Geolocation was once a glorious way to know who your company is dealing with (and sometimes what they are doing). Then VPNs started to undermine that. And now, things have gotten so bad that the Apple App Store and Google Play both offer apps that unashamedly declare they can spoof locations — and neither mobile OS vendor does anything to stop it.
Why? It seems both Apple and Google created the holes these developers are using.
In a nutshell, Apple and Google — to test their apps across various geographies — needed to be able to trick the system into thinking that their developers are wherever they wanted to say that they are. What’s good for the mobile goose, as they say.
Food delivery services use geolocation to track delivery people and to see if they have indeed delivered to a customer’s address. Banks use location to see whether a bank account applicant is really where the applicant claims — or to see whether multiple bogus applications are coming from the same area. And Airbnb uses geolocation to try to detect fake listings and fake reviews, according to André Ferraz, the CEO of mobile location security firm Incognia.
“For fraudsters, besides exploiting developer mode to change GPS coordinates, many other tools enable location spoofing, both for IP-based geolocation and GPS-based geolocation,” Ferraz said. “For IP-based geolocation, there are VPNs, proxies, Tor, tunneling. For GPS, the most accessible are the fake GPS applications. Still, there are also tampering and instrumentation tools, rooted or jailbroken devices, emulators, tampering with the location data in motion and many others.”
Ferraz is regrettably right. Regardless of which one of these many options a fraudster opts to use, the bottom line is that IT simply can no longer trust geolocation for much of anything. There are some applications where the risk of meaningful damage from location fraud is so low that it’s probably fine to use location — say, a gaming application where someone pretends to be in Central Park when they aren’t. If all they get are points or access to a special visual treat, it’s likely harmless.
Trust, here, is the key word. If your business needs to trust location data, then an alternative is needed.
Can this location fraud be detected? It gets tricky. Certain fraudulent methods can be detected, but not all — and certainly not all of the time. More importantly, merely detecting a geolocation anomaly should not on its own positively determine fraud.
VPN is a wonderful example. Many users have gotten so used to surfing the Internet in VPN mode that they do so all the time. That means they may not even think about it when they try, for example, to open a bank account. Instead of assuming fraud and blocking access and declining the application, banks could offer up a simple pop-up warning: “It appears that you are using a VPN. Although we applaud your security and privacy intent, what appears to be a VPN is interfering with our location-detection. Please turn off your VPN, shut down your browser, relaunch your browser and come back.”
The problem with spoof detection is that some companies will overreact and assume intentional fraud. It’s not that simple.
Ferraz chooses not to fault either Google or Apple, since they truly do need to mimic locations across the globe.
“This feature to enable developers to test their apps as if they were elsewhere was purposefully built by the OS providers, Android and iOS. Therefore, it is not a security vulnerability from the operating system. Otherwise, developers would not be able to work remotely, for example, because they would need to go in-person to places where the app offers some location-based service for testing purposes,” Ferraz said. “The OS even provides APIs for developers to identify if the device is in developer mode and has activated the tool that enables them to change the GPS coordinates. Unfortunately, many developers don’t use this and other device signals to identify location spoofing.”
Ferraz cites the food-delivery service as a classic example of how some companies try to use location tracking — but can get burned. There are multiple ways fraudsters try to rip off food-delivery services; some will accept a delivery and simply not go anywhere. Instead, they trick the food delivery system into thinking they picked up the order and then delivered it.
The problem with some of these services is that they pay instantly once the system thinks the food’s been delivered. If they chose to wait, let’s say an hour or so, they could avoid the fraud. That hour leaves plenty of time for the customer to phone in and complain that the food was never delivered. (Sometimes, the food delivery company will “verify” whether the food was delivered by looking at the geolocation tracking. Oops! They fail to deliver and may call a customer a liar.)
Sometimes, food delivery fraud is not about money — it’s about the food itself. Ferraz said some drivers will actually pick up the order and eat it themselves — while tricking the app into “seeing” the driver deliver to the customer.
This raises the question of what IT should do about the issue. There’s a big difference between “don’t use geolocation” and “don’t trust geolocation.” It’s similar to how a journalist deals with an unreliable source; you don’t necessarily ignore what they are saying, but you triple verify everything.
Take cybersecurity authentication, for example. If you’re doing everything properly — especially in a zero-trust environment — you’re likely relying on dozens or more data points. In that scenario, it’s fine to use geolocation data. After all, most of that data is probably fine. Just as with the bank example, don’t reject someone solely based on a mismatched location. But it’s perfectly appropriate to use any mismatch to trigger further questions.
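As an added illustration (not from the article or from Incognia), the policy described above can be sketched as a decision function in which a location anomaly triggers further questions but never a rejection on its own. The signal names, the 100 km threshold and the `deny_at` cutoff are assumptions made for the example.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Signals:
    gps: tuple           # (lat, lon) reported by the device
    ip_geo: tuple        # (lat, lon) estimated from the source IP
    claimed: tuple       # (lat, lon) of the address the user claims
    mock_location: bool  # client-reported OS mock-location flag (a hint only:
                         # a tampered or rooted device can hide it)
    vpn_suspected: bool  # source IP is in a known VPN/proxy range
    other_risk: int      # count of non-location risk signals (hypothetical)

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 \
        + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def decide(s, max_km=100.0, deny_at=2):
    """Return (action, reasons). Location anomalies alone never deny."""
    reasons = []
    if s.mock_location:
        reasons.append("mock_location")
    if s.vpn_suspected:
        reasons.append("vpn")  # IP geolocation is meaningless behind a VPN
    elif km_between(s.gps, s.ip_geo) > max_km:
        reasons.append("gps_ip_mismatch")
    if km_between(s.gps, s.claimed) > max_km:
        reasons.append("gps_claim_mismatch")
    # Deny only when a location anomaly is corroborated by other signals.
    if reasons and s.other_risk >= deny_at:
        return "deny", reasons
    # A VPN by itself gets the friendly prompt, not a fraud flag.
    if reasons == ["vpn"]:
        return "ask_disable_vpn", reasons
    if reasons or s.other_risk:
        return "step_up", reasons
    return "allow", reasons

# Constructed sample coordinates for the example.
NYC, NEWARK, LONDON = (40.7128, -74.0060), (40.7357, -74.1724), (51.5074, -0.1278)
```
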
There’s no reason you can’t have different processes: in some cases, geolocation accuracy is relied upon; in others, it’s merely supplemental; in still others, it doesn’t matter that much (possibly gaming). In short, use geolocation but no longer even think about trusting it.