iOS 8 won’t spill your unique device identifier to any router that asks

An unheralded tweak in iOS 8 is either a huge boon for privacy or a Trojan horse to make iBeacon more relevant, depending on your point of view. Last week at WWDC 2014, developers learned that iPhones running iOS 8 will no longer need to provide their unique MAC hardware identifier when looking for networks, but can provide a random, software-generated address instead.

A lot of iPhone users leave Wi-Fi on, so their phones continually ping networks with the phone’s Media Access Control address. However, just because your phone is looking for a wireless network doesn’t mean that router needs your actual unique identifier, because most of the time the device has no intention of actually connecting. According to a slide from a WWDC session, Apple is changing the iPhone’s scanning behavior to use “random, locally-administrated MAC addresses” for both probe requests and probe responses. When the iPhone or iPad actually connects to the network, it will use its burned-in MAC address, so Apple devices will still work with networks that only allow access to previously registered and whitelisted MAC addresses.
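What makes an address "locally administered" is a single bit in its first octet, and a Wi-Fi log can be sorted on it. The sketch below is an added example, not Apple's code or anything shown in the WWDC session; the function names are illustrative and the sample addresses are constructed.

```python
import re
import secrets

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))

def is_locally_administered(mac):
    # IEEE 802 U/L bit (0x02 of the first octet): 1 = assigned in software,
    # 0 = globally unique address burned in by the manufacturer.
    return bool(mac[0] & 0x02)

def is_multicast(mac):
    # I/G bit (0x01 of the first octet): 1 = group address, 0 = single station.
    return bool(mac[0] & 0x01)

def fmt(mac):
    return ":".join(f"{b:02x}" for b in mac)

def random_local_mac():
    """Random address of the kind the slide describes: U/L bit set, unicast."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # force locally administered, clear multicast
    return bytes(raw)

def classify(observed):
    """Split probe-request source addresses into burned-in vs. software-generated."""
    result = {"global": [], "local": []}
    for text in observed:
        mac = parse_mac(text)
        key = "local" if is_locally_administered(mac) else "global"
        result[key].append(fmt(mac))
    return result

# Constructed sample: one device probing twice with its burned-in address,
# plus two probes that carry locally administered addresses.
SAMPLE = ["00:1A:2B:3C:4D:5E", "da:a1:19:00:12:34",
          "02-00-00-aa-bb-cc", "00:1a:2b:3c:4d:5e"]

if __name__ == "__main__":
    print(classify(SAMPLE))
    print("fresh random probe address:", fmt(random_local_mac()))
```

The repeated `global` entry is the stable identifier a passive collector can key on; the `local` entries give it nothing that persists from one scan to the next.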


Presumably, the issue with handing out MAC addresses like candy is that there is no permission needed from the user to hand over that identifier, and this means marketers and businesses can do a sort of reverse war-driving. By collecting as much data as possible from phones that pass by a Wi-Fi access point, it’s possible to add location data to already-sophisticated customer databases.

Last year, the New York Times published an article on its front page about how stores like Nordstrom and Nomi exploit this loophole to better target ads and services: if someone signs up for a coupon or downloads an app while on store Wi-Fi, the store can then connect the MAC address of a particular phone to what it already knows about the customer.

The salient difference between this type of MAC-based targeting and Apple’s iBeacon project is whether the protocol explicitly asks for permission. When a device is probing for networks, it provides its MAC address as a matter of course. Apple’s location-based iBeacon gives the user an opportunity to opt out: the phone needs an installed app to listen for the iBeacon, instead of automatically providing device information as part of the networking protocol. Of course, Apple is introducing a GPS-based feature to prompt users to install just those apps.

Apple’s iOS 8 operating system was announced at WWDC last week and will be available to the public this fall.