In early 2015, architects of Google's Android mobile operating system introduced a new feature that was intended to curtail the real-time tracking of smartphones as their users traversed retail stores, city streets, and just about anywhere else. A recently published research paper found that the measure remains missing on the vast majority of Android phones and is easily defeated on the relatively small number of devices that do support it.

Like all Wi-Fi-enabled devices, smartphones are constantly scanning their surroundings for available access points, and with each probe, they send a MAC—short for media access control —address associated with the handset. Throughout most of the history of Wi-Fi, the free exchange of MAC addresses didn't pose much threat to privacy. That all changed with the advent of mobile computing. Suddenly MAC addresses left a never-ending series of digital footprints that revealed a dizzying array of information about our comings and goings, including what time we left the bar last night, how many times we were there in the past month, the time we leave for work each day, and the route we take to get there.

Eventually, engineers at Apple and Google realized the potential for abuse and took action. Their solution was to rotate through a sequence of regularly changing pseudo-random addresses when casually probing near-by access points. That way, Wi-Fi devices that logged MAC addresses wouldn't be able to correlate probes to a unique device. Only when a phone actually connected to a Wi-Fi network would it reveal the unique MAC address it was tied to. Apple introduced MAC address randomization in June 2014, with the release of iOS 8. A few months later, Google's Android operating system added experimental support for the measure. Full implementation went live in March 2015 and is currently available in version 5.0 through the current 7.1; those versions account for about two-thirds of the Android user base.

Newly published research, however, has found Android's MAC randomization to be largely absent. Of the roughly 960,000 Android devices that were scanned over a two-year period, fewer than 60,000 of them—and very possibly as few as 30,000 of them—randomized their addresses, even when running OS versions that supported the feature. (The researchers know only that they received about 60,000 randomized MAC addresses from Android phones. They presume that in at least some cases, two or more of the randomized addresses belonged to the same phone.) Equally alarming, of the six percent of Android phones the researchers saw providing randomization, virtually all of them periodically sent out probes using their unique MAC address, a flaw that largely rendered the measure useless. The only model researchers found to do randomization correctly was the Cat S60. In sharp contrast, virtually all of the iOS devices observed by the researchers provided robust randomization.

False sense of security

Travis Mayberry, a professor at the US Naval Academy and one of the authors of the paper, wrote in an e-mail:

Our research contains two important results for the average user: 1) it turns out that most Android phones simply do not have this technology enabled, despite the fact that they are running new versions of the operating system that should allow for it and 2) there are many weaknesses in the way randomization is implemented that make it easy to circumvent. This leaves people with a false sense of security because they think this technology is protecting them from tracking when actually it is not.

The biggest problem with phones that have randomization enabled is that with the exception of the Cat S60, they regularly reveal their hardware MAC address even when they're not associated with the access point they're communicating with. It's not clear why this happens. In a paper titled "A Study of MAC Address Randomization in Mobile Devices and When it Fails," the researchers wrote:

In our lab environment we observed that in addition to periodic global MAC addressed probe requests, we were able to force the transmission of additional such probes for all Android devices. First, anytime the user simply turned on the screen, a set of global probe requests were transmitted. An active user, in effect, renders randomization moot, eliminating the privacy countermeasure all together. Second, if the phone received a call, regardless of whether the user answers the call, global probe requests are transmitted. While it may not always be practical for an attacker to actively stimulate the phone in this manner, it is unfortunate and disconcerting that device activity unrelated to WiFi causes unexpected consequences for user privacy.

The researchers said the probes advertising that hardware-connected MAC addresses can be made even when Wi-Fi is turned off, for instance, when Wi-Fi-based location settings are enabled.

Even when Android devices aren't showing their global MAC address, the researchers found other ways to identify individual phones. One of the most effective methods is to fingerprint probe requests based on what are known as "information elements" that are included in addition to the randomized MAC address. These elements are used to advertise various attributes of a phone and are generally used to implement extensions and special features to run on top of the standard Wi-Fi protocol.

Since every model of phone has unique capabilities, the combination of these tags creates a unique signature that can single out the phone from a group of phones, even when it's using random MAC addresses. Even though the MAC address changes, the tags stay the same. The researchers said they borrowed the fingerprinting technique from an earlier research but also went on to refine it. In their paper, they wrote:

We observe that most Android devices use different signatures when randomizing compared to when using a global MAC address. As such, previously described signature-based tracking methods fail to correlate the addresses. Using our decomposition of Android randomization schemes, and the derived knowledge of how distinct bins of devices behave, we properly pair the signatures of probe requests using global and randomized MAC addresses. Only by combining these signatures are we able to accurately and efficiently retrieve the global MAC address.

The researchers said the refined fingerprinting technique defeats randomization in 96 percent of Android phones that have the privacy feature implemented.

Other ways to defeat Android randomization included what's known as a Karma attack, in which an attacker access point uses the same SSID as one belonging to a Wi-Fi network that a target phone is set up to automatically connect to. Because randomization stops as soon as a device connects to an access point, the attacker is able to obtain the phone's global MAC address. Attackers have long been known to exploit this weakness by giving access points names such as attwifi, xfinitywifi, starbucks that many phones automatically connect to whenever the networks are available. In many cases, the attack is made worse by carriers or manufactures that automatically preconfigure phones to certain access points, the researchers said.