1

I'm designing a location-based service where reliability plays a role. I wish my users to know that the provided location of other users is real.

I researched mock locations a bit, and noticed in this thread the app LocationSpoofer. I don't have a rooted phone currently, but it states that when rooted it can mock locations even without the setting.

Is there any known way to protect against that? I could use some simple heuristic to verify that the user didn't travel from France to Hawaii in 30 minutes, but I would rather have complete protection.

Thanks ahead!

Community
  • 1
  • 1
SirKnigget
  • 3,614
  • 2
  • 28
  • 61

2 Answers2

1

Instead of a long comment:

"reliability plays a role"

As long as your provide reliable output for "reliable" input i think you will be OK without having to handle 'spoofed' or fake input. In case you have data stored in persistent storage you could handle cases for 'suspicious' data.

That is define and apply scenarios on your data to identify cases like "the user traveled from France to Hawaii in 30 minutes", and handle such cases in an appropriate way. Or you could even reject data that are not realistic.

Andreas
  • 5,305
  • 4
  • 41
  • 60
  • Yeah already thought about it... The question was more about how to completely protect your location reliability in a technical sense - to be protected from LocationSpoofer for example. – SirKnigget Mar 09 '11 at 13:18
0

From a security point of view you should assume that any data coming from a client-side validation process cannot be trusted. The data could be intentially, or unintentionally, modified and that is out of your direct control.

If you want to protect against location spoofing then I would recommend server side checks.

h3ky1
  • 61
  • 10