Recently our team has been working on a web app that uses geolocation. We use geolocation to identify the real-world geographic location of a user and allow them to check into an event.
A fundamental requirement is the accuracy of the user location. Luckily, the HTML5 geolocation API is supported by most mobile browsers, provides an interface to query the device's location, and its accuracy is quite high.
The app rewards the user for participating in located events, so we need to be sure that the user's geolocation is not forged.
The major problem is the high number of possibilities for forging geolocation, for example:
- fake location in Chrome from Developer Tools
- browser extensions that allow one to fake location
- external apps that allow one to fake location
We tried to solve the problem by matching the results of HTML5 geolocation with several geolocation services such as Maxmind GeoIP and Akamai Edgescape, without success. Using Maxmind we've encountered problems with location accuracy. Maxmind offers an IP location service; when you query their database with an IP address, an API returns a possible geolocation. We have found that some mobile carriers do not change the device IP address for several days, thus the Maxmind database answers with the same result even if you keep traveling.
Akamai Edgescape instead gives you the location of the PoP that served your request. The limitation of this method is that the PoP may or may not be near the user's location.
In the end we can say that requesting the user's location and integrating a geolocation service is quite simple; on the other hand, making sure that the location is not forged is pretty hard.
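The kind of cross-check described above, as an added example that is not code from our app: it compares the browser-reported fix with an IP-derived estimate and shows why a stale carrier IP makes the result ambiguous. The function names, the `{lat, lon, radiusKm}` shape of the IP estimate, the 50 km slack and all coordinates are assumptions made for illustration.

```javascript
// Added example: all names, shapes and sample coordinates are constructed.
const EARTH_RADIUS_KM = 6371;

// Great-circle distance between two {lat, lon} points in kilometres.
function haversineKm(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// browser: {lat, lon, accuracyM}, taken from coords.latitude/longitude/accuracy.
// ipEstimate: {lat, lon, radiusKm}, a hypothetical shape for an IP-based answer.
// slackKm: assumed extra margin before two sources are called inconsistent.
function crossCheck(browser, ipEstimate, slackKm = 50) {
  const nums = [browser.lat, browser.lon, ipEstimate.lat, ipEstimate.lon];
  if (!nums.every(Number.isFinite)) {
    return { verdict: "unknown", distanceKm: null, toleranceKm: null };
  }
  const distanceKm = haversineKm(browser, ipEstimate);
  const toleranceKm =
    (browser.accuracyM || 0) / 1000 + (ipEstimate.radiusKm || 0) + slackKm;
  const verdict = distanceKm <= toleranceKm ? "consistent" : "mismatch";
  return { verdict, distanceKm, toleranceKm };
}

// Constructed samples: an IP estimate that still points at Milan.
const ipMilan = { lat: 45.47, lon: 9.2, radiusKm: 50 };
const samples = {
  atEventInMilan: { lat: 45.4642, lon: 9.19, accuracyM: 20 },
  // Reported position in Rome: a forged fix and an honest traveller whose
  // carrier kept the old IP produce exactly this same input.
  reportedInRome: { lat: 41.9028, lon: 12.4964, accuracyM: 20 },
  noFix: { lat: NaN, lon: NaN, accuracyM: 0 },
};

for (const [name, pos] of Object.entries(samples)) {
  const r = crossCheck(pos, ipMilan);
  const km = r.distanceKm === null ? "-" : r.distanceKm.toFixed(1) + " km";
  console.log(name, r.verdict, km);
}
```

A "mismatch" here is only a signal for further review: the check cannot tell a forged position from a genuine one paired with an outdated IP estimate.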