简体繁体 English

保护您的Android应用不受模拟位置的影响

[英]Protecting your Android app against mock locations

原文 2011-03-05 12:54:38 2 2 android/ geolocation/ location/ android-location

I'm designing a location-based service where reliability plays a role. 我正在设计一种基于位置的服务，可靠性在其中发挥作用。 I wish my users to know that the provided location of other users is real. 我希望我的用户知道其他用户提供的位置是真实的。

I researched mock locations a bit, and noticed in this thread the app LocationSpoofer . 我对模拟位置进行了一些研究，并在该线程中注意到了应用LocationSpoofer 。 I don't have a rooted phone currently, but it states that when rooted it can mock locations even without the setting. 我目前没有植根电话，但它指出植根后即使没有设置也可以模拟位置。

Is there any known way to protect against that? 有没有已知的方法可以防止这种情况发生？ I could use some simple heuristic to verify that the user didn't travel from France to Hawaii in 30 minutes, but I would rather have complete protection. 我可以使用一些简单的启发式方法来验证用户在30分钟内没有从法国前往夏威夷，但是我希望得到完全的保护。

Thanks ahead! 谢谢你！

2 个解决方案

Instead of a long comment: 不用长评论：

"reliability plays a role" “可靠性起着作用”

As long as your provide reliable output for "reliable" input i think you will be OK without having to handle 'spoofed' or fake input. 只要您为“可靠”的输入提供可靠的输出，我认为您就可以不必处理“欺骗性”或虚假输入。 In case you have data stored in persistent storage you could handle cases for 'suspicious' data. 如果您将数据存储在永久性存储中，则可以处理“可疑”数据。

That is define and apply scenarios on your data to identify cases like "the user traveled from France to Hawaii in 30 minutes", and handle such cases in an appropriate way. 那就是在您的数据上定义和应用方案，以识别诸如“用户在30分钟内从法国到夏威夷旅行”之类的案例，并以适当的方式处理此类案例。 Or you could even reject data that are not realistic. 或者，您甚至可以拒绝不切实际的数据。

From a security point of view you should assume that any data coming from a client-side validation process cannot be trusted. 从安全角度来看，您应该假设来自客户端验证过程的任何数据都不可信任。 The data could be intentially, or unintentionally, modified and that is out of your direct control. 数据可能会被故意或无意地修改，而这超出了您的直接控制。

If you want to protect against location spoofing then I would recommend server side checks. 如果您想防止位置欺骗，那么我建议您进行服务器端检查。