30

Some apps like Foursquare require the user to "check in" at physical places, in order to gain money benefits.

Given that emulated GPS are available for customized versions of Android, it sounds easy to trick such apps.

Given the monetary incentives, I am sure many people have tried, so how do apps prevent GPS cheating?

Nicolas Raoul
  • 1,276
  • 2
  • 12
  • 17
  • 4
    I've never seen anyone 'gaining money' by checking in on foursquare. Can you elaborate this? – mhr Aug 12 '14 at 06:02
  • You can get sometimes get a discount or other benefit after checking in many times (roughly), which is a kind of money benefit. – Nicolas Raoul Aug 12 '14 at 06:04
  • 2
    And there are competitions that are location based. And location based alibis could be of value to criminals... – Rory Alsop Aug 12 '14 at 11:51
  • 1
    @RoryAlsop, In terms of legal alibis, most law enforcement departments have a digital forensic unit that can generally uncover the true location of a suspect. Moreover, with a warrant, LE can bypass the phone and just look at cell tower usage. Bottom line, unless you are good (real good), I wouldnt try any of this in court. – Matthew Peters Aug 12 '14 at 12:51
  • Matthew - too bad it's much easier to spoof and commit fraud this way than to prove it was fraud :-( – Rory Alsop Oct 29 '16 at 21:32
  • "spoofing" of data sent by clients is fundamentally impossible to *prevent*, it's better to not take any location data from clients as a proof of anything. Even if the environment is an iOS-like jail, someone will probably crack it and regain freedom to modify any code on client side. – Display Name Jun 25 '17 at 14:07
  • GPS spoofing is mostly catched by observing patterns. For example you can get banned from geo location based games if you move faster than a fast vehicle. – eckes Dec 09 '17 at 06:59

5 Answers5

26

There are many ways to track user's location on a mobile device (I will go into how that works later).

None of the tracking methods are particularly easy to spoof. It can be done but it is simply outside of the realm of the average user as it generally requires either a modified device (physically or programmatically) or external gear.

Moreover, it is far easier for developers to simply tie multiple forms of tracking with simple logic (IE you can only 'check in' x number of times within timeframe y) than it is for a hacker to spoof an app like foursquare and get that 5% discount on dinner. Once again, it can be done, but [my theory is] so far it is not economical to hackers.

As promised, here are a few of the big technologies leveraged in geographic tracking:

  • GPS Reporting. This is probably most familiar to you. It is the most 'expensive' report because it requires relatively large amounts of power to read several GPS satellites. A pure GPS system is rarely used on mobile devices today. GPS devices can be spoofed programmatically (by changing the software's call to the GPS driver's position) even without modifying a device at all (as seen here).
  • GSM Reporting. This is perhaps the most common way your location is tracked through the day while you are moving around. The concept is simple. Your phone, with normal messages to the cell towers nearby, triangulates your position at a given time. This method is extremely hard to spoof without external hardware or seriously altering your phone's functionality (IE if you spoof a cell tower then yes you are 'not tracked' geographically, but you also cannot make phone calls). Additionally, cell traffic is encrypted. You could potentially spoof the access point where the apps software talks to the phone's cell tower data driver, but that is also difficult to say the least.
  • LAN Reporting. This is a pretty cool concept because it provides high levels of accuracy indoors (something that has traditionally been an issue). This requires much setup but at a minimum would allow apps to talk to registered wifi hotspots to confirm your location based on which wifi you are connected to. This is theoretically possible to spoof but it would largely depend on the levels of encryption for the legitimate connection's signature.
  • WAN Reporting. This is nothing more than simple IP address reporting. This is perhaps the easiest to spoof, but I put it in here for completeness as it is very common to mobile friendly sites.
  • Others (Bluetooth, RFID, Inertial nav, experimental, etc) There are quite a few other methods out there. One of my favorites is Inertial Navigation where there are no external transmissions (thus potentially very difficult to spoof) as it uses internal sensors and map to ascertain your position. This is seen in missile guidance systems as well as some apps. Life360 for instance uses a variation of this as it uses very little power (all the sensors are already active).

Other things to remember:

  • Developers can leverage any number of these technologies, thus making an app even harder to spoof.
  • Most location data is stored on a mobile device (and sometimes in many places) until explicitly deleted. Thus a developer can (potentially) access previous location data points. So if you say you were at cafe mama's 20 times todays and the app simply talks to siri to find out your last geo-data point was 100 miles away, the app will wonder...
  • Law Enforcement would have far greater ability to determine your real location so just because you may have spoofed an app doesn't mean you should bet your life on it (some comments elsewhere suggested that you could use this spoofing nefariously, so I thought I'd toss this in here).
Addono
  • 3
  • 3
Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
8

For Ingress, Google's global wargame, a range of anti-spoofing measures are used. Google are keeping quiet about the full range, but two that have been demonstrated are:

  • Speed limitation: 40mph maximum allowed in game
  • Corroborating measures: cross referencing wifi SSID's received with their location database
Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • 3
    "cross referencing wifi SSID's received with their location database" You can find a lot of SSIDs in the [WiGLE](https://wigle.net/) map. And a sophisticated cheater can use it to spoof it. – Calmarius Oct 29 '16 at 21:28
  • 1
    SSID checking would require activated wifi. even if the application has permissions to activate it at software level, user has the power to physically shield it (faraday cage) and use an alternative external network adapter which is not wifi. Or root the device and force system to present all network interfaces as if they were cellular networks (thus no SSID lists) – Display Name Jun 25 '17 at 14:02
3

The short answer is that (as far as I'm aware) it isn't possible to perfectly stop location emulation on open platforms (e.g. Android). Other more restrictive platforms (e.g. non-jailbroken iOS/Windows Phone) don't tend to suffer as much from these problems as they don't allow users the same level of freedom in terms of the types of applications they can install.

What software vendors can do is try to reduce the impact and detect people mis-using this feature. As an example, one way of doing this might be to analyze the users positions and if they move too quickly, assume that they are using some form of GPS spoofing/emulation.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
  • Interesting! Making moves physically credible could be an easy feature to add to a GPS spoofer. But then OpenStreetMap data could be used to check whether people walk on top of buildings etc. – Nicolas Raoul Aug 12 '14 at 11:19
  • From what I've seen from gaming, it's generally used to avoid really egregious cheating (so for example moving from New York to San Francisco in 5 minutes), not by any means a perfect control and you'd need to watch for false positives but worth doing all the same.... – Rory McCune Aug 12 '14 at 11:41
  • in android, we easier to detect mock location is enable or not. if it open mock location, we could predict that they trying to cheat – Sruit A.Suk Feb 18 '16 at 08:36
1

The key is a challenge that is easy to answer for those who are at the place, and nearly impossible for those who aren't there.

For example a simple validation can be knowing the cell tower id and the available Wifi SSIDs at the place. If you have the phone at hand, the answer is easy and can be done from the program automatically, but if you are not there, it's hard to answer.

But after someone creates a map of it. It will be easy to spoof.

And I can't really imagine better way if the local property owners are not involved.

If the local property owners are involved, another way is putting a sticker or a small screen into the window of the shop with a keyword and tell the user to enter it to validate its location. The user need to be there to enter the correct word. To avoid the mapping problem the keyword can be changed frequently.

Calmarius
  • 1,905
  • 2
  • 12
  • 6
1

From my knowledge the way you spoof the locations is to :

1) Use developer mode with mock locations. There are ways of detecting that you are using developer mode so the developer can decide that the GPS is not to be trusted in this case. So they will use other ways of finding your location like wifi networks.

2) You can fake your position when your phone is rooted, without enabling the mock locations mode. Again, in some cases there are ways of detecting that the phone is rooted and again the developer can decide not to trust the GPS position.

Bear in mind that this is just a simple explanation. If you want to see how some people identify mock locations read this: https://stackoverflow.com/questions/6880232/disable-check-for-mock-location-prevent-gps-spoofing

Edit: It was brought to my attention that rooted devices might not be always so easy to detect or might not be detectable at all. So the second version might work when the root is undetectable.

Community
  • 1
sir_k
  • 719
  • 6
  • 14
  • 5
    "there are ways of detecting that the phone is rooted" I am pretty sure there are easy-to-install impossible-to-detect custom ROMs around. – Nicolas Raoul Aug 12 '14 at 11:12
  • @NicolasRaoul That's a fair point. I do not know to what extent rooted devices can be detected so I will edit my post. I know there is a range of security products that can be embedded into apps to detect such things. But again, I don't know exactly to what extent they work. If you have any statistics on this please do share as I'm quite interested in the topic now :D – sir_k Aug 13 '14 at 09:04