25

It looks like starting with iOS 10.2, Apple has now prevented access to all MAC addresses, not just the one of your own device.

However, there are some apps in the store that seem to manage that still, .e.g Fing and Net Analyzer. Are these still working because they were compiled against an older SDK or do they have special tricks to gather the MAC address?

Can anyone share a work-around to get the MAC addresses for iOS 10.2 devices on WiFi?

DrMickeyLauer
  • 4,455
  • 3
  • 31
  • 67
  • 1
    Hopefully this is a defect since it seems a bit extreme. There may be another way to access the arp table via a PF_ROUTE socket or other mechanism. My app stopped working and was built pre iOS 10.2, so I don't think it's related to libraries. Fing is very fast to find MACs, so my guess is they have another route or some sort of entitlement which removes the sandbox. Nothing shows up on Wireshark which would suggest use of network protocols. A possible is they can read ARP replies but that normally needs a raw socket. – Rory McKinnel Dec 30 '16 at 11:23
  • 1
    I asked the fing guys via E-Mail, but they didn't respond yet. Will update the issue when I get anything. – DrMickeyLauer Dec 30 '16 at 12:17
  • Facing the same problem. Interesting fact is the struct that gets returned from the arp table lookup still has the other details like socket_type, socket_family and address_length, but the address_data is NULL. I wonder why return a valid address_data_length and then return an address_data array containing NULL values !! – Debaprio B Dec 30 '16 at 22:11
  • This is being closely tracked on another thread: http://stackoverflow.com/questions/31226522/ios-get-arp-table as well as in a GitHub project: https://github.com/mavris/MMLanScan/issues/3#issuecomment-267268987 – ecume des jours Dec 31 '16 at 23:33
  • Can anyone explain WHY Apple aims to prevent programs from getting that information? I know this is not directly related to the question, but I am curious now... – BitTickler Jan 12 '17 at 04:05
  • Is it related to this? http://appleinsider.com/articles/14/06/09/mac-address-randomization-joins-apples-heap-of-ios-8-privacy-improvements – BitTickler Jan 12 '17 at 04:13
  • @BitTickler It's probably just because being able to get someone else's MAC address is some kind of potential violation of privacy. – Jon Jan 23 '17 at 21:54

1 Answers1

14

This is only test code, just to give an idea for how to get the Mac address. But I am sure Apple will soon close this option.

-(void) jan_mac_addr_test:(const char*) host
{
    #define BUFLEN (sizeof(struct rt_msghdr) + 512)
    #define SEQ 9999
    #define RTM_VERSION 5   // important, version 2 does not return a mac address!
    #define RTM_GET 0x4 // Report Metrics
    #define RTF_LLINFO  0x400   // generated by link layer (e.g. ARP)
    #define RTF_IFSCOPE 0x1000000 // has valid interface scope
    #define RTA_DST 0x1 // destination sockaddr present
    int sockfd;
    unsigned char buf[BUFLEN];
    unsigned char buf2[BUFLEN];
    ssize_t n;
    struct rt_msghdr *rtm;
    struct sockaddr_in *sin;
    memset(buf,0,sizeof(buf));
    memset(buf2,0,sizeof(buf2));

    sockfd = socket(AF_ROUTE, SOCK_RAW, 0);
    rtm = (struct rt_msghdr *) buf;
    rtm->rtm_msglen = sizeof(struct rt_msghdr) + sizeof(struct sockaddr_in);
    rtm->rtm_version = RTM_VERSION;
    rtm->rtm_type = RTM_GET;
    rtm->rtm_addrs = RTA_DST;
    rtm->rtm_flags = RTF_LLINFO;
    rtm->rtm_pid = 1234;
    rtm->rtm_seq = SEQ;


    sin = (struct sockaddr_in *) (rtm + 1);
    sin->sin_len = sizeof(struct sockaddr_in);
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = inet_addr(host);
    write(sockfd, rtm, rtm->rtm_msglen);

    n = read(sockfd, buf2, BUFLEN);
    if (n != 0) {
        int index =  sizeof(struct rt_msghdr) + sizeof(struct sockaddr_inarp) + 8;
        // savedata("test",buf2,n);
        NSLog(@"IP %s ::     %2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x",host,buf2[index+0], buf2[index+1], buf2[index+2], buf2[index+3], buf2[index+4], buf2[index+5]);

    }
}
mochasoft
  • 391
  • 1
  • 4
  • 3
    This is the correct answer for now, and is derived from a crucial tip by "wadecong" over on github. Both users deserve a ton of credit for their work and willingness to share it. I also hope that this cat and mouse game around arp table access will lead Apple to address the issue with a more intelligent approach, such as Entitlements. There are legitimate cases where the use of MAC addresses can provide for a better user experience without compromising privacy or security. – ecume des jours Jan 12 '17 at 16:14
  • 1
    Just add a close(sockfd) and ensure you are freeing the buffers and it works perfectly. – Debaprio B Jan 18 '17 at 19:35
  • sorry i'm a noob. What value should I pass to the argument 'host' in this method? Also, where exactly should I implement this method in my iOS project? – rak appdev Jan 30 '17 at 04:27
  • 1
    And this loophole has been closed in 10.3 beta. :( – DrMickeyLauer Mar 03 '17 at 08:40
  • @DrMickeyLauer, seems like :( – blganesh101 Mar 24 '17 at 18:43