iOS 8's location-tracking protections aren't as powerful as predicted

In June, researchers discovered an unexpected feature in iOS 8 that seemed to offer new protections against location-tracking. But now that the new operating system is trickling out to customers, many marketers are saying it won't even slow them down. As it turns out, Apple's big privacy win isn't as big as we thought.

The new iOS feature focuses on a phone's MAC address, a persistent ID used by mobile devices when scanning for open Wi-Fi signals. In recent years, marketers have started using MAC addresses to track people in stores and malls, pulling data even when the phone is in sleep mode. Privacy advocates don't like it, and iOS 8 seemed to offer a simple fix: When the phone was in sleep mode, it would offer a phony MAC address, chosen at random and completely unconnected to the phone itself. Unearthed by researcher Frederic Jacobs, the feature seemed to offer a simple technical fix to a tricky privacy problem.

Not so fast, say marketers. Airtight Networks, which performs MAC-based location tracking for clients, has been examining iOS 8's MAC spoofing feature in the wild, and the firm has come away unimpressed. Getting MAC spoofing to work in practice requires a delicate combination of settings, which Airtight says will severely limit the real-world impact of the feature. Both cellular data service and iOS's Location Services setting must be switched off, and switching them off will seriously diminish the capabilities of the user's phone. Turning off Location Services will disable the phone's GPS and a host of related functions, while switching off cellular data will limit any internet access to Wi-Fi only. The feature also won't work on the iPhone 5, or anything from a previous generation, and iPad Minis also seem to be missing the feature. Finally, the nature of the spoofing means it only works in sleep mode, so as soon as a phone's screen lights up, any protection from MAC spoofing is lost.

Those restrictions alone will rule out most users, but Airtight says marketers should be able to work through data even if MAC spoofing is in effect. "It’s easy to weed out the random MACs from real MACs because they use special signatures," says Hemant Chaskar, a VP at Airtight. "So if you want to sanitize the sample set before doing your big data analysis, that is possible."

As a result, it seems likely the vast majority of iPhone users will miss out on these protections, and the location-tracking industry will be relatively unaffected by the changes. iOS 8's MAC spoofing feature could still pave the way for stronger protections down the road, but it's far from the big blow for privacy that many had expected this summer.