如何确保发送到服务器的GPS位置准确?
这是我的问题:
我有一个移动应用程序,我想根据用户的位置向他们提供一些信息(比如 FourSquare )。但如何确保用户位置是真实的呢?
我的意思是,假设客户端通过 http 使用向服务器发出的请求:
恶意用户可以轻松修改这些值。
那么如何确保数值准确呢?
here is my problem :
I have a mobile app, and I want to give the user some information depending on their position ( think something like FourSquare ). But how to make sure the user position is real ?
I mean let's say the client uses a request to the server via http :
a malicious user could easily modify the values.
Then how to make sure values are accurate ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
你不能。正如您已经想到的那样,客户端始终可以操纵发送到服务器的请求。
您在服务器端唯一可以做的就是过滤不太可能的坐标(例如在海上,取决于坐标的含义)。
You can not. As you've already figured the client can always manipulate the requests sent to the server.
The only thing you can do on the serverside is to filter unlikely coordinates (for example on the sea, depending on the meaning of your coordinates).
您始终可以使用应用程序中的 pgp 加密,然后将数据包发送到服务器,服务器将解码消息,您将知道是程序发送了请求。
因此,如果用户想要伪造坐标,他将需要破解手机上的软件才能真正做到这一点。
希望这会给您一些想法...
另一方面,您可以在第一次联系服务器时发出哈希(身份验证或类似的东西),并在您的移动应用程序上进行一些简单的数学运算:
xyour_hash 和 yyour_hash 或类似的东西(应该更复杂,因为很容易猜到)
然后在服务器上:
http://www.myserver.com/getdata?lat=x&lon=是的
然后:在应用程序的服务器端:
纬度 = 纬度/你的哈希值
lon = lon/your_hash
现在,如果纬度/经度不在网格范围内,正如 JochenJung 在海中某处所说的那样……您可以忽略该请求。
仅仅因为您想识别哪个用户发送了请求,您将需要在查询字符串上进行一些识别,这可以用作附加变量来创建更好的结果。
You can always use a pgp encryption which would be in the app, then send a packet to server which will decode the message and you will know it was the program that sent a request.
So if user wants to fake the coordinates he will need to hack your software that is on the phone to actually do that.
Hope that will give you some ideas...
On the other hand you can issue a hash on first contact to the server(authentication or something like that) and have some simple math on your mobile application:
xyour_hash and yyour_hash or something like that (should be more complicated as it is easy to guess)
then on the server:
http://www.myserver.com/getdata?lat=x&lon=y
then: on the server side of the app:
lat = lat/your_hash
lon = lon/your_hash
now if the lat/lon is off the grid, so as JochenJung said somewhere in the sea... you can ignore the request.
and just because you want to identify which user has sent in request you will need some identification on the query string, that can be used as additional variable to create some better result.
有人可能会欺骗/伪造手机将 GPS 坐标设置为其他位置。正如@JochenJung 所说,总是可以更改请求。
Someone could trick/fake the phone into setting the GPS co-ords to somewhere else. As @JochenJung says, it is always possible to change the request.
我也一直在思考同样的事情,但又担心这是不可能的。
我的一些想法:
这要求客户端了解加密算法(和密钥),并再次使其可被破解。
I have been thinking about the same thing, but fear it is impossible.
Some ideas I had:
This requires the client to know about the encryption algorithm (and key) and again makes it hackable