Preventing an iOS app from getting mock locations - ios

Is it possible to make sure that GPS positions an iOS app is getting are real, and they are not fake locations illegitimately provided somehow, for example, by means of another app such as LocationHolic?
Thanks!

You could theoretically do some ip number geo lookup (e.g. How does geographic lookup by IP work?), but that's not entirely reliable (e.g. VPNs), so I'd be hesitant to dispute someone's location on the basis of that. Given that locationholic is for jailbroken devices, perhaps validate location information against ip-derived location info if, and only if, the app is running on jailbroken device. For info re ip number based geo lookup or identifying if a device is jailbroken, I'm expert in neither, but both topics are covered well elsewhere on StackOverflow or can be answered with a google search.
In short, I suspect that locations are reliable on non-jail-broken phones. Regarding "Find My iPad/iPhone" on jail-broken phones, I can't speak to that, but all rules of reliability and security are thrown out of the window on jail-broken devices, so you can't rely on it.

Related

How to prevent cloning in Ibeacons and avoid conflicts among beacons?

I am trying to develop one app with using a lot of beacons like say in any muti floor shopping mall. In this situation how can I control these
Suppose someone clones a beacon and starts advertsing the signal with same UUID, major, and minor, how to prevent that and what are the other security measures that can be taken?
How to avoid mutiple notifications, suppose somewhere conflicted by two beacons any area is common to more than one beacons, how to control that in app?
The iBeacon standard does not provide any built-in ways to prevent cloning. Apple restricts iOS devices from seeing iBeacons except for ones where the ProximityUUID is known, suggesting this may have been a rudimentary security attempt. But since other operating systems (Android, OSX Mavericks, Linux) allow reading identifiers of all iBeacons, this restriction seems rather silly. It is possible to read identifiers using a tool like Android iBeacon Locate and deploy your own iBeacon with the same identifiers.
Four common approaches to address this:
Do nothing. This is appropriate for most use cases where cloned beacons will cause minor consequences or for low profile deployments where the risk of someone doing this is minimal.
Rotate the iBeacon identifiers. You can do this manually by replacing beacons or manually changing their identifiers periodically. This does not eliminate the problem, but it limits the risk and impact on time.
Use an automated rotating identifier combined with an automated system for validating/converting it to a trusted identifier.
Abandon the iBeacon standard and use a proprietary beacon technology using encryption. This should be considered a last resort, because this choice makes it impossible to use widely available open source and commercial tools for working with iBeacons, and locks you into a single vendor.
Before you choose any option other than the first, be sure you carefully evaluate the risk and consequences of cloning, and be sure any countermeasure you take is really worth the downsides.
The multiple notification problem described in the question is generally not an issue in the absence of intentional cloning. Simply design the ProximityUUID/major/minor numbers of your beacons to be unique for each event you wish to give to users and make your app respond appropriately.
For beacon clone:
customize your beacon firmware and encrypt major/minor with a random key. If beacon and app both can access to cloud, maybe exchange random key via cloud to encrypt/decrypt the major/minor id. If no cloud is involved, beacon and app need to deal with a random key generating algorithm, ex use time as a seed.
(Encrypt with a forever fixed key is useless because clone or replay beacon advertising data still can cheat app)
Rotate UUID with a predefined table-based list. This just reduces the risk with a periodically changing UUID but not really fix the security issue. And the UUID list has a limited size because all UUIDs in list may need to pre-register in App, ex iOS, to let iOS take it as a recognized region and then pass data to your App.
For Multi-notification:
Usually, this should be handled by App.
When enter a region or beacon trigger callback, app should check if it is a duplicated region by uuid-major-minor info. App should also check if it is related notification/info has been sent to user or not to avoid user be bothered by duplicated notification.

Is it possible to track the data collected by iPhone apps in your device with relevant server names they are sent to?

I want to develop an iPhone application which can track the contents (such as location information, device hardware/sw information, contacts …etc) being collected from your device by all the applications and give a report to the end user at end of each week.
Because, I believe that end user should be notified about what information being collected by his device and sent to which servers to store them.
I Googled it and read few articles as well, but all pointed to the conclusion that a given application cannot (or restricted by Apple) peak into operations of other apps and collect any information about what those applications are doing.
But I've seen this Onovo Count app http://www.onavo.com/apps/iphone_count is collecting the data usage of all the other apps in your device, so can we just go few steps beyond that get this done ?
From the looks of it Onovo Count redirects all device traffic through a VPN. I presume their servers look at the host names of the traffic and record it against the device. When looking at the app, you're just looking at a dump of the data for your device.
For the rest of what you want to do, it is not possible on a standard device, you'd need to have it jail broken or something.

Check if iDevice with a specific app is nearby

Is it possible to check within an app, if there are other idevices nearby which have the app running?
For example device A starts the app. Device B also starts the app. When they are nearby, a notification will popup.
I know its possible to check the range between two GPS coordinates. But the only solution that I've found on the internet was, that I have to make a webservice/server which handles the coordinates which were sent by the idevices.
But I'd like to make it run "offline", without saving/sending the data at a webserver.
You can achieve exactly this using the new iBeacons functionality in iOS 7. I'm not sure I can link to the exact documentation due to the NDA currently (although the feature was mentioned publicly at WWDC), but if you search for 'beacons' on the Apple Developer site you should find what you need.
There are also some examples towards the end of this year's WWDC session 307 - "What's new in Core Location?". This is arguably more useful than the documentation.
Essentially, you define a beacon region and tell your devices to start advertising their presence. At the same time, you can listen out for beacons in the local area - CoreLocation will then report you the identifier and approximate distance of each device.

test GPS without service provider

While I found a question asked for android (http://stackoverflow.com/questions/3189188/gps-location-without-service) I couldn't find one for iOS so I thought I'd ask it. Especially since it seems to be possible in Android (see link).
I'm wondering if there's anyway to get location without a service provider. For example, I have access to an older iPhone 3GS but clearly don't want to pay any fees just to test my location services code.
I'm thinking that since location should be determinable via WIFI then maybe the only difference would be the increased precision of GPS. Maybe that'll be enough.
I actually got the answer by posting at Apple's devforums.
Basically, Location Services are independent of GPS - the APIs are identical regardless of device.
Which makes sense. Essentially, the only difference with actual GPS-based location is precision.
What fees are you worried about ? If it's mobile data charges then just switch off mobile data - the gps will still work fine!

iOS - Assisted GPS

How would I go about figuring the position of someone inside (or outside) of a given area (such as a building) using assisted GPS with IOS app?
Is it possible to have it accurate enough withing a few feet?
Is this the right way to go about it?
Is it possible to utilize more than one wifi connection in the calculation?
Your app can use the Core Location framework to determine the device location. Core Location will use whatever hardware is at its disposal to determine the device location to the degree that you request. For example, some devices have WiFi but no GPS; others have WiFi, GPS, and cellular radios. Future devices may have other location technologies built in.
The point is that as an application programmer, you don't worry about that. Instead, you say: "give me a location that's accurate to 100 meters" or "let me know when the device has moved from the current spot by more than 10 meters" or "give me the location with the best accuracy you can manage."
Again, take a look at Apple's Core Location documentation to get a better idea of how it all works.
If you're looking to track a device with, say, 1-meter resolution inside a building, you're not likely to get that from Core Location. There's been research on triangulating position using known locations of WiFi transceivers, but nothing that's implemented in any commercial smart phone that I know of. I don't believe that iOS gives you easy access to the data you'd need to do this, so it's probably not a possibility. You could, however, go the other way: program several WiFi receivers around the building to listen for any nearby devices, use that information to triangulate the devices' positions, and then make that information available via some web service.

Resources