Home iOS Sadly, IT can no longer trust geolocation for much of anything

Sadly, IT can no longer trust geolocation for much of anything


Geolocation was once a glorious way to know who your company is dealing with (and sometimes what they are doing). Then VPNs started to undermine that. And now, things have gotten so bad that the Apple App Store and Google Play both offer apps that unashamedly declare they can spoof locations — and neither mobile OS vendor does anything to stop it.

Why? It seems both Apple and Google created the holes these developers are using.

In a nutshell, Apple and Google — to test their apps across various geographies — needed to be able to trick the system into thinking that their developers are wherever they wanted to say that they are. What’s good for the mobile goose, as they say.

Food delivery services use geolocation to track delivery people and to see if they have indeed delivered to a customer’s address. Banks use location to see whether a bank account applicant is really where the applicant claims — or to see whether multiple bogus applications are coming from the same area. And AirBNB uses geolocation to try and detect fake listings and fake reviews, according to André Ferraz, the CEO of mobile location security firm Incognia.

“For fraudsters, besides exploiting developer mode to change GPS coordinates, many other tools enable location spoofing, both for IP-based geolocation and GPS-based geolocation,” Ferraz said. “For IP-based geolocation, there are VPNs, proxies, tor, tunneling. For GPS, the most accessible are the fake GPS applications. Still, there are also tampering and instrumentation tools, rooted or jailbroken devices, emulators, tampering with the location data in motion and many others.”

Ferraz is regrettably right. Regardless of which one of these many options a fraudster opts to use, the bottom line is that IT simply can no longer trust geolocation for much of anything. There are some applications where the risk of meaningful damage from location fraud is so low that it’s probably fine to use location — say, a gaming application where someone pretends to be in Central Park when they aren’t. If all they get are points or access to a special visual treat, it’s likely harmless.

Copyright © 2022 IDG Communications, Inc.