Master's Thesis · December 2012

Preventing User and Hardware Tracking in Mobile Devices

Author David Stites
Institution University of Colorado
Degree M.S. Computer Science
Completed December 2012
↓ Read Full Text (PDF) Get in Touch

Summary

Abstract

Mobile devices transmit hardware identifiers — MAC addresses, IMEI numbers, and other persistent signals — that enable third parties to track users across locations, networks, and applications without their knowledge or consent. Over time, these identifiers can be correlated into detailed behavioral profiles that persist even across app uninstalls, factory resets, and carrier changes.

This thesis proposes a privacy-preserving framework that addresses the tracking problem at its root: the hardware identifier itself. By replacing static, persistent hardware addresses with randomly generated, disposable identifiers that rotate on a structured schedule, the framework breaks the correlation chain that makes long-term tracking possible — without sacrificing the functionality that those identifiers provide to the network and operating system.

Motivation

The Problem

Hardware Fingerprinting

Static identifiers like MAC addresses are broadcast continuously and passively, making them trivially easy to capture without user interaction.

Cross-Context Correlation

Advertisers and data brokers aggregate signals across apps, networks, and locations to build persistent behavioral profiles tied to a specific device.

No User Control

Existing privacy controls — app permissions, do-not-track flags — operate at the software layer and cannot prevent hardware-level identification.

Solution

Proposed Approach

  • 01
    Disposable Hardware Identifiers Generate cryptographically random hardware addresses that replace static identifiers at the OS level, making each session unlinkable to previous ones.
  • 02
    Structured Rotation Schedule Rotate identifiers on a schedule calibrated to balance privacy protection against network functionality — frequent enough to prevent tracking, stable enough to maintain connectivity.
  • 03
    Framework Architecture Implement the solution as a system-level framework rather than an app-level control, ensuring coverage across all network interactions regardless of which applications are running.
  • 04
    Backward Compatibility Maintain full compatibility with existing network infrastructure — the framework is transparent to routers, access points, and network services.

Context

Why This Still Matters

This research was completed in 2012, predating widespread public awareness of mobile tracking. Many of its core proposals — particularly MAC address randomization — have since been adopted by major mobile operating systems. Apple introduced MAC address randomization in iOS 8 (2014) and extended it with Private Wi-Fi Address in iOS 14 (2020).

The threat model described in this thesis has only become more relevant as mobile devices have proliferated and advertising ecosystems have grown more sophisticated. The fundamental tension between hardware-layer identification and user privacy remains an active area of systems and security research.