2

What algorithm or set of heuristics can a server and a mobile app use so that the server can always be fairly certain that the app is used within the boundaries of a given geographic region (e.g. a country)? How can the server ensure that app users outside of the defined region can not falsely claim that they are inside the region?

Jordan Dimov

3 Answers

1

You can't be 100% sure that the user isn't reporting a fake location; you can only make the process of faking it as difficult as possible. You should implement several checks depending on the data you have access to:

1) user's IP address (user can use a proxy)

2) device's gps coordinates (they can be spoofed)

3) the locale of the device (isn't a reliable indicator)

One of the most secure checks (but also not 100%) is sending the user an SMS with a confirmation code, which he has to type in the app.

One of the most sophisticated algorithms known to me is in Google Play (so some apps can be available only in certain countries). It checks such parameters as IP address, the user's mobile operator and several others, but there are tools (like Market Enabler) and techniques that can trick the system.

bzz
  • How does the SMS help to know whether he's in the country or not? – Jordan Dimov Jan 29 '15 at 10:55
  • @JordanDimov You can send confirmation codes only to numbers starting with the specific country code. It should be done one time when activating the user account. That way you can be sure that every user is in possession of an active SIM card from that specific country. Although a user can travel to that country and get a local SIM card or ask someone from that country to receive a confirmation SMS, this confirmation can greatly improve security (in the case when other checks, like for IP address, are implemented during every connection). – bzz Jan 29 '15 at 15:46
1

If you don't want to use Google Play or other ways, the best way (I say best because, first, it costs nothing performance-wise and cost-wise; secondly, it is easy to use; and thirdly, you need it anyway if you expect a large number of users: it provides nice tools and static cache, optimizer, analytics, user blocking, country blocking etc.) is to use Cloudflare.

Once you sign up for a free Cloudflare account, you can set up your server's public IP address there so that all traffic is coming through the Cloudflare proxy network.

After that everything is pretty straightforward; you can install the Cloudflare module on your server.

In your app, you can get the country code of the visitor in the global server request variable HTTP_CF_IPCOUNTRY, for example `$_SERVER['HTTP_CF_IPCOUNTRY']` in PHP. It will give you AU for Australia (ISO 3166-1 country codes). It doesn't matter what language you use.

Cloudflare's IP database is frequently updated and seems very reliable for detecting the user's geolocation without performance overhead.

You also get free protection from attacks, free cache and CDN features for fast loading, etc.

I had used several other ways but none of them was quite reliable.

If your app runs without a server, you can still put a file on a server and make a call to the remote URL to get the country of the user at each request.

Selay
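As an added example (not code from either answer), this is one way a server could combine the Cloudflare country header from this answer with the SMS-verified phone number from the first answer. It trusts `CF-IPCountry` only when the TCP peer is inside the proxy's address ranges, because a client that reaches the origin directly can set that header itself. The function names, the plain-dict headers and the placeholder proxy range are assumptions; `XX` and `T1` are the values Cloudflare uses for unknown and Tor clients.

```python
import ipaddress

# Assumption: placeholder proxy range (RFC 5737 documentation block).
# In production, load the proxy provider's published edge ranges instead.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_COUNTRY = "AU"        # ISO 3166-1 alpha-2, as in the answer's example
ALLOWED_DIAL_PREFIX = "+61"   # calling code of the same country


def ip_country(peer_ip, headers):
    """Return the proxy-reported country, or None if it cannot be trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        # Direct connection to the origin: the header is client-controlled.
        return None
    code = headers.get("CF-IPCountry", "").upper()
    if code in ("", "XX", "T1"):  # missing, unknown, or Tor exit
        return None
    return code


def region_decision(peer_ip, headers, verified_phone):
    """Combine both signals into 'allow', 'review' or 'deny' (fail closed)."""
    country = ip_country(peer_ip, headers)
    phone_ok = bool(verified_phone) and verified_phone.startswith(ALLOWED_DIAL_PREFIX)
    if country is None:
        return "deny"
    if country == ALLOWED_COUNTRY and phone_ok:
        return "allow"
    if country == ALLOWED_COUNTRY or phone_ok:
        # Signals disagree: e.g. a local SIM used abroad, or a proxy/VPN
        # in the region without a verified local number.
        return "review"
    return "deny"
```

Blocking direct access to the origin at the firewall, so that only the proxy ranges can connect, makes the peer-address check redundant but is still worth keeping as a second layer.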
0

Apart from the things that @bzz mentioned, you can read the Wi-Fi SSID of the user's Wi-Fi networks; services like http://www.skyhookwireless.com/ provide an API (I think with browser plugins, I am not sure) which you can use to get the location by submitting the Wi-Fi SSID. If you need the user to be within a specific region all the time when using the app, you'll probably end up using all the options together; in case you just need a one-time check, the SMS-based approach is the best one IMO.

For accessing the Wi-Fi SSID, refer to this; still, you cannot be 100% sure.

Community
Kamal