iOS detect mock locations

2019-01-20 10:40发布

问题:

Currently I'm working on an App which geolocation capabilities are its most important feature. Actually we're very concerned about getting GPS values mocked up. I've read a lot of comments regarding mocking locations on both iOS and Android and most of them tend to explain an unjailbroken iOS device can't mock locations, but the truth is I've created another project, with a GPX file to mock up location on that project and when executed, the entire system believes I'm in another city. All my locationManager callbacks tell me I'm on the mocked location with the proper timestamp, faking the entire information like it was real. That breaks entirely the purpose of our App, as the user can fake where has been.

Is there any way to detect this behaviour and prevent it? I'm assuming a closed target, the attacker must be a developer in order to this exploit to work, but alas, it's still there

回答1:

Question: Is there any way to detect this behaviour and prevent it?

There actually are 2 separate questions: (1) how to detect, and (2) how to prevent it?

Answer for (1): The simulated location behaviour is quite different from the real one at call back locationManager:didUpdateLocations:

[simulated locations] callback returns almost immediately after calling startUpdatingLocation, and then repeatedly called every exactly one second. Also the locations are all the same if we choose a fixed location. Here is an example:

location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:48 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:49 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:50 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:51 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:52 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:53 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:54 Час: Індокитай

[real locations] It takes a few seconds (if first run) to call back and then randomly re-call. Also you can see the when significant changes among those locations even if you don't move at all. Here is an example:

location: <+10.77219361,+106.70597441> +/- 67.39m (speed -1.00 mps / course -1.00) @ 30.03.15 14:16:26 Час: Індокитай
location: <+10.77213011,+106.70591088> +/- 65.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:16:31 Час: Індокитай
location: <+10.77219507,+106.70587790> +/- 65.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:16:38 Час: Індокитай
location: <+10.77214753,+106.70587741> +/- 65.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:16:49 Час: Індокитай

Answer for (2): To prevent, I just work around for now, we need to look up at least 3 locations to decide it's simulated or real location.

Remind, it's just temporary solution to detect simulated locations. In the future, Apple may change the behaviour.

By the way, I've also tried to disallow simulate location on xCode at scheme: Unfortunately, it still allows simulated locations.

Some more issues you may know here. Hope it help.



回答2:

To elaborate on @KennyHo answer, I found out that there is another difference between real and simulated locations feedback.

A simulated location, as I noticed, always returns this combination of values for these location properties/options:

horizontalAccuracy: 5
verticalAccuracy: -1
altitude: 0.000000
speed: -1

while a real location would give different combincation 99% of the time such as

horizontalAccuracy: 5
verticalAccuracy: 10
altitude: +/- 0.4243232
speed: -1

Note that it is possible for a simulated location to have a different combination than the above one but only if the user uses xcode Automation target test. However the user can only simulate a location to a signed app with a development identity (must own the app). This means nobody, except you, can fake a location with different altitude or verticalAccuracy to trick your app in xcode.



回答3:

I don't believe it's possible to detect location simulators.

An easier way to fake location is to use an external bluetooth or serial connection to a GPS simulator that outputs NMEA sentences. You don't need a developer account although you do need an Android phone to run the simulator.

The iPhone will auto detect an external GPS and CLLocationManager will use the external GPS sources in place of own internal GPS. It's really handy for lab testing of mapping and navigation apps.



回答4:

Thank for your information about GPS simulator. I have tried to make a simple iOS application on iPhone5(iOS8) to get location from GPS-Simulator app on Samsung S4. I turned off Wifi and 3G, turned on BlueTooth on iPhone. But the CLLocationManager can't get location.

Here is the code:

clManager = [[CLLocationManager alloc] init];

clManager.delegate = self;

clManager.desiredAccuracy = 100;

clManager.distanceFilter = kCLDistanceFilterNone;

[clManager startUpdatingLocation];

the code got kCLAuthorizationStatusAuthorizedAlways notified. But after that, there is no returned location data via "didUpdateLocations" callback delegate.

Could you please tell me any special setting of CLLocationManager so that it can receive GPS message from GPS-Simulator.