Randomise the WiFi MAC address on your Android device to defeat passive location tracking.
While you're walking around with your WiFi-enabled phone, it's periodically searching for networks to connect to.
The range of WiFi being what it is, this leaks a significant amount of information about where you've been, and also where you live and work (1).
A number of advertisers, businesses and analytics companies have realised the value in tracking people using this information. Notable examples that made the press include:
(1): When searching for known networks, phones often send 'probe requests' to BSSIDs of known networks. BSSIDs uniquely identify routers, and mapping providers like Google and Apple have comprehensive databases of router locations thanks to crowd-sourced data from Android and iOS devices.
MacHopper uses the Linux ip program to set the public MAC address to a random value at a configurable interval.
To a tracking network, this means your device periodically disappears, and shortly after, a new and apparently different device appears.
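One way to do this kind of hop by hand, as an added example that is not MacHopper's own code: it picks a random unicast, locally administered address and applies it with `ip link set`. The interface name `wlan0`, the need for root, and the down/up cycle around the change are assumptions that vary by device and firmware.

```shell
#!/bin/sh
# Added example (not from MacHopper): random MAC generation plus the ip calls.

# Print a random MAC. The first octet is masked so the address is unicast
# (bit 0 clear) and locally administered (bit 1 set), which keeps it out of
# vendor-assigned address space.
random_mac() {
    # Six random bytes as decimal numbers; word splitting is intentional.
    set -- $(od -An -N6 -tu1 /dev/urandom)
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( ($1 & 252) | 2 )) "$2" "$3" "$4" "$5" "$6"
}

# Succeed only if $1 is a lowercase, well-formed MAC that is unicast and
# locally administered (low two bits of the first octet are binary 10).
is_local_unicast() {
    h='[0-9a-f][0-9a-f]'
    case $1 in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 1 ;;
    esac
    [ $(( 0x${1%%:*} & 3 )) -eq 2 ]
}

# Apply a fresh address to an interface (default wlan0, an assumption).
# With DRY_RUN=1 (the default) the ip commands are only printed; set
# DRY_RUN=0 and run as root to execute them.
hop_mac() {
    hop_iface=${1:-wlan0}
    hop_addr=$(random_mac)
    is_local_unicast "$hop_addr" || return 1
    hop_run=
    [ "${DRY_RUN:-1}" = 1 ] && hop_run=echo
    $hop_run ip link set dev "$hop_iface" down &&
    $hop_run ip link set dev "$hop_iface" address "$hop_addr" &&
    $hop_run ip link set dev "$hop_iface" up
}
```

Running `hop_mac wlan0` with the default `DRY_RUN=1` prints the three commands so they can be reviewed before anything is changed.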
- MacHopper can only help protect against 'passive' tracking in which your device is scanning for networks but is not connected.
- Your device may leak other personally-identifiable information as part of network discovery. See "Ars Technica - Anatomy of an iPhone leak" for more information.
- MAC randomisation should be sufficient to defeat naive tracking if done frequently enough, but if MAC randomisation were to become a serious concern to tracking companies it would be easy to 'join up' disconnected sessions by inference or other leaked information.
- At this stage, MacHopper is only a rough prototype, and has not been tested on many devices. It's likely that support for the ip command varies between manufacturers and firmware versions. To make sure it works on your device, I'd recommend inspecting your network traffic with Wireshark.
- A better solution would involve OS-level support for randomisation (à la iOS 8). If you're interested, consider starring the Android feature request, but don't hold your breath because better privacy controls are at odds with Google's business model.