue monitoring a device owner.

News of the upcoming changes were outed on Sunday by UK-based user interface designer Luis Abreu.

“Remember the London trash cans that collected Wi-Fi MAC addresses? Not possible with iOS 8 as they’re randomized during scanning,” he wrote in a post on Twitter .

The trash cans he referred to were the 100 smart recycling bins that a UK startup called Renew rolled out across London ahead of the 2012 Olympics but only caught the attention of media in mid-2013.

The bins recorded the MAC address of each device that passed by, offering advertisers a map of a person’s movements through the city. At the time, the company’s spokesman told Quartz that it didn’t violate anyone’s privacy because it collected publicly available information, and didn’t link that to the owner’s home address or name. Nonetheless, London City pulled the plug on the smart bins.

While randomising a MAC address might prevent companies like Renew from tracking a person’s movements, Apple has had its eye on the unique identifier for some time for different reasons.

Read more: Apple, Cisco join Microsoft’s fight against US warrant for email stored overseas

On May 1, 2013, Apple began blocking apps that attempt to access an iOS device’s unique device identifier (UDID), which until then had been the most reliable way for advertisers to track users.

Ahead of the ban, as TechCrunch reported in 2012, the MAC address became a popular substitute for UDID since it too was unique and permanent, making it a reliable replacement.

The ban on UDID came as Apple launched its alternative system, Advertiser Identifier (Ad ID). Back then, as it continues to do today, Apple is encouraging developers to adopt its Ad ID, which provides advertisers a unique number associated with each iOS device but offers iOS users an option to “limit ad tracking” and the choice to reset their identifier.

Other privacy changes Apple will introduce with iOS include a new setting to block all third party cookies even if the user has visited a site in the past.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about AppleCSOEnex TestLab

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place