Geolocation Spoofing: Why Businesses Can No Longer Trust Location Data

Geolocation technology was once a reliable way to verify the location of devices and users, providing valuable information for businesses. However, the rise of VPNs (Virtual Private Networks) has undermined the accuracy and trustworthiness of geolocation data. Now, the situation has escalated to the point where apps on the Apple App Store and Google Play openly advertise the ability to spoof locations, and neither major mobile OS vendor is taking significant measures to prevent it. The question is, why have Apple and Google allowed this to happen?

The answer lies in the development and testing process of mobile apps. Both Apple and Google needed to be able to test their apps across various geographic locations. To achieve this, they created the capability to trick the system into thinking that developers were in different locations. This developer-friendly feature, which allows for location spoofing, inadvertently created a loophole that app developers and malicious actors could exploit.

Businesses have traditionally relied on geolocation for various purposes. Food delivery services use it to track delivery drivers and confirm deliveries, banks use it to verify the location of bank account applicants, and platforms like Airbnb use it to detect fraudulent listings and reviews. However, the prevalence of location spoofing tools and techniques has made it increasingly difficult for businesses to trust geolocation data.

According to André Ferraz, the CEO of mobile location security company Incognia, fraudsters have multiple methods at their disposal for location spoofing. These include VPNs, proxies, Tor, tunneling for IP-based geolocation, and fake GPS apps for GPS-based geolocation. Moreover, there are tampering and instrumentation tools, rooted or jailbroken devices, emulators, and manipulation of location data in motion.

The proliferation of these options means that businesses can no longer rely on geolocation for critical decisions. While some applications may tolerate minor location discrepancies, others require precise and trustworthy location data to function effectively.

So, can location fraud be detected and prevented? It’s a complex challenge. Some fraudulent methods can be identified, but not all, and certainly not all the time. Detecting a geolocation anomaly does not automatically imply fraud, and overreacting to such anomalies can lead to unintended consequences.

For example, many users routinely use VPNs for enhanced online security and privacy. If a bank were to automatically reject an applicant solely based on VPN usage, it might mistakenly deny legitimate customers. Instead, businesses should consider providing informative pop-up messages to users, acknowledging the use of VPNs and explaining potential issues related to location detection.

Ferraz does not place blame on Apple or Google for enabling location spoofing since they needed this functionality to test their apps across different regions. They even provide APIs for developers to detect if a device is in developer mode and has activated features that allow location manipulation. However, many developers fail to utilize these signals to identify location spoofing.

One industry significantly impacted by location fraud is food delivery services. Fraudsters employ various tactics, such as falsely confirming deliveries without actually delivering the food. Some drivers even pick up orders and consume the food themselves while tricking the app into reporting successful deliveries.

To address the issue of location fraud, businesses must adopt a nuanced approach. Rather than completely avoiding geolocation, they should implement multiple layers of authentication and verification. Geolocation data can still be useful in conjunction with other data points, but it should not be blindly trusted. When discrepancies arise, businesses should use them as triggers for further investigation rather than immediate rejection.

In conclusion, the prevalence of location spoofing tools and techniques has eroded the trustworthiness of geolocation data. While businesses can still use geolocation, they should no longer rely on it as a single source of truth. Instead, they should implement multifactor authentication and verification processes to ensure the accuracy and integrity of location-related decisions.