4

Here is my problem:

I have a mobile app, and I want to give the user some information depending on their position (think something like FourSquare). But how can I make sure the user's position is real?

I mean, let's say the client makes a request to the server via HTTP:

http://www.myserver.com/getdata?lat=X&long=Y

A malicious user could easily modify the values.
So how can I make sure the values are accurate?

Ale_x
    Would you really like to have a mobile device that, at the request of any malicious server, had no choice but to transmit your coordinates to it? – Damien_The_Unbeliever Aug 17 '10 at 09:23
  • You may want to give a badge to users that identify cheaters :) (ie. delegate the problem to humans). – Daniel Vassallo Aug 17 '10 at 09:35
  • BTW: This may interest you: http://techcrunch.com/2010/02/16/foursquare-cheating/ – Daniel Vassallo Aug 17 '10 at 09:36
  • Much like the problem of Trusted Client, against the average user anything works, i.e. Base64 encode the data to throw them off, use cryptography, etc. But nothing you can do protects you against a skilled attacker. – Sami Koivu Aug 17 '10 at 12:59
  • @Damien_The_Unbeliever I think you're offering the wrong options. The device will always ask for permission to send the details. So basically, instead of choosing between correct or tampered coordinates, the choice is between correct ones or none at all. – Boris Callens Aug 17 '10 at 13:51

4 Answers

1

You cannot. As you've already figured out, the client can always manipulate the requests sent to the server.

The only thing you can do on the server side is to filter unlikely coordinates (for example on the sea, depending on the meaning of your coordinates).

JochenJung
1

You can always use PGP encryption built into the app, then send a packet to the server, which will decode the message, and you will know it was the program that sent the request.

So if the user wants to fake the coordinates he will need to hack your software that is on the phone to actually do that.

Hope that will give you some ideas...

On the other hand, you can issue a hash on first contact with the server (authentication or something like that) and have some simple math in your mobile application: `x*your_hash` and `y*your_hash` or something like that (it should be more complicated, as this is easy to guess).

Then the request to the server is: http://www.myserver.com/getdata?lat=x&lon=y

and on the server side of the app: `lat = lat/your_hash`, `lon = lon/your_hash`.

Now if the lat/lon is off the grid, so, as JochenJung said, somewhere in the sea, you can ignore the request. And because you want to identify which user has sent the request, you will need some identification on the query string, which can be used as an additional variable to create a better result.
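As an added example (not code from the question or from this answer), here is the kind of request-signing scheme this answer sketches, written in Python: the app computes an HMAC over the user id, the coordinates, a timestamp and a nonce with a secret compiled into the app, and the server recomputes the tag, checks the timestamp window and rejects reused nonces. The names `APP_SECRET`, `sign_request` and `Verifier` and the five-minute skew window are assumptions for the example. It stops casual editing of the URL and exact replays, but, as the thread repeatedly notes, anyone who extracts `APP_SECRET` from the app can sign whatever coordinates they like, so this is a hurdle, not proof of location.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set
from urllib.parse import parse_qsl, urlencode

# Hypothetical shared secret compiled into the mobile app. Anyone who unpacks
# the app can recover it, which is exactly the limitation the answer describes.
APP_SECRET = b"example-secret-embedded-in-app"
MAX_SKEW_SECONDS = 300  # assumed tolerance between phone clock and server clock
REQUIRED = {"user", "lat", "long", "ts", "nonce"}


def canonical_string(params: Dict[str, str]) -> str:
    """Sort the parameters so client and server MAC exactly the same bytes."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()))


def sign_request(user_id: str, lat: float, lon: float,
                 ts: Optional[int] = None, nonce: Optional[str] = None) -> str:
    """Client side: build the query string the app sends, including an HMAC tag."""
    params = {
        "user": user_id,
        "lat": f"{lat:.6f}",
        "long": f"{lon:.6f}",
        "ts": str(ts if ts is not None else int(time.time())),
        "nonce": nonce if nonce is not None else secrets.token_hex(8),
    }
    tag = hmac.new(APP_SECRET, canonical_string(params).encode(), hashlib.sha256)
    params["sig"] = tag.hexdigest()
    return urlencode(params)


class Verifier:
    """Server side: checks the tag, the timestamp window and nonce reuse."""

    def __init__(self, max_skew: int = MAX_SKEW_SECONDS) -> None:
        self.max_skew = max_skew
        self.seen_nonces: Set[str] = set()  # in production: a store with expiry

    def verify(self, query: str, now: Optional[int] = None) -> bool:
        params = dict(parse_qsl(query, keep_blank_values=True))
        sig = params.pop("sig", None)
        if sig is None or not REQUIRED <= params.keys():
            return False
        expected = hmac.new(APP_SECRET, canonical_string(params).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False  # lat/long (or anything else) was edited after signing
        try:
            ts = int(params["ts"])
        except ValueError:
            return False
        now = now if now is not None else int(time.time())
        if abs(now - ts) > self.max_skew:
            return False  # stale or future-dated: limits how long a capture is useful
        if params["nonce"] in self.seen_nonces:
            return False  # exact replay of an earlier signed request
        self.seen_nonces.add(params["nonce"])
        return True


if __name__ == "__main__":
    v = Verifier()
    q = sign_request("alice", 48.8584, 2.2945)
    print(q)
    print("genuine:", v.verify(q))
    print("tampered:", v.verify(q.replace("lat=48.858400", "lat=0.000000")))
```

The server never trusts the coordinates themselves; it only learns that the request was produced by something holding `APP_SECRET`. A decompiled app, a patched app, or a phone whose location provider is spoofed all satisfy that test, which is why the other answers call this obfuscation rather than a solution.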

0

Someone could trick/fake the phone into setting the GPS coordinates to somewhere else. As @JochenJung says, it is always possible to change the request.

cofiem
0

I have been thinking about the same thing, but fear it is impossible. Some ideas I had:

  • Add some kind of hash of the coördinates to the request that you can check server side too. This requires the client to know about the encryption algorithm (and key), and again makes it hackable.
  • Check if the time between the previous request and now allows for that kind of location change. Rather hard, because you can never know whether the first request wasn't a fraud either, and you don't know what kind of transport the client might be using.
Boris Callens
  • yes I was thinking about encrypting it with a shared secret key. But then the key will be on the client, which would be completely hackable... – Ale_x Aug 17 '10 at 09:39
  • Thus far the best I could come up with is obfuscation. But that's not really a solution – Boris Callens Aug 17 '10 at 09:47
  • The problem is that even if you could make the URL be true to the actual GPS measurements, it is still possible to fake the actual GPS measurements. – Boris Callens Aug 17 '10 at 09:50
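The two server-side checks proposed in this thread, JochenJung's "filter unlikely coordinates" and this answer's "does the time since the last request allow this much movement", can be combined into one plausibility filter. The following Python is an added example, not code from any of the answers; `PlausibilityFilter`, the 1000 km/h ceiling and the per-user in-memory store of the last accepted fix are assumptions chosen for illustration. It rejects coordinates outside the valid latitude/longitude range, fixes whose timestamp goes backwards, and fixes that would imply an impossible speed since the previous accepted fix (great-circle distance via the haversine formula).

```python
import math
from dataclasses import dataclass
from typing import Dict, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0   # assumed ceiling: roughly airliner speed
MIN_INTERVAL_S = 1       # floor on dt so burst requests do not divide by ~0


@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    ts: int  # unix seconds, as seen by the server, not as claimed by the client


def in_range(lat: float, lon: float) -> bool:
    """Reject values that cannot be a position at all (e.g. lat=999)."""
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes on a spherical Earth."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


class PlausibilityFilter:
    """Per-user sanity check on reported positions. Catches sloppy spoofing,
    not a careful attacker who walks his fake coordinates at a believable pace."""

    def __init__(self, max_speed_kmh: float = MAX_SPEED_KMH) -> None:
        self.max_speed_kmh = max_speed_kmh
        self.last_fix: Dict[str, Fix] = {}  # in production: a store with expiry

    def check(self, user: str, fix: Fix) -> Tuple[bool, str]:
        if not in_range(fix.lat, fix.lon):
            return False, "coordinates out of range"
        prev = self.last_fix.get(user)
        if prev is not None:
            dt = fix.ts - prev.ts
            if dt < 0:
                return False, "timestamp earlier than previous fix"
            dist_km = haversine_km(prev, fix)
            speed = dist_km / (max(dt, MIN_INTERVAL_S) / 3600.0)
            if speed > self.max_speed_kmh:
                return False, f"implied speed {speed:.0f} km/h over {dist_km:.0f} km"
        # Note the caveat from the answer: the first fix for a user is taken
        # on trust, so a spoofer who starts fake stays consistent-looking.
        self.last_fix[user] = fix
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: Paris, then London three hours later, then Sydney an hour after that.
    f = PlausibilityFilter()
    for name, fix in [("paris", Fix(48.8566, 2.3522, 0)),
                      ("london", Fix(51.5074, -0.1278, 3 * 3600)),
                      ("sydney", Fix(-33.8688, 151.2093, 4 * 3600))]:
        print(name, f.check("alice", fix))
```

The filter uses the server's receive time, not a client-supplied timestamp, so the only input the attacker controls is the coordinate pair itself. A "somewhere in the sea" check in JochenJung's sense would be a further predicate in `check` backed by a land/venue dataset, which this example does not embed.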