Apple randomise MAC addresses with iOS 8 … or did they?

Apple randomise MAC addresses with iOS 8 … or did they?
Posted on | Updated on

Some big news from Apple recently was the announcement that with iOS 8 they would be randomizing MAC addresses of devices when scanning for WiFi. We were all expecting this change as part of the iOS 8 release.


Early testing by Purple WiFi and others has revealed that random MAC addresses are only generated for iPad Air, iPad Mini Retina Display, iPhone 5S, iPhone 5C, iPhone 6 and iPhone 6 Plus. Other devices are not affected even if they have been updated with iOS 8. The random MAC is never used when the phone’s screen is on i.e. not asleep and when it is associated to an AP.

A pattern of actual MAC and random MAC addresses has already been identified, so at this stage it is potentially still possible to track an individual device, regardless of whether it uses iOS 8.

So how does this affect location analytics companies?

Presence analytics allows us to track a device by its MAC address, whether the device is logged in to the WiFi or not, so we can get valuable insights into footfall and use of space within a venue. We collect anonymous data relating to devices, such as how often they have been to a venue, how long they stayed, and their location and movement.

Although it seems clear that the impact of MAC address randomization with iOS 8 has actually been very minimal, it probably won’t stay that way long.

Of course, once a user logs on to the WiFi and provides their consent, the real MAC stands up. Logging on eliminates the effect of MAC address randomization on presence analytics, meaning we can continue to provide the reports via Purple WiFi technology. Encouraging venues to get their customers to log on to the WiFi and provide consent has always been the key part of our business. It ensures that both the venue and the end user benefits from everything our product has to offer and this will continue to be our prime focus.

It’s about privacy, not monetisation… right?

Apple has been telling us that the randomisation of MAC addresses was due to a concern for their customers’ privacy. However, they did not talk about this particular feature of iOS 8 during their WWDC keynote address; instead a tweet by Frederic Jacobs with a slide about MAC address randomisation most likely came out of a developer session. The slide stated that WiFi scanning behaviour in iOS 8 has been changed to use “random, locally administered MAC addresses” which “may not always be the device’s real (universal) address.”

A new Apple privacy page features an open letter from CEO Tim Cook, who writes:

“We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t ‘monetize’ the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you.”

This is Apple’s party line on privacy and monetisation following the iOS 8 release, but they’ve confirmed that the much anticipated Apple watch can track users via bluetooth, iBeacons and Near Field Communication (NFC) technology as they walk around. This means that vouchers and offers can still be sent to your watch – you guessed it, this is monetisation using data from your device.

There will always be speculation and suspicion when it comes to companies like Google, Facebook and Apple. Skeptics are surmising the randomisation of MAC addresses, rather than a tightening up of privacy, is more about Apple losing business to companies who were making a good living out of providing in store heat mapping and analytics, when Apple have their own tracking technology in the iBeacon.

As for us, we couldn’t possibly comment!

© 2024 Purple. All Rights Reserved.