Login/Register
How does some apps(wechat) ignore fake location and then detect the real one?
Asked Answered
androidlocationandroid-gps
F

6

11

I have installed a fake location app and set my location different. Then opened Google Maps and Wechat app,

  • Google Maps shows my location as what i set(fake)
  • Wechat app ignores fake location and detects real location (how?)

Then i wanted to prevent wechat analyze my previously received real locations and new fake location.

  • Uninstalled Wechat
  • Restarted my device
  • Set my location as fake
  • Installed Wechat again

But same result, it detects my real location.

I really want to understand how they do this. Any ideas?

What i have tried

  • Gps provider spoof
  • Network provider spoof
  • Fused location provider spoof
  • IP geolocation spoof
  • Gps provider spoof + IP geolocation spoof

UPDATE

Uses GPS even when disabled.

enter image description here

07-02 11:46:15.504 2346-2356/? D/LocationManagerService: request 434a7e28 gps Request[ACCURACY_FINE gps requested=+1s0ms fastest=+1s0ms] from com.tencent.mm(10173)

CONCLUSION

  • You can fake location on older versions of wechat(lower than 6.0)
  • Uses something like BaiduLocationSDK. It's not affected from any mock attempt through LocationManager and Fused provider.
  • I'm not sure but, seems like BaiduLocationSDK uses GPS through hardware level.
Figurant answered 11/5, 2016 at 23:48 Comment(5)
I wonder if it depends on the api the app uses to get location. Presumably the google maps will be using the google play api, like most apps that use location. It's possible the wechat is using the android location manager in the native sdk instead and maybe that is not affected by the fake location app. Give it a test.Chaotic
We can understand a received location is fake or real, there is no problem. The question is how wechat detects real location while LocationManager and FusedLocationProvider giving the pinned fake location.Figurant
Downvoter, whats wrong with this question ?Figurant
@Blackkara are you testing on API 23 device where removing test provider doesn't work? Does Wechat still detect your location while you're trying to fake it and actually moving (that is your fake location doesn't change but real does and Wechat can detect this)?Shortbread
@Shortbread i posted a second respond. Which responses indirectly your question too.Figurant
E
4

To check for fake location most applications look for GGA and GSV sentences in the NMEA (National Marine Electronics Association) data received by them. The fake location providers do not send NMEA sentences along with location, so this parameter can be used to
If they haven't received and GGA and GSV sentences in a threshold amount of time, say 100 seconds they red flag the current location provider.
This process is repeated till a valid set of NMEA sentences has been received and then the corresponding location is selected.

To retreive NMEA data LocationManager#addNmeaListener(GpsStatus.NmeaListener listener) is called and then in the listener

void onNmeaReceived(long timestamp, String nmea) {
    Log.d("Nmea Data",nmea);
}

for more info see adding a NmeaListener
the NMEA sentences, GGA and GSV look as follows

GGA - essential fix data which provide 3D location and accuracy data.

Sample : "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"

Where:
 GGA          Global Positioning System Fix Data
 123519       Fix taken at 12:35:19 UTC
 4807.038,N   Latitude 48 deg 07.038' N
 01131.000,E  Longitude 11 deg 31.000' E
 1            Fix quality: 0 = invalid
                           1 = GPS fix (SPS)
                           2 = DGPS fix
                           3 = PPS fix
                           4 = Real Time Kinematic
                           5 = Float RTK<br/>
                           6 = estimated (dead reckoning) (2.3 feature)
                           7 = Manual input mode>
                           8 = Simulation mode
 08           Number of satellites being tracked
 0.9          Horizontal dilution of position
 545.4,M      Altitude, Meters, above mean sea level
 46.9,M       Height of geoid (mean sea level) above WGS84 ellipsoid
 (empty field) time in seconds since last DGPS update
 (empty field) DGPS station ID number
 *47          the checksum data, always begins with *


GSV - Satellites in View shows data about the satellites that the unit might be able to find based on its viewing mask and almanac data. It also shows current ability to track this data. Note that one GSV sentence only can provide data for up to 4 satellites and thus there may need to be 3 sentences for the full information. It is reasonable for the GSV sentence to contain more satellites than GGA might indicate since GSV may include satellites that are not used as part of the solution. It is not a requirement that the GSV sentences all appear in sequence. To avoid overloading the data bandwidth some receivers may place the various sentences in totally different samples since each sentence identifies which one it is.

Sample:"$GPGSV,2,1,08,01,40,083,46,02,17,308,41,12,07,344,39,14,22,228,45*75"

Where:
  GSV          Satellites in view
  2            Number of sentences for full data
  1            sentence 1 of 2
  08           Number of satellites in view

  01           Satellite PRN number
  40           Elevation, degrees
  083          Azimuth, degrees
  46           SNR - higher is better
               for up to 4 satellites per sentence
  *75          the checksum data, always begins with *

Source : NMEAData

Embrace answered 30/6, 2016 at 19:50 Comment(3)
To check for fake location most applications look for GGA and GSV sentences in the NMEA (National Marine Electronics Association) data received by them : Also GPRMC. But this is not a proper way. Because some devices don't send these sentences (or any of them) For example my test device (samsung galax s3) only sends $PGLOR sentence without spoofing.Figurant
The fake location providers do not send NMEA sentences along with location : That's okay, when you spoof gps, then no sentence will be received.Figurant
This process is repeated till a valid set of NMEA sentences has been received and then the corresponding location is selected. : Even they flag the current provider as spoofed(GPS), there is no way to receive nmea sentence after spoofing. Also, means no way to get location.Figurant
D
4

Some 3rd party location sdk like BaiduLocationSDK doesn't reflect the fake location setup by system.

It's for safety purpose.

Dues answered 1/7, 2016 at 19:57 Comment(10)
Wechat uses Baidu that's right. Sadly, seems like not possible to spoof Wechat. Am I right ?Figurant
This doesn't answer how they do it. What Android APIs this BaiduLocationSDK is using?Shortbread
@Shortbread There is no English documentation about BaiduLocationSDK, but i saw a few Chinese blogs explains how it receive locations. It does not use LocationManager(or fused provider) to receive locations. It uses H.A.L(Hardware abstraction layer), directly communicates GPS hardware instead of android API's. This is why Wechat not affected from any spoofing through LocationManager.Figurant
So, if it's possible to spoof GPS on hardware level, then means we are able to spoof BaiduLocationSDK and Wechat too.Figurant
My guess was that NMEA is HAL (it looks pretty low level). I couldn't find any other API in the docs.Shortbread
@Shortbread Yes, you were right about Nmea option, its low level. But when spoofing GPS, nmea listener is never fired. BTW, what about spooning at HAL. Is it possible ?Figurant
wiki.lbsyun.baidu.com/cms/androidloc/doc/v6_0_3/doc/index.html, so, there is an api in BaiduLocationSDK to ;enableSimulateGps'. I guess Wechat enables it debug or some secret pages of release build.Dues
@duanbo1983 I've tried. It's app specific. Means, when you set this option true, mock locations will be received only in your app. Not whole android system.Figurant
Yes, exactly. The app which leverages BaiduLocationSDK controls the behavior.Dues
So, are we exactly unable to spoof BaiduLocationSDK ?Figurant
S
3

The reason I was asking the questions in the comments is that I was hoping you tested how Wechat responds to different conditions.

There are a couple of other ways to detect device location which TestProvider shouldn't affect AFAIK. This needs testing but here are some ideas:

Edit: added Telephony manager option.

Shortbread answered 25/6, 2016 at 21:3 Comment(4)
getLastKnownLocation(String provider) : While continuously spoofing GPS and NETWORK providers, getLastKnownLocation(String provider) method returns mock locations for each provider, also onLocationChanged callback method gives the mock location. When i look the google maps app, it show mock location, but wechat detects my real location. IP address geolocation : Also while doing first approach, at same time, i spoofed the ip address via a VPN application. For example i changed to ip Singapure. But wechat stil detects my real location.Figurant
GPS NMEA listener : I did not test this. But it's source is GPS, and i already spoofing the GPS Provider. So nothing differs. Nmea string will include values of my mock location.Figurant
@Blackkara have you tried actually physically moving with the device while spoofing the location? Does Wechat correctly track while you're moving? How precise is Wechat location? If it's country-level you can use Telephone Manager (see my edited answer). I think NMEA listener deserves a test, it might be on a different level and not spoofable.Shortbread
How precise is Wechat location? : It pinpoints my real location perfectly while google map showing my location mock, so TelephonyManager option will not be a cure. Timur, when you spoof GPS provider (or other any), it effects whole android system. not only application specific AFAIK. I dont think, but i will use NMEA option.Figurant
F
2

@Bona Fide

Then you can remove the TestProvider from the LocationManager and get the actual location.

Even wechat would use this approach before requesting location updates, to avoid providers being spoofed by other applications, like something below

// HERE WECHAT APP
// WECHAT REMOVES THEM IF ANY (just supposition)
locationManager.removeTestProvider(LocationManager.GPS_PROVIDER);
locationManager.removeTestProvider(LocationManager.NETWORK_PROVIDER);

// WECHAT REQUESTING LOCATION UPDATES
// ....

So this approach causes throwing a IllegalArgumentException on the location faker app. Even in that case, i can easily handle this issue and continue spoofing GPS and NETWORK providers again,

// HERE LOCATION FAKER APP
// LOCATION FAKER APP SETS FAKE LOCATIONS 
while (mRunning){
    try {
        locationManager.setTestProviderLocation(LocationManager.GPS_PROVIDER, gpsLocation);
    } catch (IllegalArgumentException e){
        locationManager.addTestProvider(LocationManager.GPS_PROVIDER, false, false, false, false, false, true, true, 1, 1);
        locationManager.setTestProviderEnabled(LocationManager.GPS_PROVIDER, true);
    }

   try {
        locationManager.setTestProviderLocation(LocationManager.NETWORK_PROVIDER, networkLocation);
    } catch (IllegalArgumentException e){
        locationManager.addTestProvider(LocationManager.NETWORK_PROVIDER, false, false, false, false, false, true, true, 1, 1);
        locationManager.setTestProviderEnabled(LocationManager.NETWORK_PROVIDER, true);
    }

    gpsLocation.setTime(System.currentTimeMillis());
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
        gpsLocation.setElapsedRealtimeNanos(SystemClock.elapsedRealtimeNanos());
    }

    networkLocation.setTime(System.currentTimeMillis());
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
        networkLocation.setElapsedRealtimeNanos(SystemClock.elapsedRealtimeNanos());
    }

    try {
        Thread.sleep(500);
    } catch (Exception e) {}
}

Everything works perfectly but out of WECHAT

Figurant answered 25/6, 2016 at 10:56 Comment(0)
R
1

Fake locations are possible if ALLOW_MOCK_LOCATION is set and a TestProvider is added to the LocationManager. To get the real location you need to do these two steps:

  • Detect if MockSettings are enabled and whether there are Apps installed how could fake the location.
  • Then you can remove the TestProvider from the LocationManager and get the actual location.

Checkout Jambaaz answer to get an example how this works in code.

Note: To remove an TestProvider you need the Permission android.permission.ACCESS_MOCK_LOCATION and ALLOW_MOCK_LOCATION is now deprecated since API 23. You can now check if the Location is from a TestProvider directly from Location.isFromMockProvider()

Rumery answered 12/5, 2016 at 6:42 Comment(3)
I wanna tested Jambaz's answer. But, removeTestProvider() method requires android.permission.ACCESS_MOCK_LOCATION permission. Have you ever tested this ?Figurant
Yes, sadly it needs this permission. I didn't try it myself but it should work technically and it did for Jambaaz.Rumery
I did test all reasonable ways about spoofing location, but i'm out of luck about wechat. In my second post, i'v explained how to overcome jambaaz answer.Figurant
P
0

I have managed to spoof location with wechat and zalo, both seem just as difficult.

I would load a mock location and fake gps app. set my location. check maps and see it's correct, can even move around the world and it's working.

But wechat and zalo don't agree, they say I am in my basement lol.

THEN I uninstall fake gps app (might be able to force stop and disable) and go to wechat and clear location etc and try again and often it will move me to faked gps location. It won't stay that way after closing the wechat app though. it is temporary.

It might not be easy to do but might give someone a hint or path to look at.

Pallua answered 17/9, 2018 at 5:2 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.