By default, most modern OSes (especially mobile ones) do implement some MAC address randomization policies. Table 1 summarizes current practices for Androiod and iOS at the time of writing RFC9724 (the original source is available here) and also includes updates based on findings from the authors.
+=============================================+===================+
| Android 10+ | iOS 14+ |
+=============================================+===================+
| The randomized MAC address is bound to the | The randomized |
| SSID. | MAC address is |
| | bound to the |
| | Basic SSID. |
+---------------------------------------------+-------------------+
+---------------------------------------------+-------------------+
| The randomized MAC address is stable across | The randomized |
| reconnections for the same network. | MAC address is |
| | stable across |
| | reconnections for |
| | the same network. |
+---------------------------------------------+-------------------+
+---------------------------------------------+-------------------+
| The randomized MAC address does not get re- | The randomized |
| randomized when the device forgets a Wi-Fi | MAC address is |
| network. | reset when the |
| | device forgets a |
| | Wi-Fi network. |
+---------------------------------------------+-------------------+
+---------------------------------------------+-------------------+
| MAC address randomization is enabled by | MAC address |
| default for all the new Wi-Fi networks. But | randomization is |
| if the device previously connected to a | enabled by |
| Wi-Fi network identifying itself with the | default for all |
| real MAC address, no randomized MAC address | the new Wi-Fi |
| will be used (unless manually enabled). | networks. |
+---------------------------------------------+-------------------+
Table 1: Android and iOS MAC Address Randomization Practices
In September 2021, we performed some additional tests to evaluate how OSes that are widely used behave regarding MAC address randomization. Table 2 summarizes our findings; the rows in the table show whether the OS performs address randomization per network (PNGM according to the taxonomy introduced in Section 6 of RFC9724), performs address randomization per new connection (PSGM), performs address randomization daily (PPGM with a period of 24 hours), supports configuration per SSID, supports address randomization for scanning, and supports address randomization for scanning by default.
+=================+===============+=========+=========+=====+
| OS | Linux (Debian | Android | Windows | iOS |
| | "bookworm") | 10 | 10 | 14+ |
+=================+===============+=========+=========+=====+
| Random. per net.| Y | Y | Y | Y |
| (PNGM) | | | | |
+-----------------+---------------+---------+---------+-----+
+-----------------+---------------+---------+---------+-----+
| Random. per | Y | N | N | N |
| connec. (PSGM) | | | | |
+-----------------+---------------+---------+---------+-----+
+-----------------+---------------+---------+---------+-----+
| Random. daily | N | N | Y | N |
| (PPGM) | | | | |
+-----------------+---------------+---------+---------+-----+
+-----------------+---------------+---------+---------+-----+
| SSID config. | Y | N | N | N |
+-----------------+---------------+---------+---------+-----+
+-----------------+---------------+---------+---------+-----+
| Random. for | Y | Y | Y | Y |
| scan | | | | |
+-----------------+---------------+---------+---------+-----+
+-----------------+---------------+---------+---------+-----+
| Random. for | N | Y | N | Y |
| scan by default | | | | |
+-----------------+---------------+---------+---------+-----+
Table 2: Observed Behavior in Different OSes (as of September
2021)
According to "MAC Randomization Behavior", starting with Android 12, Android uses non-persistent randomization in the following situations: