The new MAC address randomization feature in iOS 8 is just one of a battery of new privacy features Apple is introducing. It’s part of an Apple push to make mobile app developers more aware of enduser privacy and to give them iOS tools to make privacy-related app actions clearer, so that users can allow them or not.
A young Swiss security researcher, Frederic Jacobs (@FredericJacobs) apparently was the first to tweet about one of the new privacy features: a change in iOS that lets the device’s radio use, in effect, fake MAC addresses when scanning for nearby Wi-Fi networks. When the user decides to associate with a specific network, the device uses its true MAC address.
+Also on Network World: “iOS 8: Way more open to your world”+
That change means that device and user information will be hidden from the network and network-based location tracking applications, while users are simply walking around with their iPhone or iPad Wi-Fi radio turned on but not connected to a given hotspot or WLAN.
But the current beta release of iOS 8 apparently doesn’t yet have this randomization, or if it is, it’s not turned on, according one iOS 8 beta user, Eric Kenny, network and security engineer, Marist College, Poughkeepsie, NY. Presumably that means Apple will add the code for it, or activate it, in a later build prior to the general release of iOS 8, which is expected around September.
“I used a Fluke Networks "OneTouch" [network tester] to capture the probe requests seen over the air and forced my iOS 8 iPhone 5s to scan for available networks,” Kenny says. “The packet capture clearly shows that the phone’s actual burned in MAC address was used to send each probe request and that no randomization occurred.”
Currently, Kenny says, a client Wi-Fi radio probes for nearby networks by sending out “a management frame to known networks (SSIDs) it has connected to in the past, as well as a special SSID called "Broadcast. The device then waits for a probe response which will contain the MAC address of the BSSIDs that are available.”
There has been a trend, especially by retailers, to use the MAC address gleaned from client radios that are scanning automatically for Wi-Fi networks, to learn about customers’ behavior.
Last year, Aerohive Networks announced a partnership with Euclid Analytics, to embed Euclid’s data analysis software with Aerohive’s cloud-based WLAN controller. The change means that Aerohive’s access point, in a clothing or sporting goods store for example, can collect the MAC address in a device’s probe request, along with signal strength and device manufacturer. The MAC address is immediately hashed to anonymize it, so neither Aerohive nor Euclid would be collecting user-specific information, and then encrypted to pass the data to the Euclid software for processing. The software can detect “repeat visitors” to a location, but not their identities.
The goal is to give retailers generalized data about users’ behavior, the number of Wi-Fi devices passing a store compared to the number actually entering the store, according to spokesmen for both companies. The Wi-Fi protocol doesn’t give Euclid access to personal information such as email address or phone number, they said.
In response to the MAC randomization news, Euclid issued a statement today, which in part says: “We fully support Apple's decision to add additional layers of consumer protection by randomizing MAC addresses at the device level. Providing additional privacy safeguards at the device level will help address any lingering privacy concerns with Wi-Fi based analytics. We see a major win-win for retailers looking to deploy mobile locations analytics and the consumers they serve.”
Jacobs’ tweet on MAC randomization featured an image, shown nearby, from an online Apple presentation, “User Privacy on iOS and OS X,” presented at last week’s Worldwide Developers Conference by Apple employees, David Sites and Katie Skinner, both with the Apple Product Security and Privacy group.
That presentation makes it clear that the randomization is one of a number of privacy and data protection changes for developers and users, and that Apple is pushing developers to think carefully about privacy in their apps. Besides the MAC address randomization, these changes include:
+ Family sharing – Up to six people in a family, each with their own Apple account, now can share purchase from iTunes, iBooks and the App Store; all can use one credit card, and parents get to approve a child’s purchase using that card from the parent’s iPhone or iPad. One implication is that there will be “larger number of Apple accounts owned by children.” Apple encourages developers to “consider implications for your app under relevant laws” such as the federal Children’s Online Privacy Protection Act (COPPA).
+ New setting to block all third-party cookies on the Safari browser, “regardless of whether the user has visited the site previously.” Users now can block cookies that are “not from current Website” by selecting that option from Settings>Safari>Block Cookies.
+ Changes to the Address Book UI people picker, for selecting a person, sometimes with accompany information like the person’s email address, from Contacts. In iOS 8, the people picker will have a “new mode that doesn’t prompt the user for access to Contacts.”
The randomization and other changes in iOS 8 are part of trend to give users greater control over their wireless relationships, balancing privacy with personalization, according to Chris Spain, vice president, Product Management, with Cisco’s Enterprise Networking Group.
"Privacy is always of concern when the collection of data occurs,” he says. “When Wi-Fi solutions are deployed to address business problems, organizations such as retailers, hotels, airports, etc., benefit by having the ability to provide a more personalized experience to the consumers, if they opt-in. Properly deployed solutions must have transparent terms and conditions that allow individuals and businesses to make informed decisions.”
The WWDC presentation on user privacy lays great stress on carefully designing the user’s experience of privacy issues and protections. Apple has laid out for developers a mantra called “prompting with purpose” – alerting users when they take an action that has privacy implications, giving them succinct but clear information about what data is being requested, and why, and letting them explicitly grant or refuse permission.
As part of this emphasis, iOS 8 also now adds a new set of purpose strings and privacy keys for developers to use in conjunction with location services, camera, and the new Health Kit data interface. These changes give users new information about privacy risks associated with these resources when they are called by an app.
Another change will let an iOS 8 app steer users directly to the relevant privacy settings on their device for the app they’re using. Location Services in iOS now have two modes for updating a device’s location. Users can select “always” to have the app run continuously even in background, or “when in use” so the updates occur only when the user is working with the app.
In some instances, enterprises can add app restrictions that prevent employees from changing privacy settings.
The MAC randomization apparently will not affect users choosing to associate with a given WLAN, and once they do, the real MAC address does become visible to the network, and to network-based applications that may be looking for it. For example, Aruba Networks’ ClearPass access management application “will end up with the real MAC address as a part of the authentication process and as such should not be affected by the change, says Denzil Wessels, senior product manager at Aruba.
He also thinks that randomization won’t affect Wi-Fi-based indoor location services, such as Aruba’s Meridan app, which uses access point signals to triangulate a mobile device’s position.