Detect/Stop Spoofing of Location possible in iOS sdk?
C

6

7

I have an application in which users need to visit particular locations. When a user is near one of these locations, a form opens for them to fill in. I suspect that some users are spoofing their current location (using another application) and filling in the form at home, in other words fooling my application.

I searched the Apple store and there is no application available for GPS spoofing, nor any application which can spoof location coordinates for other applications on the iOS device.

I googled it and found that spoofing is possible on jailbroken devices, and that some applications are available on the Cydia store, like "akLocationX", "Fake Location" etc. Below is an article on this.

http://www.addictivetips.com/ios/easily-fake-iphone-current-location-aklocationx/

Could anyone help me: how can I stop this location spoofing on jailbroken devices?

Cheremkhovo answered 7/1, 2014 at 8:7 Comment(2)
Possible duplicate of #16083854 - Nitty
Are you sure some users are spoofing their location provided to the application? Are you sure they are not exploiting your application's web API directly? - Hb
T
3

The other posters are correct; one great way to check is to verify whether the device is jailbroken.

But, even if the device isn't jailbroken, it is still possible to fake the GPS location with a nearby GPS transmitter. So let's assume (although it is highly unlikely), that your user has this.

Technically, it is possible to detect if the GPS location is fake or not. However, your ability to do so depends on whether the person faked other information as well, such as nearby Wifi networks or their external IP (such as by using a VPN).

Reference: GPS Jamming Devices

Method A - Wifi

You can detect the wireless networks nearby, then look up their locations and compare them to the one reported by your GPS. There are a couple of issues, however.

Keep In Mind

  • You must maintain network access to the internet.
  • You must use private APIs to do this, which are not approved for usage by apps within the AppStore, so you would never be able to publish it there.
  • Wifi must be enabled on the device and your app doesn't have any control to enable or disable it.
  • The GPS location of the Wifi hotspot may not be accurate, but is often more accurate than that obtained from a device's internet IP such as in method B.


Method B - Your device IP

You can connect to an online service which returns your location information based on your IP. You can then compare this to the GPS location which you were provided.

This will get through the app store review process, however...

Keep In Mind

  • You must maintain network access to the internet.
  • Your device IP may be through a VPN, which may report a location other than the one the device actually exists in.
  • The GPS location information for the device's internet IP may not be accurate.
  • You can't rely on your device's current network IP, you must query it from an internet source. This is because your device may exist behind a firewall, gateway, or other network barrier.
  • Your device IP location will NOT be very accurate, you could confirm a city/state in most cases, but any finer detail isn't likely to be accurate.


Ticknor answered 26/12, 2016 at 9:26 Comment(0)
N
5

Based on another StackOverflow question (Identify jailbroken device from iOS application), you can detect if your app is running with some known jailbreak tools, and take an alternate code path, such as disabling that part of your app (but do not exit or crash your app, as that may cause your app to fail AppStore testing).

As for always getting the real location, you can't really - your app can only run in the environment it has - if the environment is a jailbroken iPhone, and a hack running in that environment causes the geolocation API to report its location is on Tatooine or Atlantis, then that's what your app will get. Next best option is to try detecting jailbroken devices (as above) and change your app's behaviour.

Nitty answered 7/1, 2014 at 8:27 Comment(2)
I do not want to restrict users from running the application on jailbroken devices. Can we detect the application which is spoofing the location? Can we disable those from spoofing the location, or do we have any field in the settings by which we can know if the location spoofing has been performed by an application? - Cheremkhovo
From the point of view of your app, there is just the results of the provided SDK. Whether the results of that call are "real" or "fake" is not possible to tell from your app's point of view. - Nitty
D
5

Starting from iOS 15 Apple provided a public API to address this challenge.

CLLocation exposes its source in a property called sourceInformation of type CLLocationSourceInformation

And, CLLocationSourceInformation has a property called isSimulatedBySoftware

Dace answered 6/12, 2021 at 21:10 Comment(1)
Amazing little API! Thank you for sharing - Hibiscus
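How the property named in this answer can be read from a location delegate, as an added example that is not part of the answer and not Apple's sample code. `LocationTrust`, `classify`, `SpoofAwareLocationDelegate` and `shouldOpenForm` are hypothetical names, and the accept/reject policy at the end is an assumption about what the asker's app would want.

```swift
import CoreLocation

/// Hypothetical classification of one fix (illustrative names, not Apple's).
enum LocationTrust {
    case noSimulationFlag     // source information present, neither flag set
    case simulatedBySoftware  // isSimulatedBySoftware == true
    case producedByAccessory  // isProducedByAccessory == true
    case unknown              // iOS < 15, or sourceInformation was nil
}

/// Reads CLLocation.sourceInformation where the OS provides it.
func classify(_ location: CLLocation) -> LocationTrust {
    guard #available(iOS 15.0, *) else { return .unknown }
    // The property is optional: a fix can arrive without source information.
    guard let source = location.sourceInformation else { return .unknown }
    if source.isSimulatedBySoftware { return .simulatedBySoftware }
    if source.isProducedByAccessory { return .producedByAccessory }
    return .noSimulationFlag
}

/// Hypothetical delegate that forwards each fix with its classification.
final class SpoofAwareLocationDelegate: NSObject, CLLocationManagerDelegate {
    var onFix: ((CLLocation, LocationTrust) -> Void)?

    func locationManager(_ manager: CLLocationManager,
                         didUpdateLocations locations: [CLLocation]) {
        guard let latest = locations.last else { return }
        onFix?(latest, classify(latest))
    }
}

/// Assumed policy: refuse only fixes the system itself marks as simulated.
/// A cleared flag is not proof that the fix is genuine, so the classification
/// is best sent along with the form for server-side review as well.
func shouldOpenForm(for trust: LocationTrust) -> Bool {
    switch trust {
    case .simulatedBySoftware:
        return false   // take an alternate path in the UI; do not exit or crash
    case .noSimulationFlag, .producedByAccessory, .unknown:
        return true
    }
}
```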
E
3

To spoof a location, it's not even needed to jailbreak the device. It can be simply done in Xcode by running an app with a simulated location. I don't think it makes sense to detect this spoofing in the first place.

Ellamaeellan answered 7/1, 2014 at 23:53 Comment(6)
Are you able to install any app from the App store in the simulator? I didn't think so. - Qualifier
I'm not talking about the simulator. When debugging an app on the device, Xcode allows you to simulate the location. This location simulation is not app-wide but device-wide. - Ellamaeellan
@Ortwin Can we detect the application which is spoofing the fake current location? Can we disable this app from spoofing the location, or do we have any field in the settings by which we can detect if the location spoofing has been done by an application? - Cheremkhovo
Saurabh, the answer to all questions is No. At least there's no public API for that. - Ellamaeellan
So you are saying that if you are debugging your own app and set a location, and then launch FourSquare, FourSquare will see the simulated location. Is there a way for FourSquare to detect that the phone is in debug mode? - Qualifier
Καrτhικ, yes. I don't think there's any way for Foursquare to detect this. - Ellamaeellan
T
2

Sounds scary for an app :)

Anyway, there is now a proper way of dealing with this: iBeacon (dev doc here).

The basic principle is this:

  • Set up physical beacon devices at the location that the users need to be
  • Use CLBeaconRegion to monitor the proximity to these beacons (the beacons use Bluetooth Low Energy to communicate with the iOS device)
  • This might be trickier to fake (as the user will at least need to reverse-engineer one of the beacons), but I don't think they are cryptographically secure so it is still possible to fake it
  • Even if you roll your own crypto-beacon, a user could always steal one of your beacons :)
Transmute answered 8/1, 2014 at 0:13 Comment(0)
C
0

This is a tricky issue. It is unlikely that you can prevent spoofing 100%, because it is up to the client to inform the server of their location.

There is one way to reduce the spoofing (not eliminate it completely): validating the IP address of users against a geolocation database on the server. You can make sure the user is really based in a city.

Consumable answered 8/1, 2014 at 0:1 Comment(0)
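The comparison described in this answer and in Method B of Ticknor's answer, as an added example that is not code from either answer. `IPGeoEstimate`, `Plausibility`, `comparePlausibility` and the 50 km slack are assumptions; the IP lookup itself is left out because the page names no service, and the coordinates in `demo()` are constructed.

```swift
import CoreLocation

/// Hypothetical result of an IP geolocation lookup (service not named on the page).
struct IPGeoEstimate {
    let coordinate: CLLocationCoordinate2D
    let accuracyRadiusMeters: CLLocationDistance  // city-level, so tens of km
}

enum Plausibility {
    case consistent    // reported fix lies inside the area the IP maps to
    case mismatch      // a signal for review, not proof: VPNs cause this too
    case inconclusive  // no usable IP estimate or no valid fix
}

/// Coarse check only: IP geolocation can confirm a city or state, never
/// presence at a specific site, so the tolerance is deliberately wide.
func comparePlausibility(gps: CLLocation,
                         ip: IPGeoEstimate?,
                         slackMeters: CLLocationDistance = 50_000) -> Plausibility {
    guard let ip = ip,
          CLLocationCoordinate2DIsValid(ip.coordinate),
          gps.horizontalAccuracy >= 0   // a negative accuracy marks an invalid fix
    else { return .inconclusive }

    let ipPoint = CLLocation(latitude: ip.coordinate.latitude,
                             longitude: ip.coordinate.longitude)
    let distance = gps.distance(from: ipPoint)  // metres
    let allowed = ip.accuracyRadiusMeters + gps.horizontalAccuracy + slackMeters
    return distance <= allowed ? .consistent : .mismatch
}

/// Constructed sample values: a fix reported in Paris against an IP estimate
/// near Paris, then against one near Berlin.
func demo() -> [Plausibility] {
    let fix = CLLocation(latitude: 48.8566, longitude: 2.3522)
    let nearby = IPGeoEstimate(
        coordinate: CLLocationCoordinate2D(latitude: 48.90, longitude: 2.30),
        accuracyRadiusMeters: 20_000)
    let farAway = IPGeoEstimate(
        coordinate: CLLocationCoordinate2D(latitude: 52.52, longitude: 13.405),
        accuracyRadiusMeters: 20_000)
    return [comparePlausibility(gps: fix, ip: nearby),   // .consistent
            comparePlausibility(gps: fix, ip: farAway),  // .mismatch
            comparePlausibility(gps: fix, ip: nil)]      // .inconclusive
}
```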
