How do location-based apps avoid getting cheated by emulated GPS?

  • Some apps like Foursquare require the user to "check in" at physical places, in order to gain money benefits.

    Given that emulated GPS are available for customized versions of Android, it sounds easy to trick such apps.

    Given the monetary incentives, I am sure many people have tried, so how do apps prevent GPS cheating?

    I've never seen anyone 'gaining money' by checking in on Foursquare. Can you elaborate on this?

    You can sometimes get a discount or other benefit after checking in many times (roughly), which is a kind of money benefit.

    And there are competitions that are location based. And location based alibis could be of value to criminals...

    @RoryAlsop, In terms of legal alibis, most law enforcement departments have a digital forensic unit that can generally uncover the true location of a suspect. Moreover, with a warrant, LE can bypass the phone and just look at cell tower usage. Bottom line, unless you are good (real good), I wouldn't try any of this in court.

    Matthew - too bad it's much easier to spoof and commit fraud this way than to prove it was fraud :-(

    "Spoofing" of data sent by clients is fundamentally impossible to *prevent*; it's better to not take any location data from clients as a proof of anything. Even if the environment is an iOS-like jail, someone will probably crack it and regain freedom to modify any code on client side.

    GPS spoofing is mostly caught by observing patterns. For example you can get banned from geo location based games if you move faster than a fast vehicle.

  • There are many ways to track a user's location on a mobile device (I will go into how that works later).

    None of the tracking methods are particularly easy to spoof. It can be done but it is simply outside of the realm of the average user as it generally requires either a modified device (physically or programmatically) or external gear.

    Moreover, it is far easier for developers to simply tie multiple forms of tracking with simple logic (i.e. you can only 'check in' x number of times within timeframe y) than it is for a hacker to spoof an app like Foursquare and get that 5% discount on dinner. Once again, it can be done, but [my theory is] so far it is not economical to hackers.

    As promised, here are a few of the big technologies leveraged in geographic tracking:

    • GPS Reporting. This is probably most familiar to you. It is the most 'expensive' report because it requires relatively large amounts of power to read several GPS satellites. A pure GPS system is rarely used on mobile devices today. GPS devices can be spoofed programmatically (by changing the software's call to the GPS driver's position) even without modifying a device at all (as seen here).
    • GSM Reporting. This is perhaps the most common way your location is tracked through the day while you are moving around. The concept is simple. Your phone, with normal messages to the cell towers nearby, triangulates your position at a given time. This method is extremely hard to spoof without external hardware or seriously altering your phone's functionality (i.e. if you spoof a cell tower then yes you are 'not tracked' geographically, but you also cannot make phone calls). Additionally, cell traffic is encrypted. You could potentially spoof the access point where the app's software talks to the phone's cell tower data driver, but that is also difficult to say the least.
    • LAN Reporting. This is a pretty cool concept because it provides high levels of accuracy indoors (something that has traditionally been an issue). This requires much setup but at a minimum would allow apps to talk to registered wifi hotspots to confirm your location based on which wifi you are connected to. This is theoretically possible to spoof but it would largely depend on the levels of encryption for the legitimate connection's signature.
    • WAN Reporting. This is nothing more than simple IP address reporting. This is perhaps the easiest to spoof, but I put it in here for completeness as it is very common to mobile friendly sites.
    • Others (Bluetooth, RFID, Inertial nav, experimental, etc.) There are quite a few other methods out there. One of my favorites is Inertial Navigation where there are no external transmissions (thus potentially very difficult to spoof) as it uses internal sensors and a map to ascertain your position. This is seen in missile guidance systems as well as some apps. Life360 for instance uses a variation of this as it uses very little power (all the sensors are already active).

    Other things to remember:

    • Developers can leverage any number of these technologies, thus making an app even harder to spoof.
    • Most location data is stored on a mobile device (and sometimes in many places) until explicitly deleted. Thus a developer can (potentially) access previous location data points. So if you say you were at cafe mama's 20 times today and the app simply talks to Siri to find out your last geo-data point was 100 miles away, the app will wonder...
    • Law Enforcement would have far greater ability to determine your real location so just because you may have spoofed an app doesn't mean you should bet your life on it (some comments elsewhere suggested that you could use this spoofing nefariously, so I thought I'd toss this in here).

    It actually is very easy to spoof a location under Android & iOS.
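
The pattern checks mentioned in this thread (a cap of x check-ins within timeframe y, and rejecting movement "faster than a fast vehicle" relative to the previous data point) can be combined in a server-side validator. This is an added example, not code from any of the posts or from Foursquare; the thresholds, the `CheckinValidator` class and the sample events are assumptions constructed for illustration.

```python
import math
from collections import defaultdict, deque

# Assumed policy values (not from the thread); tune per application.
MAX_SPEED_KMH = 300.0   # "faster than a fast vehicle"
MAX_CHECKINS = 3        # x check-ins ...
WINDOW_S = 3600         # ... within timeframe y (seconds)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

class CheckinValidator:
    def __init__(self):
        self.last_fix = {}                # user -> (ts, lat, lon) of last accepted check-in
        self.recent = defaultdict(deque)  # (user, venue) -> accepted timestamps

    def evaluate(self, user, venue, ts, lat, lon):
        """Return a list of rejection reasons; an empty list means accepted.
        ts must be the server's receive time, never a client-supplied value."""
        reasons = []
        prev = self.last_fix.get(user)
        if prev is not None:
            dt = ts - prev[0]
            if dt <= 0:
                reasons.append("non_monotonic_timestamp")
            elif haversine_km(prev[1], prev[2], lat, lon) / (dt / 3600.0) > MAX_SPEED_KMH:
                reasons.append("impossible_speed")
        window = self.recent[(user, venue)]
        while window and ts - window[0] >= WINDOW_S:
            window.popleft()              # drop check-ins older than the window
        if len(window) >= MAX_CHECKINS:
            reasons.append("rate_limit")
        if not reasons:                   # only accepted check-ins update state
            window.append(ts)
            self.last_fix[user] = (ts, lat, lon)
        return reasons

def run_demo():
    """Replay constructed check-ins: a Berlin cafe, then a Paris venue."""
    v = CheckinValidator()
    berlin, paris = (52.5200, 13.4050), (48.8566, 2.3522)
    events = [("cafe", 0, berlin), ("cafe", 600, berlin), ("cafe", 1200, berlin),
              ("cafe", 1800, berlin), ("bistro", 2400, paris), ("bistro", 15600, paris)]
    return [v.evaluate("alice", venue, ts, *pos) for venue, ts, pos in events]

if __name__ == "__main__":
    print(run_demo())
```

These checks only raise the cost of cheating: a spoofed client that reports plausible movement at a plausible rate passes both.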

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM