Every Wi-Fi radio has a MAC address — a 48-bit identifier burned in at the factory. The first 24 bits identify the manufacturer (Apple, Samsung, Qualcomm); the remaining 24 bits are device-unique. For two decades, when your phone walked into a coffee shop, it announced this address to the world by broadcasting probe requests asking "anyone here named MyHomeNetwork?" The shop's analytics router noted the request, logged the timestamp, and started building a profile.
Multiply that by every shop, every transit station, every airport gate, every shopping mall. Whole companies — Euclid Analytics, Path Intelligence, Walkbase, RetailNext — built businesses on cross-referencing MAC addresses across networks. A device walking past the same set of shops every weekday morning is a unique pattern; a device that appeared at a clinic last Tuesday is identifiable.
The Probe Request Problem
Probe requests are not optional. When your Wi-Fi is on and you are not connected to a network, your device periodically broadcasts probe requests to discover available networks. Historically these requests included two pieces of information: your MAC address, and the SSIDs of networks your device remembered ("MyHomeNetwork", "OfficeWifi", "Starbucks WPA2", "Mom's House"). The SSID list alone is often enough to identify someone — your remembered network history is essentially unique.
Pre-randomization, a phone broadcast both a permanent identifier (MAC) and a partial life history (SSID list) every few seconds, to anyone with a Wi-Fi card in monitor mode. Each piece alone was enough to track or identify; together they were a fingerprint.
How Randomization Works
iOS introduced MAC randomization in iOS 8 (2014) but only for probe requests, not associations. Android added it in version 8.0 (2017) with a similar limitation. The substantial upgrades came later:
- iOS 14 (2020): A unique randomized MAC per saved network, persistent across reconnections to that network but different from every other network. Probe requests use rotating random MACs.
- Android 10+: Per-network randomized MAC by default for saved networks; rotating randomized probes.
- Android 12+: Optional "non-persistent" mode that rotates the randomized MAC even within the same saved network, at intervals (typically 24 hours).
The design has a clear logic: a stable MAC is required to reconnect to a network you have authorized, because access control lists, captive portals, and DHCP leases need to recognize you. So the randomized MAC is stable within a network but different across networks. Probe requests, which are inherently unauthenticated and don't need any continuity, are randomized aggressively.
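The per-network property described above can be checked on your own devices. The sketch below is an added example, not code from any OS vendor: it relies on the IEEE 802 convention that randomized addresses set the "locally administered" bit of the first octet, and the SSIDs, addresses and function names are constructed for illustration.

```python
# Added example: audit the MAC a device presents to each saved network.

def parse_mac(text):
    """Return the six octets of a colon- or dash-separated MAC address."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes(int(p, 16) for p in parts)


def is_randomized(mac):
    """True for a unicast, locally administered address.

    Bit 0x02 of the first octet is the IEEE 802 "locally administered" flag,
    which factory-assigned addresses leave clear. Bit 0x01 marks multicast.
    """
    return bool(mac[0] & 0x02) and not (mac[0] & 0x01)


def audit(saved):
    """saved maps SSID -> MAC string. Returns (hardware_exposed, reused)."""
    hardware_exposed, by_mac = [], {}
    for ssid, text in saved.items():
        mac = parse_mac(text)
        if not is_randomized(mac):
            hardware_exposed.append(ssid)  # randomization is off for this network
        by_mac.setdefault(mac, []).append(ssid)
    # Per-network randomization should never give two networks the same MAC.
    reused = sorted(sorted(s) for s in by_mac.values() if len(s) > 1)
    return sorted(hardware_exposed), reused


# Constructed sample data: SSIDs and addresses are made up for illustration.
# 00:00:5e:00:53:xx is the range reserved for documentation.
SAVED = {
    "HomeNetwork": "da:a1:19:3c:07:55",
    "OfficeWifi": "00:00:5e:00:53:2a",   # factory-style address, bit 0x02 clear
    "CafeGuest": "62:4b:9e:11:8d:02",
    "AirportFree": "62-4B-9E-11-8D-02",  # same address as CafeGuest
}

if __name__ == "__main__":
    exposed, reused = audit(SAVED)
    print("factory MAC in use on:", exposed)
    print("same MAC on several networks:", reused)
```

A network listed in the first result is one where the hardware address is being presented, which is the situation described under Hole 5 below.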
The Holes
MAC randomization is one of the better mobile-privacy improvements of the last decade. It is also imperfect, and the gaps are well-documented in the academic literature.
Hole 1: Information element fingerprinting
Probe requests contain more than a MAC and an SSID list. They include "information elements" (IEs) describing supported radio capabilities: exact rate sets, HT/VHT/HE capability flags, vendor-specific extensions. Different chipset/firmware combinations produce slightly different IE strings. A 2017 paper (Vanhoef et al., "Why MAC Address Randomization is Not Enough") showed that the IE fingerprint alone is often unique enough to track devices across MAC rotations.
Hole 2: Sequence number tracking
The 802.11 frame header includes a 12-bit sequence number that increments with each frame. Frames sent by the same radio in quick succession will have consecutive sequence numbers, even if the MAC changed between them. An observer watching closely can link MAC-randomized frames back together by following the unbroken run of sequence numbers.
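To test whether one of your own devices has this leak, the check below looks for a counter that carries on across a MAC rotation, including the wrap from 4095 to 0. It is an added example, not code from the cited research: it assumes a capture already filtered to a single test device, and the frame tuples, thresholds and names are constructed.

```python
# Added example: does the 12-bit sequence counter survive a MAC rotation?
# Assumes the capture holds frames from a single device under test.

SEQ_MODULUS = 4096  # the 802.11 sequence number is 12 bits wide


def linked_rotations(frames, max_gap=8, max_seconds=2.0):
    """frames: list of (timestamp_s, mac, seq) in capture order.

    Returns (old_mac, new_mac) pairs where the first frame from a new MAC
    continues the counter of the last frame sent under the previous MAC.
    """
    links, seen, prev = [], set(), None
    for ts, mac, seq in frames:
        if prev is not None and mac != prev[1] and mac not in seen:
            gap = (seq - prev[2]) % SEQ_MODULUS  # modular, so 4095 -> 0 is a gap of 1
            if 0 < gap <= max_gap and ts - prev[0] <= max_seconds:
                links.append((prev[1], mac))
        seen.add(mac)
        prev = (ts, mac, seq)
    return links


# Constructed capture: the counter keeps running through two rotations.
LEAKY = [
    (0.00, "da:a1:19:3c:07:55", 4093),
    (0.02, "da:a1:19:3c:07:55", 4094),
    (0.90, "62:4b:9e:11:8d:02", 4095),
    (0.92, "62:4b:9e:11:8d:02", 0),
    (1.80, "a6:10:7f:00:c4:9b", 1),
    (1.82, "a6:10:7f:00:c4:9b", 2),
]

# Constructed capture: the counter is re-seeded at every rotation.
RESET = [
    (0.00, "da:a1:19:3c:07:55", 4093),
    (0.02, "da:a1:19:3c:07:55", 4094),
    (0.90, "62:4b:9e:11:8d:02", 1710),
    (0.92, "62:4b:9e:11:8d:02", 1711),
    (1.80, "a6:10:7f:00:c4:9b", 305),
    (1.82, "a6:10:7f:00:c4:9b", 306),
]

if __name__ == "__main__":
    print("leaky device:", linked_rotations(LEAKY))
    print("reset device:", linked_rotations(RESET))
```

A re-seeded counter still lands within `max_gap` by chance about `max_gap` times in 4096, so judge a device over several rotations rather than one.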
Hole 3: Timing analysis
Probe-request timing is not random — devices have characteristic intervals between probes that depend on their power-management state. Combined with the IE fingerprint and sequence numbers, the timing distribution is another linkage signal.
Hole 4: SSID fingerprinting after association
Once you join a network, your randomized MAC is per-network — stable for as long as that network knows you. If you join the same shop's free Wi-Fi twice a week for months, that randomized MAC reliably identifies you to that shop. The randomization protects you across different networks, not within the same network over time.
Hole 5: The bypass switch
Both iOS and Android let users (and, more importantly, some apps and configurations) disable MAC randomization per network. Enterprise networks often demand a stable MAC for RADIUS authentication; some captive portals break under randomization. The user-friendly defaults are good, but the off switch exists and gets flipped.
What Defenders Have Done About It
Some of the gaps have been closed in practice:
- iOS 16+ randomizes sequence numbers alongside MAC rotations to break the sequence-linking attack.
- Android 13+ includes mitigations for information-element fingerprinting in probe requests on newer chipsets, reducing the diversity of fields that ride along.
- Wi-Fi 7 (802.11be) includes additional privacy provisions in the standard itself, though deployment is still rolling out.
Independent research continues to find new fingerprinting vectors. The cat-and-mouse pattern is familiar from browser fingerprinting: as one identifier gets randomized, attackers find another.
What You Can Actually Do
Practical steps that go beyond the defaults:
- Verify randomization is on for every saved network. iOS: Settings → Wi-Fi → tap (i) next to a network → "Private Wi-Fi Address" should be enabled. Android: Wi-Fi settings → tap network → Privacy → "Use randomized MAC."
- Forget public networks you no longer use. Each saved network is a long-term identifier and a probe-request leak.
- Turn Wi-Fi off when not actively using it. The OS controls are improving, but the only sure-fire way to stop broadcasting is to stop broadcasting.
- On Android 12+, enable non-persistent MAC for sensitive networks (per-network setting). Some networks will reject this; use it where you can.
- For higher threat models, consider a dedicated travel device with a fresh OS and no saved networks from your home life.
MAC randomization made bulk Wi-Fi tracking meaningfully harder. It did not make it impossible. A stationary radio with monitor-mode capabilities and good signal processing can still link the same device across MAC rotations through secondary signals — but the cost of doing so at scale across every retailer in a country has gone up.
Where Haven Fits
MAC-layer privacy is a different layer from messenger privacy — Haven cannot help with what your radio broadcasts. But the same threat-modeling discipline applies: marketers, ad networks, and surveillance vendors will identify you through whatever identifiers your devices emit, and the only durable defense is to emit fewer of them.
What Haven does is reduce the number of accounts, addresses, and identifiers you keep in the broader ecosystem. Integrated encrypted email and chat under one identity means one fewer dataset for someone to cross-reference, with content the provider cannot read. Combine that with strong defaults at the OS and network layer — randomization on, Wi-Fi off when idle, public networks forgotten — and you make the bulk-tracking economy work harder for the same data.