In early 2015, architects of Google’s Android mobile operating system introduced a new feature that was intended to curtail the real-time tracking of smartphones as their users traversed retail stores, city streets, and just about anywhere else. A recently published research paper found that the measure remains missing on the vast majority of Android phones and is easily defeated on the relatively small number of devices that do support it.
Like all Wi-Fi-enabled devices, smartphones are constantly scanning their surroundings for available access points, and with each probe, they send a MAC—short for media access control—address associated with the handset. Throughout most of the history of Wi-Fi, the free exchange of MAC addresses didn’t pose much threat to privacy. That all changed with the advent of mobile computing. Suddenly MAC addresses left a never-ending series of digital footprints that revealed a dizzying array of information about our comings and goings, including what time we left the bar last night, how many times we were there in the past month, the time we leave for work each day, and the route we take to get there.
Eventually, engineers at Apple and Google realized the potential for abuse and took action. Their solution was to rotate through a sequence of regularly changing pseudo-random addresses when casually probing near-by access points. That way, Wi-Fi devices that logged MAC addresses wouldn’t be able to correlate probes to a unique device. Only when a phone actually connected to a Wi-Fi network would it reveal the unique MAC address it was tied to. Apple introduced MAC address randomization in June 2014, with the release of iOS 8. A few months later, Google’s Android operating system added experimental support for the measure. Full implementation went live in March 2015 and is currently available in version 5.0 through the current 7.1; those versions account for about two-thirds of the Android user base.