Detect or prevent if user uses fake location

android gps location google-api-client
Phan Van Linh picture Phan Van Linh · Mar 3, 2017 · Viewed 50k times · Source

I will block a user from using my app if they fake the location. So I use isFromMockProvider to check if the location is fake (follow here). But isFromMockProvider() may return false for faked locations in some cases.

public void onLocationChanged(Location location) {
    textView.append("long:"+location.getLatitude()+" - lat:"+location.getLongitude()+" - isMock :"+location.isFromMockProvider() + "\n");
}

My case is: I use app Fake GPS location for fake to a location then I disable fake location and go to my app. Then the onLocationChanged returns the fake location with isFromMockProvider() = false

Video recorder: https://www.youtube.com/watch?v=rWVvjOCaZiI (in this video, my current location is 16.06, 108.21, the fake location is 36.26,138.28. You can see in last video the location is 36.26,138.28 but isFromMockProvider=false)

Is there any way to detect if a user uses a fake location in this case? Any help or suggestion would be great appreciated.
DEMO project

Answer

Douglas Daseeco picture Douglas Daseeco · Mar 13, 2017

Risking a Realistic Answer

I'd like to provide an answer that helps the developer understand the public relations aspect of product design, taking the risk of criticism. Frankly, one cannot write great apps in a computer science vacuum. Satisfying user needs and balancing them with security is one of the primary issues in software interface and behavioral design today, especially in the mobile space.

From this perspective, your question, "Is there any way to detect if a user uses a fake location in this case?" may not be the most pertinent question you face. I'm not being evasive by asking this other question that may help you more and it is something I can answer well: "Is there any way to securely get the data from the user's device's geocoordinate firmware such that it cannot be spoofed?"

The answer to this one is, "No."

Android HTTP Client Contract

It is not part of the Android client-server contract or that of its competitors to guarantee user device location information.

Practical Reason

There is actually a market force that will probably push against such a guarantee indefinitely. Many device owners (and your users) want control over whether people know their true location for privacy and home and family security reasons.

Solution

The next question you can ask yourself as a designer of your software is, "How can the app or library work and provide for the needs I seek to fill with a certain percentage of the user community using today's (or tomorrow's) location spoofing software?"

If you are writing business intelligence software or there is some other statistical aspect to your system, then you need the software equivalent of error bars. If you display the stats, then the error bars would be an appropriate graphing feature. Estimating the percentage of location spoofers out of a population of users would require further study.

Related questions

How do I get the current GPS location programmatically in Android?

I need to get my current location using GPS programmatically. How can i achieve it?

Read More
How to mock location on device?

How can I mock my location on a physical device (Nexus One)? I know you can do this with the emulator in the Emulator Control panel, but this doesn't work for a physical device.

Read More
Get GPS location via a service in Android

I need to monitor user's locations using a background service, and then load them and show the path to the user. Using an activity, it was quite easy to get GPS locations, but when I got to do it via …

Read More